Masjesu Botnet: DDoS-for-Hire Service Targeting Global IoT
Masjesu botnet, marketed via Telegram, exploits 12 vulnerabilities to conscript routers and IoT devices for DDoS attacks. Nearly 50% of traffic originates from Vietnam.
A botnet advertised on Telegram as a DDoS-for-hire service has been systematically compromising routers and IoT devices across multiple continents. Security researchers tracking Masjesu—also known as XorBot—found the operation exploiting 12 different vulnerabilities to build its attack infrastructure, with nearly half of observed traffic originating from Vietnam.
Masjesu has been active since 2023, but recent reporting highlights its continued expansion and the sophistication of its evasion techniques. The botnet targets CDNs, game servers, and enterprise networks, offering volumetric DDoS capabilities to anyone willing to pay.
How Masjesu Operates
The botnet combines aggressive propagation with operational security measures designed to maintain persistence:
Exploitation Capabilities: Masjesu carries 12 different command injection and code execution exploits aimed at consumer and enterprise networking equipment. Confirmed affected vendors and platforms include D-Link, Eir, GPON, Huawei, Intelbras, MVPower, NETGEAR, TP-Link, Vacron, and Realtek. One of these exploits targets the Realtek SDK's miniigd daemon on port 52869.
Persistence Mechanisms: Once installed, Masjesu binds to TCP port 55988, giving the operator a direct backdoor into the device. The malware ignores termination signals and actively disables competing tools such as wget and curl, both to frustrate cleanup attempts and to stop rival botnets from taking over the infected device.
Propagation: The bot self-propagates by scanning randomly generated IP addresses for open ports and attempting its exploits against responsive hosts, so the botnet grows without operator intervention. This mirrors techniques documented in other IoT botnet campaigns targeting the same device classes.
Obfuscation: XOR-based encoding hides strings, configuration data, and payloads, complicating static analysis and signature-based detection.
Geographic Distribution
Traffic analysis reveals distinct geographic patterns:
- Vietnam: ~50% of observed traffic
- Ukraine, Iran, Brazil, Kenya, India: Significant secondary sources
The concentration in Vietnam likely reflects a combination of vulnerable device populations and network infrastructure conditions rather than specific targeting. IoT botnets typically spread opportunistically, with device vulnerability and internet exposure determining infection rates.
Attribution
Researchers attributed Masjesu to Seyit Girgin, a Turkish national operating through multiple GitHub accounts and Telegram channels. The same actor has been linked to credit card theft operations and Discord token stealing campaigns, suggesting Masjesu is one component of broader criminal activity.
The Telegram-based distribution model gives the operator flexibility: channels can be recreated if taken down, and payment happens outside traditional financial oversight. This DDoS-for-hire approach has become standard for botnet operators, as seen in other infrastructure disruption campaigns.
Detection and Mitigation
Organizations should implement the following:
- Monitor port 55988: an internal host accepting TCP connections on this port is a strong indicator of Masjesu infection
- Patch IoT devices: apply firmware updates from the affected vendors
- Segment IoT networks: isolate routers and gateways from production systems
- Block Realtek SDK exploitation: filter inbound traffic to port 52869 where the miniigd service is not needed
- Review Trellix and NSFOCUS indicators: both vendors have published detection signatures
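The two network-visible behaviours described above, the TCP 55988 backdoor and the random-IP scanning of port 52869 from the propagation section, can be checked against connection logs. The following is an added example written for this article, not code from the researchers or from the botnet's analysis; the log format, the internal address prefix and the scan threshold are assumptions, and the records are constructed.

```python
from collections import defaultdict

MASJESU_BACKDOOR_PORT = 55988   # bind port reported in the article
REALTEK_MINIIGD_PORT = 52869    # Realtek SDK miniigd port targeted by one of the exploits
SCAN_THRESHOLD = 5              # distinct targets on one port before we call it scanning (assumption)

# Constructed sample records, "src_ip src_port dst_ip dst_port proto"; not real telemetry.
SAMPLE_CONN_LOG = """\
203.0.113.7 41022 192.0.2.10 55988 tcp
192.0.2.10 51001 198.51.100.1 52869 tcp
192.0.2.10 51002 198.51.100.2 52869 tcp
192.0.2.10 51003 198.51.100.3 52869 tcp
192.0.2.10 51004 198.51.100.4 52869 tcp
192.0.2.10 51005 198.51.100.5 52869 tcp
192.0.2.10 51006 198.51.100.6 52869 tcp
192.0.2.44 44000 203.0.113.9 443 tcp
"""

def parse_conn_log(text):
    """Parse the assumed five-field format into dicts; skips blank and comment lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, _sport, dst, dport, proto = line.split()
        rows.append({"src": src, "dst": dst, "dport": int(dport), "proto": proto})
    return rows

def find_backdoor_listeners(rows, internal_prefix):
    """Internal hosts that accepted a TCP connection on 55988: something is listening there."""
    return sorted({r["dst"] for r in rows
                   if r["proto"] == "tcp" and r["dport"] == MASJESU_BACKDOOR_PORT
                   and r["dst"].startswith(internal_prefix)})

def find_scanners(rows, port, threshold=SCAN_THRESHOLD):
    """Sources that touched >= threshold distinct destinations on one port: propagation scanning."""
    targets = defaultdict(set)
    for r in rows:
        if r["proto"] == "tcp" and r["dport"] == port:
            targets[r["src"]].add(r["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}

def triage(text, internal_prefix="192.0.2."):
    """Run both checks over one log; the internal prefix is an assumption for the sample."""
    rows = parse_conn_log(text)
    return {"backdoor_listeners": find_backdoor_listeners(rows, internal_prefix),
            "miniigd_scanners": find_scanners(rows, REALTEK_MINIIGD_PORT)}
```

On the sample, 192.0.2.10 is flagged twice: it accepts a connection on 55988 and fans out to six hosts on 52869, which is the infected-and-propagating pattern the article describes.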
For consumers, the recommendations are simpler but rarely followed: update router firmware, change default credentials, and disable remote administration. Most Masjesu infections exploit devices running years-old firmware with known vulnerabilities.
The Bigger Picture
Masjesu represents the commoditization of DDoS infrastructure. The technical barriers to launching attacks have collapsed: anyone with cryptocurrency and a Telegram account can rent attack capacity. The Q1 2026 record of 2Tbps attacks linked to expanding botnets demonstrates the scale these operations can achieve.
The IoT security problem isn't new, but it's not improving. Manufacturers continue shipping devices with weak defaults, consumers rarely update firmware, and the economics favor attackers. Each unpatched router becomes a potential node in someone's attack infrastructure.
For enterprises, the lesson is that IoT exposure extends beyond your own devices. Your network might be secured, but your ISP's other customers probably aren't, and the DDoS traffic Masjesu generates will hit your infrastructure regardless of your own security posture.
Organizations dependent on internet availability should ensure their DDoS mitigation strategies account for volumetric attacks at multi-terabit scale. The botnets generating these attacks aren't going away; they're getting bigger.