Ethical Hacking News
The Masjesu botnet is a commercially operated IoT DDoS threat that has been active since 2023 and that its operators deliberately keep out of high-profile networks. It spreads by scanning random IP addresses and exploiting known vulnerabilities in consumer routers and gateways, hides its strings, configuration and payloads behind XOR obfuscation to frustrate static detection, and skips blocklisted address ranges so that it can survive unnoticed for as long as possible. Its operators advertise a large, stable and geographically diverse bot population for attacks on CDNs, game servers and enterprises. Organizations that run IoT equipment should treat exposed, unpatched routers and gateways as the entry point and harden them accordingly.
In a recent report, the cybersecurity firm Trellix describes the Masjesu botnet as a sophisticated threat targeting IoT devices. The botnet, which has been active since 2023, is built to stay hidden: it avoids high-profile networks and favors stealthy, low-key attacks over anything that would draw attention.
The Masjesu botnet is marketed primarily through Telegram. The original channel had over 2,000 subscribers before it was banned; a replacement channel, "Masjesu Botnet /僵尸网络" (僵尸网络 is Chinese for "botnet"), currently has around 420 subscribers. The operators advertise a large, stable and geographically diverse botnet for attacks on CDNs, game servers and enterprises.
According to Trellix, the Masjesu botnet targets a wide array of IoT devices, including routers and gateways, and ships binaries cross-compiled for multiple architectures (i386, MIPS, ARM, SPARC, PPC, 68K and AMD64). The malware XOR-obfuscates its strings, configuration and payloads, so a plain byte-signature scan of the binary does not find the telltale strings and static detection has to undo the encoding first.
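The following is an added example, not code from the Trellix report or from the Masjesu sample, showing why a raw byte signature misses XOR-hidden strings and how an analyst recovers them. It assumes a single-byte XOR key and a NUL-separated string table (the page does not state the key length or table layout); the sample strings, key value and crib list are all invented for the demonstration.

```python
"""
Added example (not Masjesu code, not from Trellix): why a byte signature
fails against XOR-hidden strings, and how an analyst recovers them.
Assumptions (invented for the demo): a single-byte XOR key, a NUL-separated
string table, and the sample strings below. None of it is from the sample.
"""
import string

# Printable ASCII minus vertical tab / form feed, used only as a tie-breaker.
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}

# Substrings that cross-compiled IoT bots very often carry; used as cribs.
# Chosen for the demo, not taken from any Masjesu artefact.
CRIBS = [b"/bin/busybox", b"busybox", b"GET /", b"POST /", b"HTTP/1."]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR. Symmetric: the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of printable bytes; weak on its own (see note below)."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def recover_key(blob: bytes, cribs=CRIBS) -> int:
    """Brute-force all 256 single-byte keys.

    Rank candidates by how many cribs appear in the decode, then by
    printable ratio.  Raise if no crib matches under any key rather than
    silently returning a best-effort guess."""
    best = None
    for key in range(256):
        cand = xor_bytes(blob, key)
        hits = sum(c in cand for c in cribs)
        if hits == 0:
            continue
        score = (hits, printable_ratio(cand))
        if best is None or score > best[0]:
            best = (score, key)
    if best is None:
        raise ValueError("no crib matched under any single-byte key")
    return best[1]


def static_match(blob: bytes, signature: bytes) -> bool:
    """What a naive byte-signature rule does: search the raw bytes."""
    return signature in blob


def extract_strings(blob: bytes, key: int, min_len: int = 4) -> list:
    """Decode and split the NUL-separated table back into strings."""
    return [s for s in xor_bytes(blob, key).split(b"\x00") if len(s) >= min_len]


# Constructed sample table and key; invented values for the demo.
SAMPLE_STRINGS = [b"/bin/busybox", b"GET /", b"c2.example.invalid", b"admin"]
SAMPLE_KEY = 0x5A
OBFUSCATED = xor_bytes(b"\x00".join(SAMPLE_STRINGS) + b"\x00", SAMPLE_KEY)


if __name__ == "__main__":
    sig = b"/bin/busybox"
    print("raw signature hit:", static_match(OBFUSCATED, sig))   # False
    key = recover_key(OBFUSCATED)
    print("recovered key: 0x%02x" % key)                         # 0x5a
    print("decoded strings:", extract_strings(OBFUSCATED, key))
    print("signature hit after decode:",
          static_match(xor_bytes(OBFUSCATED, key), sig))         # True
```

The crib ranking matters: ranking by printable ratio alone ties between the true key and any key that differs from it in a low bit, because XOR by 0x01 or 0x02 maps most ASCII letters and punctuation onto other printable characters. A short list of strings the family is known to carry disambiguates immediately, and the same approach extends to a longer repeating key by running it per key position.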
Once infected, a device becomes a bot that launches TCP, UDP and HTTP flood attacks on instruction from the command-and-control (C2) infrastructure. That infrastructure uses multiple domains and fallback IP addresses, so losing any single domain or address does not cut the bots off from their operators.
The botnet spreads by scanning random IP addresses and exploiting vulnerabilities in D-Link, GPON and Netgear devices. It favors low-key attacks over mass infection and deliberately skips blocklisted IP ranges, such as those belonging to the US Department of Defense (DoD), to avoid attracting the kind of attention that would cut its lifespan short.
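As an added example on the defender's side (not from the Trellix report and not Masjesu code), the heuristic below flags an internal device that behaves like the random-IP scanner described above: many half-open connection attempts in a short window to destinations spread across many unrelated /8 prefixes. The flow record layout, the thresholds and the sample flows are assumptions made for the demonstration.

```python
"""
Added example, not code from the Trellix report or from Masjesu itself: a
detection heuristic for the random-IP scanning that infected devices perform
to find new victims.  Flow records, thresholds and field layout are assumed
for the demonstration.
"""
from collections import Counter, defaultdict

# Assumed flow record layout: (seconds, src_ip, dst_ip, dst_port, completed)
# `completed` is False for a SYN that never got a handshake, which is what a
# scanner hitting mostly-unreachable random addresses leaves behind.


def first_octet(ip: str) -> str:
    """/8 prefix of a dotted quad, used to measure how spread out targets are."""
    return ip.split(".", 1)[0]


def detect_scanners(flows, window=60, min_targets=20, min_prefixes=8):
    """Return {src_ip: peak_distinct_targets} for sources that, inside any
    `window`-second span, sent uncompleted SYNs to >= `min_targets` distinct
    destinations spread across >= `min_prefixes` /8 prefixes.

    The prefix-spread condition is what separates random Internet scanning
    from a host that legitimately contacts many addresses in one network."""
    by_src = defaultdict(list)
    for t, src, dst, _dport, completed in flows:
        if not completed:
            by_src[src].append((t, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # dst -> number of events currently in window
        left = 0
        for t, dst in events:
            in_window[dst] += 1
            # Slide the left edge until the window is at most `window` seconds.
            while t - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            prefixes = {first_octet(d) for d in in_window}
            if len(in_window) >= min_targets and len(prefixes) >= min_prefixes:
                hits[src] = max(hits.get(src, 0), len(in_window))
    return hits


def pseudo_random_ip(i: int) -> str:
    """Deterministic stand-in for the random targets a scanner picks (constructed).
    The first octet is distinct for every i below 223, so targets span many /8s."""
    return f"{(i * 37) % 223 + 1}.{(i * 91) % 256}.{(i * 53) % 256}.{(i * 17) % 254 + 1}"


# Constructed flows: one infected gateway, one internal monitoring host that
# sweeps a single /24, and one ordinary client whose connections complete.
# Only the first should trip the heuristic.
SAMPLE_FLOWS = (
    [(i, "192.168.1.50", pseudo_random_ip(i), 23, False) for i in range(30)]
    + [(i, "192.168.1.10", f"10.0.5.{i + 1}", 22, False) for i in range(25)]
    + [(i, "192.168.1.20", pseudo_random_ip(i + 100), 443, True) for i in range(25)]
)


if __name__ == "__main__":
    for src, peak in detect_scanners(SAMPLE_FLOWS).items():
        print(f"possible scanner {src}: {peak} half-open targets within 60s")
```

Feed it from whatever flow or firewall log you already collect, and tune `min_targets` and `window` to your network: a busy Internet-facing server will see more half-open inbound attempts than an embedded gateway should ever initiate outbound, and it is the outbound direction from IoT devices that this check is meant for.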
Masjesu has been built with persistence in mind, favoring careful execution over widespread infection. Its primary focus is stealth, and as a commercially run IoT threat it has continued to evolve since it first appeared.
Related Information:
https://www.ethicalhackingnews.com/articles/Unveiling-the-Stealthy-Masjesu-Botnet-A-Sophisticated-Threat-to-IoT-Devices-ehn.shtml
https://securityaffairs.com/190548/malware/masjesu-botnet-targets-iot-devices-while-evading-high-profile-networks.html
https://clearinfosec.com/masjesu-botnet-a-global-iot-ddos-threat-emerges/
https://www.trellix.com/blogs/research/masjesu-rising-stealth-iot-botnet-ddos-evasion/
Published: Thu Apr 9 11:36:33 2026 by llama3.2 3B Q4_K_M