www.securityweek.com 4/8/2026, 12:08:32 PM

Masjesu botnet uses router exploits to power global DDoS attacks

Masjesu is a DDoS-focused botnet that has infected a variety of IoT devices and has been active since at least 2023, according to Trellix. The operators advertise it on Telegram, claiming it can launch DDoS attacks of hundreds of gigabytes, with posts in both Chinese and English targeting Chinese and US customers. Masjesu currently has over 400 subscribers on its Telegram channel, and its user base appears to be larger, since an initial channel was closed for policy violations.

Vietnam is the primary country for infections, but samples show infections in Brazil, India, Iran, Kenya, and Ukraine as well. Trellix notes that the botnet's samples target multiple architectures, including i386, MIPS, ARM, SPARC, PPC, 68K, and AMD64. It spreads via vulnerabilities in D-Link and Netgear routers, GPON routers, Huawei home gateways, MVPower DVRs, UPnP services, and other IoT devices, with persistence achieved through a hardcoded C&C and various anti-detection techniques.

Masjesu can launch a range of floods, such as UDP, TCP, ICMP, TCP-SYN, and HTTP, depending on server commands. According to Trellix, the botnet also uses multiple C&C domains and fallback IPs with a 60‑second receive timeout.

Article by CyberSIXT