securityaffairs.com 4/9/2026, 3:20:32 PM

Masjesu IoT botnet rents DDoS for hire, stays hidden since 2023

Primary source: trellix.com

MASJESU is a stealthy IoT botnet, described as a DDoS-for-hire service, that has been active since 2023 and remains focused on evasion. It targets a wide range of IoT devices, including routers and gateways, across multiple architectures such as i386, MIPS, ARM, SPARC, PPC, 68K and AMD64. The malware is built for persistence: it binds to a fixed TCP port (55988), hides its data with multi-stage XOR encryption, and installs a cron job that runs every 15 minutes, renaming itself after a legitimate system file to survive.
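The persistence and port traits in the paragraph above lend themselves to a simple host-side check. The following Python script is an added example, not code from Trellix or from the article: it flags crontab entries that run every 15 minutes from outside a small allow-list of system directories and reports any listener bound to the botnet's fixed port. The TCP port 55988 and the 15-minute cadence come from the page; the directory allow-list, the sample crontab and the sample socket table are constructed assumptions of this example.

```python
"""Host-side detection heuristics for two Masjesu traits described in the article.

Added example, not code from the Trellix report or from the article. Checks:
  1. a per-user crontab entry that fires every 15 minutes from an unexpected path
  2. a TCP listener bound to port 55988
The crontab and socket-table text below is constructed sample input.
"""
import re

# Port named in the article as the botnet's fixed listener.
MASJESU_PORT = 55988

# Directories a scheduled job on an embedded device is normally expected to run
# from; anything else (/tmp, /var/run, /dev/shm, ...) is worth a look.
# This allow-list is an assumption of this example, not from the article.
EXPECTED_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                 "/etc/", "/usr/lib/", "/usr/local/")

# Per-user crontab format (five time fields, then the command).
CRON_EVERY_15 = re.compile(r"^\*/15\s+\*\s+\*\s+\*\s+\*\s+(?P<cmd>.+)$")

# One line of `ss -ltn` output: State Recv-Q Send-Q Local:Port Peer:Port
SOCKET_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+")


def suspicious_cron_lines(crontab_text):
    """Return crontab lines that run every 15 minutes from outside EXPECTED_DIRS."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_EVERY_15.match(line)
        if not m:
            continue
        program = m.group("cmd").split()[0]  # program path, before any arguments
        if not program.startswith(EXPECTED_DIRS):
            hits.append(line)
    return hits


def listeners_on_port(socket_table, port=MASJESU_PORT):
    """Return local addresses from `ss -ltn`-style output that listen on `port`."""
    found = []
    for line in socket_table.splitlines():
        m = SOCKET_RE.match(line.strip())
        if not m:
            continue
        local = m.group("local")
        try:
            # rsplit keeps IPv6 forms such as [::]:55988 intact
            local_port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if local_port == port:
            found.append(local)
    return found


# Constructed sample input; the /tmp path is hypothetical, not from the article.
SAMPLE_CRONTAB = """\
# constructed sample crontab
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/15 * * * * /tmp/.cache/busybox_x
*/15 * * * * /usr/bin/updatedb
"""

SAMPLE_SOCKETS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:55988       0.0.0.0:*
LISTEN 0      128    [::]:80             [::]:*
"""


def scan(crontab_text=SAMPLE_CRONTAB, socket_table=SAMPLE_SOCKETS):
    """Run both checks and return the findings as a dict."""
    return {
        "cron": suspicious_cron_lines(crontab_text),
        "listeners": listeners_on_port(socket_table),
    }


if __name__ == "__main__":
    for kind, items in scan().items():
        for item in items:
            print(f"[{kind}] {item}")
```

Because the binary is renamed after a legitimate system file, a 15-minute entry that points into an allowed directory still needs verification by hash or package ownership; the allow-list only narrows what to inspect. On a live device, feed the script the output of `crontab -l` and `ss -ltn` in place of the constructed samples.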

It avoids high-profile networks like the DoD to stay undetected and uses a distributed approach with multiple C2 domains and fallback IPs to receive commands and payloads. The botnet has advertised floods up to about 290 Gbps and has drawn traffic from Vietnam, Ukraine, Iran, Brazil, Kenya and India, with Vietnam contributing nearly half of the traffic.

Propagation is handled by a Createchildrenreplic() function that scans random IPs and exploits known flaws in devices from D-Link, GPON and Netgear, among others; Telegram serves as the operators' channel. According to Trellix, Masjesu is marketed via Telegram: the original channel was banned before a newer one emerged, and the new group currently has around 420 subscribers.


Article by CyberSIXT