MASJESU is a stealthy DDoS botnet that has been advertised via Telegram as a DDoS-for-hire service since it first surfaced in 2023, and it targets a wide range of IoT devices such as routers and gateways across multiple architectures. It is designed for persistence and low visibility, favouring careful, low-key execution and deliberately avoiding blocklisted IP ranges such as those belonging to the Department of Defence to improve long-term survival, according to Trellix.
The commercial offering goes by the moniker XorBot due to its use of XOR-based encryption, and NSFOCUS first documented it in December 2023, linking it to an operator named "synmaestro." A later iteration added 12 command injection and code-execution exploits to attack devices from various manufacturers and enable DDoS flood capabilities.
Attacks primarily originate from Vietnam, Ukraine, Iran, Brazil, Kenya, and India, with Vietnam accounting for nearly 50% of observed traffic. The malware binds a hard-coded port (55988) to enable direct attacker control.
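The hard-coded port gives defenders a host-side check. The following is an added example, not code from Trellix or NSFOCUS: it scans Linux `/proc/net` socket tables for a socket bound to port 55988. The function name and the sample table are constructed, and because the article does not name the protocol, both TCP listeners and bound UDP sockets are checked.

```python
import os

MASJESU_PORT = 55988  # hard-coded port reported in the article
# State column values in /proc/net/*: 0A = TCP LISTEN, 07 = unconnected (bound) UDP.
# Assumption: the article does not name the protocol, so both are covered.
BOUND_STATES = {"tcp": "0A", "udp": "07"}

def find_bound_sockets(proc_net_text, proto, port=MASJESU_PORT):
    """Return (local_addr_hex, uid, inode) for each socket bound to `port`."""
    hits = []
    for line in proc_net_text.splitlines()[1:]:  # first row is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        addr_hex, _, port_hex = fields[1].rpartition(":")
        try:
            local_port = int(port_hex, 16)  # ports are printed in hex
        except ValueError:
            continue
        # Match the local port only; 55988 in the remote column is a peer's port.
        if local_port == port and fields[3] == BOUND_STATES[proto]:
            hits.append((addr_hex, int(fields[7]), int(fields[9])))
    return hits

# Constructed sample in /proc/net/tcp layout (not captured from a real device).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1021 1 0000000000000000 100 0 0 10 0
   1: 00000000:DAB4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4417 1 0000000000000000 100 0 0 10 0
   2: 0100A8C0:8F2C 0500A8C0:DAB4 01 00000000:00000000 00:00000000 00000000     0        0 4502 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    # On a live Linux host, check every socket table that exists.
    for name in ("tcp", "tcp6", "udp", "udp6"):
        path = os.path.join("/proc/net", name)
        if os.path.exists(path):
            with open(path) as fh:
                for hit in find_bound_sockets(fh.read(), name.rstrip("6")):
                    print(name, *hit)
```

A reported inode can be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to identify the owning process.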