
Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices

Published:

8 April 2026 at 16:30:00

Alert date:

8 April 2026 at 18:01:38

Source:

thehackernews.com


Mobile & IoT, Ransomware & Malware, Network Infrastructure

Cybersecurity researchers have discovered the Masjesu botnet, a stealthy DDoS-for-hire service that has been advertised via Telegram since 2023. The botnet is designed specifically for distributed denial-of-service attacks and targets a wide range of IoT devices including routers and gateways across multiple architectures. This represents an active threat to global IoT infrastructure with commercial availability making it accessible to various threat actors.

Technical details

Masjesu (also known as XorBot) is a stealthy botnet built for DDoS attacks. It first surfaced in 2023 and has been advertised on Telegram as a DDoS-for-hire service. It uses XOR-based encryption to conceal strings, configuration, and payload data, and targets IoT devices including routers, cameras, DVRs, and NVRs. The malware contains 12 different command injection and code execution exploits. It creates and binds a socket on the hard-coded TCP port 55988 so that the attacker can connect to an infected device directly. It self-propagates by probing random IP addresses for open ports, and it scans port 52869, the port associated with the Realtek SDK's miniigd daemon, to find Realtek routers. To improve its chances of survival, it avoids blocklisted IP ranges such as those of the Department of Defense.

Mitigation steps:

Monitor for connections on TCP port 55988
Implement network segmentation for IoT devices
Keep IoT devices updated with the latest firmware
Monitor for scanning activity on port 52869
Block known malicious IP ranges
Implement DDoS protection measures for CDNs and game servers
Monitor Telegram channels for botnet-as-a-service advertisements
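The two port-based checks above (connections to the hard-coded bind port 55988 and scanning of port 52869) as detection logic over a constructed connection log. This is an added example, not code from the advisory or its source; the log format and the scan threshold of five distinct destinations are assumptions.

```python
"""Flag traffic matching the Masjesu indicators in this advisory (ports 55988 and 52869)."""
from collections import defaultdict

# Constructed sample connection log (assumed format): ts src_ip src_port dst_ip dst_port proto
SAMPLE_LOG = """\
2026-04-08T16:31:02 203.0.113.7 41022 192.168.10.5 55988 tcp
2026-04-08T16:31:05 192.168.10.5 50001 198.51.100.10 52869 tcp
2026-04-08T16:31:06 192.168.10.5 50002 198.51.100.11 52869 tcp
2026-04-08T16:31:07 192.168.10.5 50003 198.51.100.12 52869 tcp
2026-04-08T16:31:08 192.168.10.5 50004 198.51.100.13 52869 tcp
2026-04-08T16:31:09 192.168.10.5 50005 198.51.100.14 52869 tcp
2026-04-08T16:32:00 192.168.10.9 40100 198.51.100.20 443 tcp
2026-04-08T16:32:03 192.168.10.9 40101 198.51.100.10 52869 tcp
"""

BIND_PORT = 55988      # hard-coded listener port named in the advisory
REALTEK_PORT = 52869   # Realtek SDK miniigd port the bot scans for
SCAN_THRESHOLD = 5     # distinct destinations before we call it scanning (assumption)


def parse_line(line):
    ts, src, _sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def detect(log_text, scan_threshold=SCAN_THRESHOLD):
    """Return a sorted list of (rule, host) findings for the given log text."""
    findings = set()
    realtek_targets = defaultdict(set)  # source -> set of destinations hit on 52869
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["proto"] != "tcp":
            continue
        if rec["dport"] == BIND_PORT:
            # Someone connected to the bot's bind port: the destination is likely infected.
            findings.add(("inbound_to_bind_port_55988", rec["dst"]))
        elif rec["dport"] == REALTEK_PORT:
            realtek_targets[rec["src"]].add(rec["dst"])
    # A single source probing many hosts on 52869 looks like the bot's Realtek scan.
    for src, dsts in realtek_targets.items():
        if len(dsts) >= scan_threshold:
            findings.add(("realtek_52869_scan", src))
    return sorted(findings)


if __name__ == "__main__":
    for rule, host in detect(SAMPLE_LOG):
        print(f"{rule}: {host}")
```

A host flagged by both rules (here 192.168.10.5) is the strongest signal: it accepts attacker connections on 55988 and is already scanning for new victims.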

Affected products:

D-Link routers
Eir devices
GPON devices
Huawei routers
Intelbras devices
MVPower cameras/DVRs
NETGEAR routers
TP-Link routers
Vacron devices
Realtek routers
IoT devices (multiple architectures)

Related links:

Related CVEs:

Related threat actors:

IOCs:

TCP port 55988 (hard-coded bind port)
Port 52869 (Realtek SDK miniigd daemon scanning)
Primary attack origins: Vietnam (50%), Ukraine, Iran, Brazil, Kenya, India
XOR-based encryption usage

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website shows information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
