April 30, 2026
The article reports on a botnet called Masjesu, also known as XorBot, which researchers say has evolved into a commercial DDoS-for-hire operation targeting internet-connected devices around the world. First observed in 2023 and now promoted through Telegram, the botnet is described as focusing on persistence and stealth rather than reckless mass disruption. According to the report cited by The Hacker News, Masjesu infects routers, gateways, and other IoT equipment across multiple hardware architectures, while deliberately avoiding certain highly sensitive IP ranges such as those associated with the U.S. Department of Defense in order to reduce attention and extend its operational life. The article notes that earlier research had already linked the botnet to an operator called “synmaestro,” and that newer versions have steadily expanded their exploit arsenal and DDoS capabilities.
The piece also explains how the malware works once it lands on a device. It opens a hard-coded TCP port to allow direct operator access, establishes persistence, suppresses common utilities like wget and curl—possibly to interfere with rival malware—and then contacts an external server for attack instructions. Masjesu is further described as self-propagating, scanning random IP addresses for exposed services and exploiting vulnerable devices, including Realtek-based routers through port 52869 associated with the miniigd daemon. The article says the botnet is marketed for volumetric attacks against targets such as CDNs, game servers, and enterprises, with much of the observed attack traffic originating from countries including Vietnam, Ukraine, Iran, Brazil, Kenya, and India, and Vietnam accounting for nearly half of it. The broader takeaway is that Masjesu is becoming a more mature and commercially structured botnet operation, combining quiet long-term survival with enough automation and scale to make it a serious threat in the IoT DDoS ecosystem.
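One way a defender could look for the two network behaviours described above (outside probes of port 52869, and a LAN device scanning outward on that port) in firewall logs, as an added example that is not from the article or the cited research. The netfilter-style log format, the RFC 1918 internal ranges, the threshold of 3 and every log line are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

MINIIGD_PORT = "52869"   # Realtek miniigd port named in the article
SCAN_THRESHOLD = 3       # assumed: distinct external targets before a host is flagged
# Assumed internal address space (RFC 1918); adjust to the monitored network.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed netfilter-style log lines using documentation addresses, not real traffic.
SAMPLE_LOG = """\
kernel: FW IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.1 PROTO=TCP SPT=40112 DPT=52869
kernel: FW IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.1 PROTO=TCP SPT=40113 DPT=52869
kernel: FW IN=eth0 OUT= SRC=198.51.100.20 DST=192.168.1.1 PROTO=TCP SPT=51000 DPT=443
kernel: FW IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.1 PROTO=TCP SPT=33001 DPT=52869
kernel: FW IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.2 PROTO=TCP SPT=33002 DPT=52869
kernel: FW IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.3 PROTO=TCP SPT=33003 DPT=52869
kernel: FW IN=br0 OUT=eth0 SRC=192.168.1.60 DST=198.51.100.9 PROTO=TCP SPT=41000 DPT=52869
kernel: FW IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.99 PROTO=UDP SPT=5353 DPT=52869
kernel: FW IN=eth0 OUT= SRC=not-an-ip DST=192.168.1.1 PROTO=TCP SPT=1 DPT=52869
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in INTERNAL)

def analyse(log_text):
    """Return (inbound probes per external source, internal hosts that look like scanners)."""
    inbound = defaultdict(int)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != MINIIGD_PORT:
            continue
        try:
            src_in, dst_in = is_internal(f["SRC"]), is_internal(f["DST"])
        except (KeyError, ValueError):
            continue  # skip lines with missing or malformed addresses
        if dst_in and not src_in:
            inbound[f["SRC"]] += 1            # WAN-side probe of the miniigd port
        elif src_in and not dst_in:
            targets[f["SRC"]].add(f["DST"])   # LAN device reaching out on that port
    scanners = {h: len(t) for h, t in targets.items() if len(t) >= SCAN_THRESHOLD}
    return dict(inbound), scanners

if __name__ == "__main__":
    probes, scanners = analyse(SAMPLE_LOG)
    print("inbound probes:", probes)
    print("possible infected scanners:", scanners)
```

A LAN host that appears in the second result is the stronger signal: it matches the self-propagation behaviour the article describes and warrants isolating the device for inspection.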
Source: https://thehackernews.com/2026/04/masjesu-botnet-emerges-as-ddos-for-hire.html