201/69 Thursday, April 9, 2026

Trellix has revealed details about the Masjesu botnet, which is specifically designed to carry out Distributed Denial-of-Service (DDoS) attacks. Active since 2023, the botnet operators promote their services via Telegram in both Chinese and English, claiming the capability to launch attacks reaching hundreds of gigabits per second. Analysis shows that the botnet supports multiple architectures, including i386, MIPS, ARM, SPARC, PPC, 68K, and AMD64. Most infected devices are located in Vietnam, with additional cases reported in Brazil, India, Iran, Kenya, and Ukraine.
Masjesu spreads by exploiting vulnerabilities in various IoT devices, such as routers from D-Link, Huawei, and Netgear, as well as MVPower digital video recorders (DVRs) and UPnP-enabled services. A key characteristic of this botnet is its focus on long-term persistence rather than aggressive propagation. The malware disguises its files to resemble legitimate Linux system components and establishes cron jobs that reinfect the system every 15 minutes. It also encrypts critical information, such as C2 domains and ports, within lookup tables, decrypting them only during execution.
Operationally, Masjesu can launch multiple types of DDoS attacks, including UDP, TCP, and HTTP floods, as well as protocol-specific attacks like GRE. The malware also disables tools such as wget and curl and locks temporary directories to prevent other botnets from infecting the same device. According to Trellix, Masjesu emphasizes stealth, persistence, and evasion techniques over widespread and noisy propagation, making it particularly difficult to detect and mitigate.
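A defender-side check for the persistence behaviour described above, added here as an example and not code from Trellix or SecurityWeek: it scans a crontab for jobs re-run every 15 minutes, executables staged in writable directories, and system-daemon look-alike names running outside the system paths. The staging directory list, the look-alike name set and the sample crontab are assumptions constructed for this example, not indicators from the report.

```python
import re
REINFECT_MINUTES = 15
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")        # assumed, not from the report
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")
SYSTEM_LOOKALIKES = {"systemd-udevd", "kworker", "sshd", "crond", "dbus-daemon"}  # assumed

SAMPLE_CRONTAB = """# constructed sample crontab, not taken from a real infection
*/15 * * * * /tmp/.systemd-udevd >/dev/null 2>&1
0,15,30,45 * * * * /var/tmp/kworker
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot /dev/shm/.x
"""

def minute_period(minute_field):
    """Period in minutes for '*/N' or an evenly spaced list ('0,15,30,45'); else None."""
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    if m:
        return int(m.group(1))
    if not re.fullmatch(r"\d+(,\d+)+", minute_field):
        return None
    mins = sorted(int(x) for x in minute_field.split(","))
    gaps = {b - a for a, b in zip(mins, mins[1:])}
    gaps.add(60 - mins[-1] + mins[0])        # wrap-around gap from the last entry to the first
    return gaps.pop() if len(gaps) == 1 else None

def scan_crontab(text):
    findings = []                             # list of (crontab line, [reasons])
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                  # @reboot, @hourly, ... have no time fields
            minute, hour, command = None, None, line.split(None, 1)[1]
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            minute, hour, command = parts[0], parts[1], parts[5]
        exe = command.split()[0]
        name = exe.rsplit("/", 1)[-1]
        reasons = []
        if minute is not None and hour == "*" and minute_period(minute) == REINFECT_MINUTES:
            reasons.append("re-runs every 15 minutes")
        if exe.startswith(STAGING_DIRS):
            reasons.append("executable lives in a writable staging directory")
        if name.lstrip(".") in SYSTEM_LOOKALIKES and not exe.startswith(SYSTEM_DIRS):
            reasons.append("system-daemon name outside the system directories")
        if reasons:
            findings.append((line, reasons))
    return findings
```

Run it against the output of `crontab -l` for each user and the files under /etc/cron.d on a suspect device; a hit is a lead for an analyst, not a verdict.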
Source https://www.securityweek.com/evasive-masjesu-ddos-botnet-targets-iot-devices/
