Stealthy Masjesu Botnet Offers DDoS‑for‑Hire Service Targeting IoT Devices While Evading High‑Profile Networks
What Happened – A sophisticated botnet named Masjesu, active since 2023, provides a DDoS‑for‑hire service that compromises IoT routers, gateways and embedded systems. It spreads by exploiting known firmware flaws in devices from vendors such as D‑Link, Netgear and GPON, encrypts its payloads, and deliberately avoids high‑profile IP ranges (e.g., U.S. Department of Defense) to stay hidden.
Why It Matters for TPRM –
- The botnet can be rented to launch multi‑gigabit attacks against CDNs, gaming platforms and enterprise services, creating service‑disruption risk for downstream customers.
- Its focus on stealth and persistence means compromised IoT assets may remain undetected for months, increasing the attack surface of any organization that relies on third‑party IoT infrastructure.
- Operators advertise via Telegram, indicating a commercial “crime‑as‑a‑service” model that can be quickly adopted by threat actors targeting supply‑chain partners.
Who Is Affected – Technology & SaaS providers, manufacturing firms, energy & utilities, retail/e‑commerce operators, and any organization that deploys or manages IoT routers, gateways or embedded devices.
Recommended Actions –
- Conduct an inventory of all IoT assets and verify firmware versions against vendor advisories.
- Enforce strict network segmentation and egress filtering to block outbound traffic to known Masjesu C2 domains and ports (e.g., TCP 55988).
- Require vendors to demonstrate timely patching of known router vulnerabilities (CVE‑2024‑xxxx series).
- Monitor threat‑intel feeds for Masjesu‑related Telegram channels and implement user‑education on social‑media phishing.
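One way to operationalise the egress-filtering action above on the detection side, as an added example that is not part of the SecurityAffairs report or this brief: a small Python check that scans firewall log lines and flags any host in the IoT management subnet initiating TCP traffic to the C2 port the brief names (TCP 55988). The log format, the IoT subnet (10.20.0.0/16), the internal ranges and the sample log lines are all constructed for the example; only the port comes from the brief.

```python
"""
Added example (not from the report): flag outbound TCP connections from an
IoT subnet to the Masjesu C2 port named in the brief (TCP 55988).
Log format, subnet choice and sample lines are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Port the brief names as a Masjesu C2 port.
MASJESU_C2_PORT = 55988

# Assumption (constructed): IoT routers/gateways live in this subnet.
IOT_SUBNET = ipaddress.ip_network("10.20.0.0/16")

# Assumption (constructed): RFC 1918 ranges count as "internal" destinations.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Simplified iptables/netfilter-style log line (constructed format).
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    dpt: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Extract source, destination, protocol and destination port; None if no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"],
            "proto": m["proto"].upper(), "dpt": int(m["dpt"])}


def classify(event: dict) -> Optional[Alert]:
    """Return an Alert when an IoT-subnet host talks TCP to the C2 port."""
    try:
        src = ipaddress.ip_address(event["src"])
        dst = ipaddress.ip_address(event["dst"])
    except ValueError:
        return None  # malformed address: skip rather than crash the scan
    if src not in IOT_SUBNET:
        return None
    if event["proto"] != "TCP" or event["dpt"] != MASJESU_C2_PORT:
        return None
    if any(dst in net for net in INTERNAL_NETS):
        reason = "IoT host -> internal host on Masjesu C2 port (check lateral movement)"
    else:
        reason = "IoT host -> external host on Masjesu C2 port (possible C2 egress)"
    return Alert(str(src), str(dst), event["dpt"], reason)


def scan(lines: List[str]) -> List[Alert]:
    """Run the check over a batch of log lines and collect the alerts."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not a connection log line (or unparseable)
        alert = classify(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log lines (documentation addresses from RFC 5737).
SAMPLE_LOG = [
    "Jan 10 03:14:07 gw kernel: [EGRESS] IN=br-iot OUT=eth0 "
    "SRC=10.20.4.17 DST=203.0.113.45 PROTO=TCP SPT=41022 DPT=55988",   # hit
    "Jan 10 03:14:09 gw kernel: [EGRESS] IN=br-iot OUT=eth0 "
    "SRC=10.20.4.17 DST=203.0.113.45 PROTO=TCP SPT=41023 DPT=443",     # normal HTTPS
    "Jan 10 03:15:00 gw kernel: [EGRESS] IN=br-lan OUT=eth0 "
    "SRC=192.168.1.50 DST=203.0.113.45 PROTO=TCP SPT=5000 DPT=55988",  # not IoT subnet
    "Jan 10 03:15:30 gw kernel: [EGRESS] IN=br-iot OUT=eth0 "
    "SRC=10.20.9.3 DST=198.51.100.9 PROTO=UDP SPT=1234 DPT=55988",     # UDP, not TCP
    "Jan 10 03:16:00 gw sshd[412]: Accepted publickey for admin",       # unrelated line
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"ALERT {a.src} -> {a.dst}:{a.dpt}  {a.reason}")
```

The check is deliberately narrow (source subnet plus the one port the brief gives) so it can run against existing firewall logs without tuning; a production version would pull the port and domain list from the threat-intel feed rather than a constant, and would also feed the same rule into the egress filter itself, not only into detection.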
Technical Notes – Masjesu uses multi‑stage XOR encryption to hide strings and C2 information, installs persistence via renamed system libraries and cron jobs, and launches TCP/UDP/HTTP flood attacks up to ~290 Gbps. Exploited vulnerabilities include outdated firmware on D‑Link, Netgear and GPON devices. Source: SecurityAffairs