Masjesu
Masjesu, also referred to as XorBot, is a Mirai-derived IoT botnet used as a DDoS-for-hire service and advertised on Telegram since 2023. It targets a broad range of IoT and embedded devices, including routers, gateways, cameras, DVRs, and NVRs, across multiple CPU architectures. Reported targeted vendors include D-Link, GPON, Huawei, Netgear, TP-Link, Eir, Intelbras, MVPower, Vacron, and Realtek-based devices. It propagates by scanning random IP space for hardcoded open ports and exploiting known command injection and remote code execution vulnerabilities, then downloading and executing payloads; one noted target is port 52869 associated with the Realtek SDK miniigd daemon. The malware is designed for persistence and low visibility: it uses XOR-based encryption/obfuscation for strings, configuration data, payloads, and C2 communications; decrypts critical data at runtime; binds to hard-coded TCP port 55988; daemonizes itself; ignores termination signals; renames itself to resemble legitimate files such as /usr/lib/ld-unix.so.2; spoofs process names such as systemd-journald; installs a cron job every 15 minutes; kills processes including wget, curl, and sshd; and locks down /tmp. It also deliberately avoids sensitive or blocklisted ranges, including U.S. Department of Defense and other U.S. government IP space, to reduce visibility and prolong operations. Masjesu supports multiple DDoS methods, including UDP, TCP, HTTP, VSE, GRE, RDP, OSPF, and ICMP floods, with reported attack capacity around 290 Gbps. It has been promoted for attacks against CDNs, game servers, and enterprises, with observed attack traffic heavily sourced from Vietnam and also from Ukraine, Iran, Brazil, Kenya, and India. 
Reported infrastructure includes primary C2 85[.]11[.]167[.]182, which served compiled payloads for 17 CPU architectures and exposed a Go-based SSH service on port 1337 and Apache on port 80, as well as related infrastructure 85[.]11[.]167[.]180 (relay[.]hotemail[.]asia) and 45[.]153[.]34[.]252 (blackmirror[.]hotemail[.]asia). The botnet has been linked in reporting to the Telegram handle/channel t.me/flylegit and to the actor name "synmaestro"; one report further attributes Masjesu/XorBot to Seyit Girgin, a Turkish national, based on open-source infrastructure and account correlations.
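As an added host-triage example (not code from the page or from any vendor report), the following checks constructed `ss`, process and crontab samples for the host-level indicators described above: a listener on the hard-coded TCP port 55988, a binary renamed to /usr/lib/ld-unix.so.2, a process calling itself systemd-journald from outside the systemd directories, and a cron job firing every 15 minutes. The genuine systemd directories and the "pid comm exe" line shape are assumptions.

```python
import re
# Indicators taken from the write-up above.
C2_BIND_PORT = 55988
MASQ_PATHS = {"/usr/lib/ld-unix.so.2"}
SPOOFED_NAMES = {"systemd-journald"}
LEGIT_SYSTEMD_DIRS = ("/usr/lib/systemd/", "/lib/systemd/")  # assumption: genuine journald location
CRON_15 = re.compile(r"^\*/15(\s+\*){4}\s+(?P<cmd>\S+)")

def check_listeners(ss_lines):
    """Flag sockets bound to the hard-coded port (input: `ss -lntp`-style lines)."""
    hits = []
    for line in ss_lines:
        m = re.search(r"\S:(\d+)\s", line)  # first 'addr:port' is the local socket
        if m and int(m.group(1)) == C2_BIND_PORT:
            hits.append(("listener_55988", line.strip()))
    return hits

def check_processes(proc_lines):
    """Input lines 'pid comm exe' (constructed shape, from /proc/<pid>/comm and /proc/<pid>/exe)."""
    hits = []
    for line in proc_lines:
        pid, comm, exe = line.split(maxsplit=2)
        if exe in MASQ_PATHS:
            hits.append(("masquerade_path", f"pid={pid} exe={exe}"))
        if comm in SPOOFED_NAMES and not exe.startswith(LEGIT_SYSTEMD_DIRS):
            hits.append(("spoofed_name", f"pid={pid} comm={comm} exe={exe}"))
    return hits

def check_crontab(cron_lines):
    """Flag every-15-minute jobs; escalate when the command is a known masquerade path."""
    hits = []
    for line in cron_lines:
        m = CRON_15.match(line.strip())
        if m:
            tag = "cron_masq_path" if m.group("cmd") in MASQ_PATHS else "cron_every_15"
            hits.append((tag, line.strip()))
    return hits

def triage(ss_lines, proc_lines, cron_lines):
    return check_listeners(ss_lines) + check_processes(proc_lines) + check_crontab(cron_lines)
# Constructed sample telemetry, not captured from a real host.
SAMPLE_SS = ['LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=410,fd=3))',
             'LISTEN 0 128 0.0.0.0:55988 0.0.0.0:* users:(("ld-unix.so.2",pid=2048,fd=4))']
SAMPLE_PROCS = ["410 sshd /usr/sbin/sshd", "2048 systemd-journald /usr/lib/ld-unix.so.2",
                "215 systemd-journald /usr/lib/systemd/systemd-journald"]
SAMPLE_CRON = ["0 3 * * * /usr/bin/logrotate /etc/logrotate.conf", "*/15 * * * * /usr/lib/ld-unix.so.2"]
if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_SS, SAMPLE_PROCS, SAMPLE_CRON):
        print(f"[{tag}] {detail}")
```

A genuine journald (pid 215 in the sample) produces no finding; only the renamed binary, its spoofed process name, the bound port and the 15-minute cron entry are reported.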
Groups observed using it
1 distinct threat actor attributed by public researchers.
Called Masjesu, the botnet has been advertised via Telegram as a DDoS-for-hire service since it first surfaced in 2023. It's capable of targeting a wide range of IoT devices, such as routers and gateways, spanning multiple architectures.
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
3 techniques
MITRE ATT&CK ID | Technique | Evidence
T1583.001 | Acquire Infrastructure: Domains | hotemail[.]asia (typosquat), easyfor[.]me, shopanatolia[.]com
Initial Access
2 techniques
Execution
4 techniques
To achieve persistence, the malware renames itself as a legitimate system file (e.g., /usr/lib/ld-unix.so.2), installs a cron job to run every 15 minutes, and daemonizes to operate silently.
A subsequent iteration of the botnet observed a year later was found to have added 12 different command injection and code execution exploits...
Persistence
3 techniques
To achieve persistence, the malware renames itself as a legitimate system file (e.g., /usr/lib/ld-unix.so.2), installs a cron job to run every 15 minutes, and daemonizes to operate silently.
Privilege Escalation
2 techniques
Stealth
4 techniques
It's worth noting that the commercial offering also goes by the moniker XorBot owing to its use of XOR-based encryption to conceal strings, configurations, and payload data.
To achieve persistence, the malware renames itself as a legitimate system file (e.g., /usr/lib/ld-unix.so.2)... It also spoofs process names like systemd-journald to avoid detection.
Defense Impairment
1 technique
Discovery
3 techniques
Once compromised, devices are instructed to connect to a hard-coded port to receive commands for executing attacks and to self-propagate by scanning for vulnerable devices.
Lateral Movement
2 techniques
Command and Control
4 techniques
Impact
4 techniques
Cybersecurity researchers have lifted the curtain on a stealthy botnet that's designed for distributed denial-of-service (DDoS) attacks.
MITRE ATT&CK ID | Technique | Evidence
T1498.001 | Network Denial of Service: Direct Network Flood | UDP, TCP, ICMP, GRE, OSPF floods
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Mirai-derived IoT DDoS botnet that self-propagates across vulnerable consumer and SOHO networking devices, deploys payloads for 17 CPU architectures, uses XOR-encrypted C2 communications, performs honeypot detection, and launches volumetric floods across multiple protocols including UDP, TCP, VSE, GRE, RDP, OSPF, and ICMP.
IoT-focused botnet used as a DDoS-for-hire service. It targets routers and gateways across multiple architectures, uses XOR encryption, emphasizes stealth and persistence, exploits command injection and code execution flaws for initial access, and propagates by scanning for vulnerable devices.
A stealthy IoT botnet marketed via Telegram as a DDoS-for-hire service. It targets routers, gateways, and embedded devices across multiple CPU architectures, uses XOR encryption to hide strings/configs/payloads, persists via cron jobs and process masquerading, scans random IPs for vulnerable devices, exploits known flaws in products such as D-Link, GPON, and Netgear, and executes TCP, UDP, and HTTP flood attacks under C2 control.
An IoT-focused DDoS botnet marketed as a DDoS-for-hire service. It targets routers, gateways, cameras, DVRs, and NVRs across multiple architectures, uses XOR-based encryption to conceal strings/configurations/payloads, establishes persistence, opens a hard-coded TCP port for direct attacker access, kills competing processes like wget and curl, receives DDoS commands from an external server, and self-propagates by scanning random IPs for exploitable services.