Overview
- Security researchers at Trellix published a deep dive into Masjesu, an IoT botnet active since 2023 that is rented out on Telegram to launch paid denial‑of‑service attacks.
- Most observed attack traffic comes from Vietnam with additional sources in Brazil, India, Iran, Kenya, and Ukraine, indicating many networks are involved rather than a single hosting provider.
- The malware spreads by scanning the internet for open ports and exploiting known flaws in home and small office gear such as D‑Link and GPON routers, Huawei gateways, MVPower and NETGEAR devices, and Realtek routers exposed on port 52869.
- To stay on infected devices, Masjesu binds a backdoor on TCP port 55988, hides its settings with XOR encryption, renames itself to look like a Linux system file, sets a cron job to relaunch every 15 minutes, and kills tools like wget and curl to block rival malware.
- Bots receive commands from multiple fallback control domains and can run many flood types including UDP, TCP, ICMP, GRE, and HTTP, which the operator markets as fit for hitting CDNs, game servers, and enterprises, so unwitting device owners end up with hardware that is weaponized against third parties.
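The persistence traits above (a listener on TCP 55988 and a cron job that relaunches every 15 minutes) are host-side indicators a defender can check for. The following script is an added example, not code from Trellix or from the botnet write-up; it parses constructed `ss -ltn`-style output and a constructed crontab, and the `systemd-helper` path in the sample is a placeholder, not a name from the report.

```python
import re

# Indicators as described in the Trellix write-up summarised above.
BACKDOOR_PORT = 55988
RELAUNCH_MINUTES = 15

# Constructed sample of `ss -ltn` output (not captured from a real device).
SS_SAMPLE = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:55988       0.0.0.0:*
LISTEN 0      511    [::]:80             [::]:*
"""

# Constructed sample crontab; the binary path is a placeholder.
CRON_SAMPLE = """# constructed sample crontab
0 3 * * * /usr/bin/backup.sh
*/15 * * * * /usr/sbin/systemd-helper >/dev/null 2>&1
"""


def listening_ports(ss_output: str) -> set:
    """Return the set of local TCP ports from `ss -ltn`-style output."""
    ports = set()
    for line in ss_output.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 4:
            continue
        port = parts[3].rsplit(":", 1)[-1]  # handles 0.0.0.0:P and [::]:P
        if port.isdigit():
            ports.add(int(port))
    return ports


def relaunch_cron_lines(crontab: str) -> list:
    """Return crontab entries scheduled every RELAUNCH_MINUTES minutes."""
    every_n = {f"*/{RELAUNCH_MINUTES}",
               ",".join(str(m) for m in range(0, 60, RELAUNCH_MINUTES))}
    hits = []
    for line in crontab.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        fields = entry.split(None, 5)  # minute hour dom month dow command
        if len(fields) == 6 and fields[0] in every_n:
            hits.append(entry)
    return hits


def assess(ss_output: str, crontab: str) -> dict:
    """Combine both checks into one verdict for a host."""
    return {
        "backdoor_port_listening": BACKDOOR_PORT in listening_ports(ss_output),
        "relaunch_cron": relaunch_cron_lines(crontab),
    }
```

Neither indicator alone is conclusive (a legitimate job may run every 15 minutes), so treat a hit as a trigger for inspecting the binary the cron entry launches.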