Cybersecurity firm Trellix has published new details about Masjesu, a botnet built to launch large-scale distributed denial-of-service (DDoS) attacks from hijacked, vulnerable Internet of Things (IoT) devices.
Active since at least 2023, Masjesu has been promoted mainly on Telegram, where its operator advertises attacks reaching hundreds of gigabytes in volume; that figure is the operator's own marketing claim and has not been independently verified. The campaign appears to target both Chinese- and English-speaking users. Although the current Telegram channel has over 400 subscribers, researchers believe the true userbase is larger because earlier channels were banned and their members are not counted.
Analysis shows the majority of infected devices are located in Vietnam, with additional victims spread across Brazil, India, Iran, Kenya, and Ukraine.
Masjesu is capable of infecting a wide range of system architectures, including i386, ARM, MIPS, and AMD64, allowing it to compromise diverse devices such as routers, home gateways, and digital video recorders. It exploits known vulnerabilities in products from vendors like D-Link, Huawei, and Netgear, as well as security issues in UPnP services.
Once installed, the malware establishes persistence by masquerading as a legitimate Linux system process and installing scheduled tasks (cron-style jobs) that restart it if it is killed. It also locks out competing malware by terminating commonly abused utilities and restricting access to shared directories that other bots rely on for staging their payloads.
Communication with the command-and-control (C2) servers is encrypted and built for resilience, using multiple domains with fallback IP addresses in case the domains are taken down. Based on the instructions received, infected devices can launch a variety of DDoS attacks, including TCP, UDP and HTTP floods as well as more specialized techniques.
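The process-masquerading and cron persistence described above are behaviours a defender can check for on a suspect device. The following is an added example written for this page; it is not code from the Trellix report or from the botnet, and the directory list, the process records, the crontab lines and the helper names are constructed assumptions for illustration rather than indicators from the report. The heuristics generalize beyond Masjesu: a userland binary dressed up as a kernel thread, an executable running from a world-writable directory or already unlinked from disk, and a cron job that re-launches such a binary are common to most IoT bot families.

```python
"""Heuristic checks for process-name masquerading and cron persistence.

Sample data below is constructed for illustration; it is not from the
Trellix report. Run on a real device by filling the Proc list from
/proc/<pid>/{comm,exe,cmdline} and the lines from /etc/crontab,
/etc/cron.d/* and /var/spool/cron/*.
"""
import re
from dataclasses import dataclass

# Directories a legitimate long-running daemon should not execute from.
# (/var/run is often a writable tmpfs on embedded devices, which is
# exactly why droppers like it.)  Assumed list, extend per device.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/")

# argv[0] patterns that imitate kernel threads, e.g. "[kworker/0:1]".
KERNEL_THREAD_RE = re.compile(r"^\[[^\]]+\]$")

# Names malware commonly borrows; a process using one of these as
# argv[0] must actually be backed by a binary of that name.
SYSTEM_NAMES = {"init", "sshd", "cron", "crond", "dbus-daemon",
                "udhcpc", "dropbear", "httpd", "telnetd"}


@dataclass
class Proc:
    pid: int
    comm: str      # contents of /proc/<pid>/comm
    exe: str       # readlink of /proc/<pid>/exe; "" for real kernel threads
    cmdline: str   # /proc/<pid>/cmdline with NUL bytes replaced by spaces


def suspicious_process(p: Proc) -> list[str]:
    """Return the list of reasons a process looks like a disguised bot."""
    reasons = []
    argv = p.cmdline.split()
    argv0 = argv[0] if argv else ""
    # A real kernel thread has no exe link; a userland process that
    # calls itself "[kworker/1:2]" still has one.
    if KERNEL_THREAD_RE.match(argv0) and p.exe:
        reasons.append("kernel-thread name but backed by a userland executable")
    if p.exe.startswith(UNTRUSTED_DIRS):
        reasons.append(f"executable lives in a world-writable directory: {p.exe}")
    # The kernel appends " (deleted)" when the binary was unlinked after exec,
    # a classic anti-forensics move for droppers that self-delete.
    if p.exe.endswith(" (deleted)"):
        reasons.append("executable was deleted from disk after it started")
    exe_base = p.exe.removesuffix(" (deleted)").rsplit("/", 1)[-1]
    argv0_base = argv0.rsplit("/", 1)[-1]
    if argv0_base in SYSTEM_NAMES and exe_base != argv0_base:
        reasons.append(f"argv[0] {argv0_base!r} does not match binary {exe_base!r}")
    return reasons


# Matches either a "@reboot"-style shortcut or five schedule fields,
# then captures the command part of the crontab line.
CRON_LINE_RE = re.compile(r"^(?:@\w+|(?:\S+\s+){5})\s*(.*)$")


def suspicious_cron(lines: list[str]) -> list[str]:
    """Return crontab lines whose command references an untrusted directory."""
    hits = []
    for line in lines:
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = CRON_LINE_RE.match(s)
        if not m:
            continue
        command = m.group(1)
        if any(d in command for d in UNTRUSTED_DIRS):
            hits.append(s)
    return hits


# Constructed sample data (not real indicators).
SAMPLE_PROCS = [
    Proc(1, "init", "/sbin/init", "/sbin/init"),
    Proc(412, "kworker/0:1", "", ""),                                  # genuine kernel thread
    Proc(1337, "kworker/1:2", "/tmp/.x (deleted)", "[kworker/1:2]"),   # masquerading bot
    Proc(2001, "sshd", "/var/run/.d", "sshd -D"),                      # borrowed daemon name
]
SAMPLE_CRONTAB = """
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot /tmp/.x
*/5 * * * * /var/run/.d >/dev/null 2>&1
""".splitlines()


def scan(procs: list[Proc], cron_lines: list[str]) -> dict:
    """Run both checks and return {pid: reasons} plus the flagged cron lines."""
    flagged = {p.pid: r for p in procs if (r := suspicious_process(p))}
    return {"processes": flagged, "cron": suspicious_cron(cron_lines)}


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCS, SAMPLE_CRONTAB)["processes"].items():
        print(pid, "->", "; ".join(reasons))
    for line in scan(SAMPLE_PROCS, SAMPLE_CRONTAB)["cron"]:
        print("cron:", line)
```

On the sample data the genuine kernel thread and `/sbin/init` pass cleanly, the fake `kworker` is flagged three times over, and both cron lines that re-launch binaries from `/tmp` and `/var/run` are reported. On a real device, combine this with a check of which binaries are missing or not executable (a bot that "terminates common utilities" often also removes or chmods them), which the page describes but this example does not cover.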