Masjesu IoT Botnet Powers Stealthy DDoS-for-Hire Attacks
Researchers reported that the Masjesu botnet, also tracked as XorBot, has been operating since early 2023 as a DDoS-for-hire service promoted on Telegram. The malware targets internet-exposed routers, gateways, cameras, DVRs, NVRs, and other embedded devices across multiple CPU architectures, exploiting known command-injection and remote code execution flaws in products from vendors including D-Link, Huawei, NETGEAR, TP-Link, and GPON. Trellix said the botnet is engineered for stealth and longevity, using XOR-based obfuscation, runtime decryption, persistence mechanisms, process spoofing, and multi-domain command-and-control infrastructure with fallback IPs.
Once installed, Masjesu opens a hard-coded TCP port 55988 for direct operator access, suppresses termination signals, kills utilities such as wget and curl, and connects to external servers for attack instructions. The operators reportedly avoid scanning or infecting high-profile ranges such as U.S. Department of Defense networks to reduce scrutiny, while advertising the botnet's geographic spread and attack capacity. Observed traffic has been concentrated in Vietnam and also seen from Ukraine, Iran, Brazil, Kenya, and India, with the botnet used to launch TCP, UDP, and HTTP flood attacks against CDNs, game servers, and enterprises, including volumes reported at roughly 290 Gbps.
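As an added example, not code from Trellix or from this page's sources, the listener check below parses `ss -tlnp` output for the hard-coded operator port 55988 named above and reports the owning process; the sample output is constructed, and the process name in it is hypothetical.

```python
import re

# Constructed sample of `ss -tlnp` output (not captured from a real host):
# ordinary services plus one listener on Masjesu's hard-coded port 55988.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=612,fd=3))
LISTEN  0       128     0.0.0.0:55988        0.0.0.0:*          users:(("busybox",pid=1433,fd=5))
LISTEN  0       511     127.0.0.1:80         0.0.0.0:*          users:(("httpd",pid=902,fd=4))
"""

# Port reported as the hard-coded direct-access port opened by Masjesu.
MASJESU_OPERATOR_PORT = 55988

# One LISTEN row: state, queues, local addr:port, peer addr:port, process field.
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(.*)$")
# Each ("name",pid=N,...) entry inside the process field.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def find_suspicious_listeners(ss_output, port=MASJESU_OPERATOR_PORT):
    """Return listeners bound to `port`, with the processes that own them."""
    hits = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or non-LISTEN row
        addr, lport, proc_field = m.groups()
        if int(lport) != port:
            continue
        procs = [(name, int(pid)) for name, pid in PROC_RE.findall(proc_field)]
        hits.append({"addr": addr, "port": int(lport), "processes": procs})
    return hits


if __name__ == "__main__":
    # On a live host, feed the output of `ss -tlnp` instead of the sample.
    for hit in find_suspicious_listeners(SAMPLE_SS_OUTPUT):
        print(f"listener on {hit['addr']}:{hit['port']} owned by {hit['processes']}")
```

A listener on this port is a trigger for a closer look at the owning process, since the malware is reported to spoof process names.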

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Breakglass report deanonymizes alleged Masjesu operator as Seyit Girgin
Breakglass Intelligence published an attribution investigation alleging that Masjesu/XorBot is operated by Turkish national Seyit Girgin. The report linked the botnet to Girgin through Telegram channels, C2 and adjacent infrastructure, GitHub accounts, and commit email metadata, expanding attribution beyond the previously reported alias 'synmaestro.'
Trellix publishes analysis of Masjesu's stealth, persistence, and DDoS activity
Trellix reported that Masjesu targets a wide range of IoT devices across multiple CPU architectures, uses XOR-based obfuscation and resilient command-and-control infrastructure, and avoids high-profile IP ranges such as U.S. Department of Defense networks. The report said infected bots could launch TCP, UDP, and HTTP flood attacks, with observed traffic concentrated in Vietnam and also seen from Ukraine, Iran, Brazil, Kenya, and India, and attack volumes reaching roughly 290 Gbps.
Masjesu expands with exploits targeting routers, cameras, DVRs, and NVRs
Newer Masjesu variants incorporated numerous command injection and remote code execution exploits affecting devices from vendors including D-Link, Huawei, NETGEAR, and TP-Link. The malware spread by scanning for hardcoded open ports and exploiting known vulnerabilities across multiple IoT and embedded device types.
NSFOCUS links Masjesu activity to actor 'synmaestro'
At some point prior to the April 2026 reporting, NSFOCUS attributed the Masjesu operation to a threat actor identified as "synmaestro." This gave researchers a named alias to track the botnet's operators.
Masjesu botnet begins operating as a Telegram-marketed DDoS-for-hire service
Masjesu, also called XorBot, has been active since early 2023 and was marketed primarily on Telegram as a DDoS-for-hire service. The operation focused on building a stealthy, persistent IoT botnet for long-term use in distributed denial-of-service attacks.
Sources
From 'Hello Honeypot' to Real Name: Deanonymizing the Masjesu Botnet Operator Through GitHub Commit Emails - Breakglass Intelligence (intel.breakglass.tech)
Masjesu botnet: Stealthy DDoS-for-hire service targets IoT devices | brief | SC Media (scworld.com)
Masjesu botnet targets IoT devices while evading high-profile networks (securityaffairs.com)
Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices (thehackernews.com)