Masjesu attack flow diagram | Image: Trellix
Trellix ARC has released a deep dive into the Masjesu botnet, a threat that has redefined stealth in the Internet of Things (IoT) landscape. Unlike the flashy, massive outbreaks of years past, Masjesu is a patient, commercially-driven operation that has been quietly maturing for three years.
Masjesu isn’t just a random malware strain; it is a professional business. According to the Trellix report, “the Masjesu botnet, a sophisticated, commercially-run Internet of Things (IoT) threat, has been operational and evolving since early 2023, continuing into 2026”. The operators behind this framework have a clear monetization strategy, marketing the botnet as a “Distributed Denial of Service (DDoS)-for-hire service” via encrypted Telegram channels.
While other botnets burn through targets quickly, Masjesu plays the long game. The report notes that the botnet “favors careful, low-key execution over widespread infection, deliberately avoiding blocklisted IP ranges such as those belonging to the Department of Defense (DoD) to ensure long-term survival”.
This “low-profile” philosophy extends to its technical build:
- Broad Architecture Support: It is built for a wide range of device architectures, including i386, MIPS, ARM, and AMD64.
- Encrypted Operations: The malware uses XOR-based encryption to mask its strings and configuration data, which hinders traditional signature-based scanners.
- Selective Exploitation: For propagation, the malware identifies and exploits known vulnerabilities in devices from major manufacturers like D-Link, GPON, and Netgear.
The current iteration of the botnet, hardcoded as version 1.04, carries a diverse DDoS toolkit. Once a device is compromised, it communicates with a Command and Control (C2) infrastructure that uses multiple domains and fallback IPs for resiliency.
“Its command and control (C2) infrastructure uses multiple domains with fallback IP addresses, and supports numerous DDoS attack methods, including TCP, UDP, and HTTP floods,” the report explains.
Beyond standard floods, Masjesu supports several more specialized attack vectors. When an attack is initiated, the malware identifies itself with a distinctive user-agent string, “masjesu”. Depending on the instructions received from the server, the botnet can deploy:
- Valve Source Engine (VSE) Floods: Exploiting game server protocols.
- RDP and GRE Flooding: Generating random payloads to choke network infrastructure.
- Industrial and Network Protocols: Targeting OSPF, ICMP, and IGMP for specialized disruptions.
The persistence of Masjesu is a reminder that IoT security cannot be an afterthought. Because these actors are “aggressively promoting their sites” and relying on obfuscation, standard perimeter defenses are often bypassed.
To harden your environment against this evolving threat, security teams should focus on:
- Vulnerability Management: Prioritize patching edge devices from Netgear, D-Link, and GPON.
- Network Monitoring: Watch for the unique “masjesu” user-agent in inbound and outbound traffic.
- Behavioral Analysis: Look for unusual XOR-encrypted payloads or connections to non-standard C2 fallback IPs.
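As an added example (not from the Trellix report or this article), the following Python script applies the Network Monitoring recommendation above: it parses web-server access log lines in Combined Log Format, flags requests whose user-agent is the literal string “masjesu” that the report attributes to the botnet, and counts hits per source host so a flood stands out. The log lines are constructed for illustration, not captured traffic.

```python
import re
from typing import Dict, List, Optional

# Combined Log Format: host ident authuser [date] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-agent string the Trellix report attributes to Masjesu attack traffic.
MASJESU_UA = "masjesu"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one Combined Log Format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_masjesu_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return parsed records whose user-agent is exactly 'masjesu' (case-insensitive)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole scan
        if rec["ua"].strip().lower() == MASJESU_UA:
            hits.append(rec)
    return hits


def summarize_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per source host; a flood shows up as a high count."""
    counts: Dict[str, int] = {}
    for rec in hits:
        counts[rec["host"]] = counts.get(rec["host"], 0) + 1
    return counts


# Constructed sample log lines (not real traffic): two flagged requests, one browser, one malformed.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2026:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "masjesu"',
    '198.51.100.7 - - [10/Mar/2026:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "masjesu"',
    '203.0.113.5 - - [10/Mar/2026:12:00:02 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    "this line is not in combined log format",
]

if __name__ == "__main__":
    for host, n in summarize_by_source(find_masjesu_hits(SAMPLE_LOG)).items():
        print(f"{host}: {n} request(s) with user-agent '{MASJESU_UA}'")
```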