CyberHappenings

Masjesu DDoS botnet campaign expands with multi-architecture payload targeting global IoT devices

1 unique source, 1 article

Summary


The Masjesu DDoS botnet has been operationally active since at least 2023, infecting IoT devices worldwide to launch multi-vector DDoS attacks exceeding hundreds of gigabytes in volume. The botnet’s operator advertises services on Telegram, targeting both Chinese and English-speaking users, and maintains a multi-architecture malware payload capable of infecting devices running i386, MIPS, ARM, SPARC, PPC, 68K, and AMD64. Masjesu primarily spreads via vulnerabilities in D-Link, GPON, Huawei home gateways, MVPower DVRs, Netgear routers, and UPnP-enabled devices, with the highest concentration of infected devices observed in Vietnam, Brazil, India, Iran, Kenya, and Ukraine.

Timeline

  1. 08.04.2026 14:49 · 1 article

    Masjesu DDoS botnet expands with global IoT infections and multi-architecture payload

    Analysts identify Masjesu as an active DDoS botnet since at least 2023, infecting IoT devices across multiple regions to launch high-volume attacks. The botnet leverages known vulnerabilities in common IoT device families to propagate, employs advanced persistence techniques, and supports a diverse set of CPU architectures for broader device compatibility. Masjesu’s C&C infrastructure includes multiple domains and fallback IPs, with client-side decryption and a 60-second socket timeout enhancing operational resilience.


Information Snippets

  • Masjesu has been active since at least 2023, with the operator advertising DDoS-for-hire services on Telegram, targeting both Chinese and English-speaking users.

    First reported: 08.04.2026 14:49
    1 source, 1 article
  • The botnet primarily infects IoT devices via known vulnerabilities in D-Link routers, GPON routers, Huawei home gateways, MVPower DVRs, Netgear routers, and UPnP services.

    First reported: 08.04.2026 14:49
    1 source, 1 article
  • Masjesu malware supports multiple CPU architectures, including i386, MIPS, ARM, SPARC, PPC, 68K (Motorola 68000), and AMD64, enabling broad device compatibility.

    First reported: 08.04.2026 14:49
    1 source, 1 article
  • Infected devices are predominantly located in Vietnam, with significant presence in Brazil, India, Iran, Kenya, and Ukraine, indicating a geographically distributed botnet.

    First reported: 08.04.2026 14:49
    1 source, 1 article
  • The malware achieves persistence by renaming its executable to mimic a legitimate Linux dynamic linker, forking a new process, and establishing a cron job with 15-minute recurrence.

    First reported: 08.04.2026 14:49
    1 source, 1 article
  • Masjesu encrypts sensitive strings such as C&C domains, ports, and process names in a lookup table, decrypting them at runtime to evade detection.

    First reported: 08.04.2026 14:49
    1 source, 1 article
  • The botnet terminates common utilities (e.g., wget, curl) and locks shared temporary folders to prevent interference from competing malware while enabling its own spread.

    First reported: 08.04.2026 14:49
    1 source, 1 article
  • Masjesu supports multiple DDoS attack vectors, including UDP, TCP, VSE, GRE, RDP, OSPF, ICMP, IGMP, TCP_SYN, TCP-ACK, TCP-ACKPSH, and HTTP floods.

    First reported: 08.04.2026 14:49
    1 source, 1 article
  • The malware uses multiple C&C domains and fallback IPs, implements a 60-second receive timeout on socket connections, and performs client-side decryption of received data.

    First reported: 08.04.2026 14:49
    1 source, 1 article
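The persistence snippet above (a binary renamed to look like the Linux dynamic linker, re-launched by a cron job every 15 minutes) and the note about the malware locking shared temporary folders give a defender two crontab-level checks. The script below is an added example written for this page, not code from the report or from any vendor: it parses crontab text and flags entries whose executable carries a dynamic-linker style name but lives outside the system library directories, or whose 15-minute schedule runs something out of a shared temp directory. The exact schedule form (`*/15` or `0,15,30,45`), the linker name patterns, the trusted library paths and the temp paths are assumptions, as is the sample crontab, which is constructed for the example.

```python
import os
import re
from dataclasses import dataclass
from typing import List

# Assumptions (not stated in the report): the cron entry uses "*/15 * * * *"
# or the equivalent "0,15,30,45" minute list, and the renamed binary borrows a
# glibc/musl dynamic-linker name such as ld-linux-x86-64.so.2 or ld.so.
LINKER_NAME = re.compile(r"^ld(-linux|-musl)?[\w.-]*\.so(\.\d+)*$")
TRUSTED_DIRS = ("/lib", "/lib32", "/lib64", "/usr/lib", "/usr/lib32", "/usr/lib64")
TMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


@dataclass
class Finding:
    line_no: int
    reason: str
    entry: str


def _in_dirs(path: str, roots) -> bool:
    """True if the directory of `path` is one of `roots` or nested under one."""
    d = os.path.dirname(path)
    return any(d == r or d.startswith(r + "/") for r in roots)


def _every_15_minutes(minute_field: str) -> bool:
    if minute_field == "*/15":
        return True
    try:
        vals = sorted(int(p) for p in minute_field.split(","))
    except ValueError:
        return False
    return vals == [0, 15, 30, 45]


def _command_path(command: str) -> str:
    """First token of the cron command, skipping leading VAR=value assignments."""
    for tok in command.split():
        if "=" in tok and not tok.startswith("/"):
            continue
        return tok
    return ""


def scan_crontab(text: str, system_tab: bool = False) -> List[Finding]:
    """Flag suspicious entries. system_tab=True for /etc/crontab, which has a user column."""
    findings = []
    extra = 1 if system_tab else 0
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # skip blanks, comments, VAR=value lines and @reboot-style entries (no minute field)
        if not line or line.startswith("#") or line.startswith("@") or re.match(r"^\w+=", line):
            continue
        fields = line.split(None, 5 + extra)
        if len(fields) < 6 + extra:
            continue
        minute, command = fields[0], fields[-1]
        exe = _command_path(command)
        reasons = []
        if LINKER_NAME.match(os.path.basename(exe)) and not _in_dirs(exe, TRUSTED_DIRS):
            reasons.append("dynamic-linker name outside system lib dirs")
        if _every_15_minutes(minute) and _in_dirs(exe, TMP_DIRS):
            reasons.append("15-minute schedule runs from shared temp dir")
        if reasons:
            findings.append(Finding(line_no, "; ".join(reasons), line))
    return findings


# Constructed sample crontab for the example; not taken from any real host.
SAMPLE_CRONTAB = """\
# constructed sample, not from any real host
SHELL=/bin/sh
0 2 * * * /usr/local/bin/backup.sh --full
*/15 * * * * /tmp/ld-linux-x86-64.so.2
0,15,30,45 * * * * /dev/shm/.x/ld.so
*/15 * * * * /usr/bin/fetch-metrics
"""

if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {f.reason} :: {f.entry}")
```

To use it on a live host, feed it the output of `crontab -l` per user (user-crontab format) or the contents of `/etc/crontab` with `system_tab=True`; a genuine dynamic linker invoked from under `/lib` or `/usr/lib` is not flagged, so the check keys on the mismatch between the name and the location rather than on the name alone.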