Masjesu: Exploit-Driven Botnet with Stealth, Scale, and Staying Power

Amber | Attack Report

Summary

Masjesu, also tracked as XorBot, is a commercially operated IoT botnet active since early 2023 that functions as a distributed denial-of-service for-hire platform marketed through Telegram channels. This botnet represents a significant evolution in IoT-based threat infrastructure, combining widespread vulnerability exploitation, sophisticated obfuscation techniques, and comprehensive DDoS attack capabilities to create a resilient and scalable threat platform capable of generating approximately 290 Gbps of attack traffic from compromised consumer and enterprise IoT devices.

The botnet propagates through indiscriminate internet-wide scanning operations targeting random IP addresses across commonly exploited network ports including TCP 80, 8080, 8443, 37215, and 5555. This scanning methodology identifies systems running vulnerable services across diverse IoT device categories including consumer routers, digital video recorders, network video recorders, CCTV systems, and devices implementing Universal Plug and Play protocols. The broad targeting approach maximizes infection opportunities while distributing compromise attempts across global infrastructure to avoid concentrated attention on specific networks or geographies.

Masjesu’s exploitation arsenal encompasses both legacy vulnerabilities and recent disclosures, demonstrating operators’ commitment to maintaining infection capabilities across diverse device generations. The botnet weaponizes CVE-2018-10561 and CVE-2018-10562, authentication bypass and command injection vulnerabilities in Dasan GPON routers that have been extensively exploited since their disclosure in 2018. Additionally, the botnet incorporates exploitation capabilities for CVE-2024-12847, a recently disclosed authentication bypass vulnerability in Netgear DGN1000 routers, indicating active monitoring of vulnerability disclosures and rapid weaponization of new attack vectors.

The malware demonstrates technical sophistication through multiple evasion and persistence mechanisms. XOR-based encryption using a layered multi-key scheme with values 0x16, 0x9F, and 0x8 obfuscates critical configuration data including command-and-control domains, IP addresses, and process names, preventing trivial extraction of operational infrastructure through static analysis. The malware employs process name spoofing to masquerade as legitimate Linux system components, renaming itself to mimic trusted binaries and reducing visibility during casual system inspection or basic process monitoring.

Persistence is achieved through cron-based scheduling that re-executes the malware every 15 minutes, ensuring survival through system reboots, manual termination attempts, and basic remediation efforts. The botnet binds a listener on TCP port 55988 to maintain direct operator communication channels independent of primary command-and-control infrastructure. Signal suppression techniques prevent termination through standard process signals, requiring more sophisticated removal procedures than simple kill commands.

Masjesu demonstrates aggressive competitive behavior against rival botnets, actively hunting and terminating processes associated with competing malware families including Mirai and Gafgyt. The botnet identifies competitor processes through naming conventions including “i386” architecture indicators and terminates them to ensure exclusive control over compromised devices. Additionally, the malware restricts administrative access by killing SSH daemon processes, preventing legitimate administrators from remediating compromised systems, and terminates wget and curl utilities to prevent rival botnets from downloading competing payloads.

The command-and-control infrastructure exhibits resilience through domain rotation and fallback mechanisms. Recent variants rotate across four primary domains with a backup IP address, maintaining connectivity even during partial infrastructure disruption or domain seizure operations. Communications utilize the same XOR encryption scheme protecting configuration data, preventing network-based inspection of command traffic. Compromised devices beacon system information including processor architecture and botnet version identifier (1.04) to operators, enabling infrastructure management and attack orchestration.

The botnet implements 13 distinct DDoS attack vectors providing operators with tactical flexibility for targeting different victim infrastructures. Attack methods include UDP floods, TCP SYN and ACK floods, HTTP application-layer attacks, Generic Routing Encapsulation protocol attacks, ICMP floods, Internet Group Management Protocol attacks, Open Shortest Path First protocol exploitation, Remote Desktop Protocol floods, and Valve Source Engine game server targeting. This diverse capability set enables effective attacks against network infrastructure, web applications, enterprise services, gaming platforms, and content delivery networks.

Notably, Masjesu demonstrates strategic restraint through deliberate exclusion of IP address ranges associated with United States Department of Defense, federal government agencies, and critical government infrastructure from scanning operations. This selective targeting reduces the probability of attracting high-profile law enforcement attention or triggering aggressive government response operations, allowing extended operational longevity. This calculated approach to target selection suggests sophisticated threat actor understanding of law enforcement priorities and risk management.

Attack Details

Propagation and Initial Compromise

Masjesu employs indiscriminate internet-wide scanning to identify vulnerable IoT devices across global networks. The botnet probes random IP addresses on commonly exploited ports associated with web administration interfaces, remote management services, and known vulnerable IoT protocols. TCP port 80 represents standard HTTP web interfaces used by router administration panels and IoT device management consoles. Ports 8080 and 8443 provide alternative HTTP and HTTPS services frequently used by embedded web servers on consumer network equipment.

Port 37215 is associated with specific IoT device management protocols and vulnerable services on certain router and DVR models. Port 5555 provides Android Debug Bridge connectivity and is frequently exposed on Android-based IoT devices including smart TVs, set-top boxes, and Android-powered CCTV systems. The scanning methodology prioritizes speed and coverage over stealth, as the botnet seeks to maximize infection rates rather than evade detection during initial compromise attempts.

Upon identifying responsive services on targeted ports, Masjesu attempts exploitation using its vulnerability arsenal. The botnet’s exploitation of CVE-2018-10561 and CVE-2018-10562 in Dasan GPON routers leverages authentication bypass to gain unauthorized administrative access followed by command injection to achieve arbitrary code execution. These vulnerabilities, despite being publicly disclosed and patched since 2018, remain effective against numerous unpatched devices across consumer and small business deployments where firmware updates are rarely applied.

The incorporation of CVE-2024-12847 exploitation demonstrates active vulnerability research and weaponization capabilities. This Netgear DGN1000 authentication bypass vulnerability represents a recent disclosure, and its rapid integration into Masjesu’s exploitation toolkit indicates operators monitor vulnerability databases and security advisories to maintain current exploitation capabilities. The targeting of Netgear devices supplements GPON router exploitation, expanding the botnet’s addressable victim population across diverse manufacturer ecosystems.

Following successful exploitation, Masjesu deploys architecture-specific payloads supporting i386, MIPS, ARM, SPARC, PowerPC, M68K (Motorola 68000), and AMD64 processor architectures. This comprehensive architecture support enables compromise across virtually all Linux-based IoT devices regardless of underlying hardware platform. The malware fetches payloads from command-and-control infrastructure via shell scripts executed through compromised device interfaces, ensuring appropriate binary selection for each victim system architecture.

Persistence and Anti-Detection Mechanisms

Upon establishing presence on compromised devices, Masjesu implements multiple persistence mechanisms ensuring long-term access and resistance to remediation. The primary persistence method utilizes cron-based scheduling, a standard Unix/Linux task scheduler present on virtually all Linux-based IoT devices. The malware installs cron entries configured to re-execute the bot binary every 15 minutes, providing automatic recovery following system reboots, manual process termination, or temporary network disruptions.

The malware employs process name spoofing to masquerade as legitimate Linux system components. By renaming itself to mimic trusted system binaries such as “/usr/lib/systemd/systemd-journald” or “usr/lib/ld-unix.so.2,” Masjesu reduces visibility during casual system inspection. Administrators performing routine process monitoring may overlook the malicious process, assuming it represents legitimate system functionality. This technique is particularly effective against inexperienced administrators or automated monitoring systems relying on process name matching rather than comprehensive binary verification.

Masjesu binds a listener socket on TCP port 55988, establishing a direct communication channel for operator commands independent of primary command-and-control domains. This secondary control channel provides operational redundancy, allowing operators to maintain access even if primary C2 infrastructure is disrupted or blocked. The hardcoded port selection enables rapid operator reconnection to compromised devices without requiring complex discovery or beaconing protocols.

The malware implements signal suppression to resist termination attempts. By ignoring or blocking standard Unix signals including SIGTERM and SIGINT, Masjesu prevents termination through simple kill commands or graceful shutdown requests. This defensive mechanism forces administrators to use more aggressive termination methods including SIGKILL or physical system restarts, increasing the effort required for remediation and providing additional time for the botnet to re-establish persistence through cron mechanisms.

Configuration Obfuscation and Encryption

Masjesu protects operational configuration data including command-and-control domains, IP addresses, and process names through multi-layer XOR encryption. The obfuscation scheme employs three sequential XOR operations with keys 0x16, 0x9F, and 0x8, applied in layers to encrypted data. This approach prevents trivial extraction of configuration values through static binary analysis or memory inspection, requiring reverse engineers to identify and replicate the decryption routine before recovering operational infrastructure indicators.

The XOR encryption, while not cryptographically strong against determined analysis, provides sufficient obfuscation to defeat automated indicator extraction tools and signature-based detection systems relying on plaintext domain or IP address matching. By encrypting configuration data at rest and decrypting only at runtime, Masjesu reduces its static signature footprint and complicates automated threat intelligence collection from malware samples.

All command-and-control communications utilize the same XOR encryption scheme, preventing network-based inspection of command traffic through deep packet inspection or intrusion detection systems. The encryption provides confidentiality for attack commands, target specifications, and botnet management traffic, forcing defenders to either capture and decrypt traffic or analyze malware binaries to understand operational activity.
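The layered XOR scheme described above, as an added analyst helper that is not the report's or the malware's code. The report names the keys 0x16, 0x9F and 0x8 but not the byte order or scope of each layer, so the code assumes each single-byte key is XORed across the whole buffer in turn; the sample blob, the placeholder C2 name and the TEST-NET address are constructed.

```python
"""Recover Masjesu-style XOR-layered configuration strings from a sample blob.

Added example (not the report's or the malware's code). ASSUMPTION: each of
the three single-byte keys is XORed over the whole buffer in sequence.
"""
import re

LAYER_KEYS = (0x16, 0x9F, 0x08)  # keys as stated in the report, in that order


def xor_layer(data: bytes, key: int) -> bytes:
    """One single-byte XOR pass over the whole buffer."""
    return bytes(b ^ key for b in data)


def encode_layers(data: bytes, keys=LAYER_KEYS) -> bytes:
    """Apply the layers in order (what the packer side would do)."""
    for key in keys:
        data = xor_layer(data, key)
    return data


def decode_layers(data: bytes, keys=LAYER_KEYS) -> bytes:
    """Undo the layers: XOR is its own inverse, so reapply them in reverse."""
    for key in reversed(keys):
        data = xor_layer(data, key)
    return data


def effective_key(keys=LAYER_KEYS) -> int:
    """Analyst caveat: stacked single-byte XORs collapse to one key
    (0x16 ^ 0x9F ^ 0x08 == 0x81), so the layering adds no real strength over
    a single XOR and a one-byte key sweep over the data section also works."""
    combined = 0
    for key in keys:
        combined ^= key
    return combined


def carve_strings(blob: bytes, keys=LAYER_KEYS, min_len: int = 6) -> list[str]:
    """Decode a blob and return printable runs of at least min_len bytes, the
    way an analyst sweeps a sample's data section for obfuscated domains, IPs
    and masquerade process names."""
    decoded = decode_layers(blob, keys)
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, decoded)]


# Constructed stand-in for an extracted config region: NUL-separated strings
# (placeholder C2 name, a TEST-NET fallback IP, a masquerade name from the report).
SAMPLE_PLAINTEXT = (b"c2.example.invalid\x00" b"192.0.2.10\x00"
                    b"/usr/lib/systemd/systemd-journald\x00")
SAMPLE_BLOB = encode_layers(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(f"effective single key: 0x{effective_key():02X}")
    for s in carve_strings(SAMPLE_BLOB):
        print("recovered:", s)
```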

Competitive Botnet Elimination

Masjesu demonstrates aggressive competition with rival IoT botnets through active process termination of competing malware families. The botnet specifically targets processes associated with Mirai and Gafgyt, two of the most prevalent IoT botnet families. Process identification occurs through naming convention matching, particularly targeting processes with “i386” architecture indicators in their names, a common pattern in Mirai and Gafgyt variants.

By eliminating competitor malware, Masjesu ensures exclusive control over compromised devices, preventing resource contention and maintaining reliable bot availability for DDoS operations. This competitive behavior also serves defensive purposes, as removing rival botnets reduces the likelihood of compromise detection through behavioral anomalies caused by multiple simultaneous infections.

The malware actively terminates wget, curl, and other file download utilities to prevent rival botnets from deploying competing payloads. By killing these processes and potentially blocking their future execution, Masjesu creates hostile environments for other botnets’ propagation mechanisms while preserving its own installed presence. Additionally, the malware terminates SSH daemon (sshd) processes, preventing legitimate administrators from accessing compromised systems for remediation while simultaneously blocking SSH-based propagation attempts by competing botnets.

Masjesu further reinforces its control by modifying filesystem permissions on the /tmp directory, setting it to read-only to prevent other malware from staging payloads in shared temporary storage locations. This defensive technique specifically targets malware families that rely on /tmp for staging and execution, effectively blocking a common propagation and persistence vector used by competitors.

Command-and-Control Infrastructure Resilience

The botnet’s command-and-control architecture demonstrates evolution toward resilience and redundancy. Recent Masjesu variants rotate across four primary domains with a fallback IP address, implementing automatic failover mechanisms that maintain connectivity during infrastructure disruption. This domain rotation strategy provides operational continuity even if individual domains are seized, sinkholed, or blocked by defenders.

The use of multiple domains distributed across different registrars and hosting providers complicates takedown operations, as law enforcement or security researchers must coordinate simultaneous action across multiple jurisdictions and service providers to fully disrupt botnet communications. The fallback IP address provides emergency connectivity when all domain-based communications fail, ensuring operators maintain some level of control even during coordinated infrastructure disruption attempts.

Compromised devices beacon system information to command-and-control infrastructure including processor architecture and botnet version identifier. The current version identifier of 1.04 suggests active development and version management, with operators potentially deploying updates and improvements over time. Architecture reporting enables operators to manage their bot population, understanding the composition of compromised devices and potentially tailoring attack strategies or payload deployments based on victim system characteristics.

DDoS Attack Capabilities

Masjesu implements 13 distinct DDoS attack vectors, providing tactical flexibility for operators conducting attacks against diverse target infrastructures. UDP flood attacks generate high volumes of User Datagram Protocol traffic to overwhelm victim bandwidth and exhaust network resources. TCP SYN floods exploit the three-way handshake mechanism by sending connection requests without completing handshakes, exhausting server connection tables. TCP ACK floods target established connections and stateful firewalls with unsolicited acknowledgment packets.

HTTP application-layer attacks generate seemingly legitimate web requests to overwhelm web servers, application servers, and content delivery network resources. Generic Routing Encapsulation protocol attacks target network infrastructure and VPN services. ICMP floods generate high volumes of ping traffic to consume bandwidth and processing resources. Internet Group Management Protocol attacks target multicast routing infrastructure.

Open Shortest Path First protocol exploitation targets routing infrastructure through malformed or excessive OSPF packets, potentially disrupting routing table calculations and causing network instability. Remote Desktop Protocol floods target Windows terminal services and remote access infrastructure. Valve Source Engine attacks specifically target gaming servers running Source Engine games including Counter-Strike, Team Fortress, and Garry’s Mod, demonstrating specialized capability against gaming infrastructure.

The botnet has demonstrated attack generation capacity exceeding 290 Gbps from its distributed infrastructure, representing significant volumetric attack potential capable of disrupting enterprise networks, content delivery infrastructure, and internet service provider capacity. This attack volume places Masjesu among capable mid-tier DDoS-for-hire platforms, though below the capacity of the largest IoT botnets that have demonstrated terabit-scale attacks.

Strategic Restraint and Longevity

Masjesu’s operators demonstrate sophisticated understanding of law enforcement priorities and operational security through deliberate exclusion of U.S. Department of Defense, federal government, and critical government infrastructure IP address ranges from scanning operations. This strategic restraint reduces the probability of triggering high-priority law enforcement investigation or military cyber response operations that might result in rapid infrastructure takedown, operator attribution, or legal consequences.

By avoiding targets that would attract disproportionate government attention, Masjesu operators extend the botnet’s operational lifespan and reduce personal risk. This calculated approach to target selection suggests professional threat actors with understanding of law enforcement resource allocation and prioritization, potentially indicating cybercriminal experience or consultation with knowledgeable advisors.

The commercial DDoS-for-hire business model marketed through Telegram channels indicates profit-motivated operations rather than ideological or state-sponsored activity. The Telegram marketing approach provides anonymous customer acquisition and payment processing through cryptocurrency or other anonymous payment methods, enabling monetization while maintaining operator anonymity and reducing law enforcement attribution opportunities.

Recommendations

Patch IoT Firmware Immediately

Organizations must implement comprehensive IoT firmware update programs covering all D-Link, GPON, Netgear, Huawei, TP-Link, Eir, Realtek, and Vacron devices within their networks. Masjesu exploits known vulnerabilities including CVE-2018-10561, CVE-2018-10562, and CVE-2024-12847 to achieve initial compromise, and applying vendor-provided firmware updates eliminates these entry points. Organizations should establish regular firmware update schedules and inventory all IoT devices to ensure comprehensive patch coverage.

Replace Default and Weak Credentials on IoT Devices

All default usernames and passwords on routers, gateways, digital video recorders, and network video recorders must be changed immediately following device deployment. Botnet operators routinely conduct brute-force attacks against factory-default credentials that are publicly documented in manufacturer manuals and online databases. Strong, unique passwords should be implemented for each device, and credential management systems should track IoT device authentication information to prevent credential reuse across devices.

Monitor for Suspicious Cron Job Creation

Security teams must implement audit procedures for cron schedules on Linux-based IoT and embedded devices, specifically monitoring for unexpected entries executing binaries every 15 minutes. Particular attention should be paid to cron jobs referencing paths resembling legitimate system components such as “usr/lib/ld-unix.so.2” that may indicate process name spoofing. Baseline cron configurations should be documented for all IoT devices, with automated alerting for deviations from approved scheduling patterns.
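A crontab audit implementing the check above, as an added example rather than the report's code. It flags any entry on a 15-minute lattice (not just the literal `*/15`), entries whose program path lacks a leading slash (the `usr/lib/ld-unix.so.2` form quoted in the report) or lives in a writable staging directory, and anything outside a documented baseline; the baseline set and the crontab text are constructed assumptions.

```python
"""Audit crontab text for the persistence pattern the report attributes to
Masjesu. Added example, not the report's code; BASELINE and the sample
crontab are constructed assumptions."""
import shlex

BASELINE = {"/usr/sbin/logrotate", "/usr/bin/ntpdate"}  # assumed approved jobs
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def expand_minutes(field: str) -> set[int]:
    """Expand a cron minute field ('*/15', '0,15,30,45', '5-59/15') to minutes."""
    minutes = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            lo, hi = 0, 59
        elif "-" in rng:
            lo, hi = (int(x) for x in rng.split("-"))
        else:
            lo = int(rng)
            hi = 59 if step > 1 else lo  # '5/15' treated like '5-59/15'
        minutes.update(range(lo, hi + 1, step))
    return minutes


def fires_every_15_min(schedule: str) -> bool:
    """True for any schedule firing four times an hour on a 15-minute lattice
    (*/15, 0,15,30,45, 7,22,37,52, ...) with all other fields '*'."""
    fields = schedule.split()
    if len(fields) != 5 or any(f != "*" for f in fields[1:]):
        return False
    minutes = expand_minutes(fields[0])
    return len(minutes) == 4 and len({m % 15 for m in minutes}) == 1


def audit_crontab(text: str, baseline=BASELINE) -> list[tuple[str, list[str]]]:
    """Return (entry, reasons) for every job that deviates from the baseline."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                   # @reboot, @hourly, ...
            schedule, _, command = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue                            # env assignment or malformed
            schedule, command = " ".join(parts[:5]), parts[5]
        try:
            prog = shlex.split(command)[0]          # the path that gets executed
        except (ValueError, IndexError):
            continue
        if prog in baseline:
            continue                                # approved job, any cadence
        reasons = ["not in documented baseline"]
        if fires_every_15_min(schedule):
            reasons.append("15-minute re-execution cadence")
        if prog.startswith(STAGING_DIRS):
            reasons.append("program in writable staging dir")
        elif not prog.startswith("/"):
            reasons.append("relative program path (missing leading '/')")
        findings.append((line, reasons))
    return findings


# Constructed crontab; ld-unix.so.2 is the masquerade name quoted in the report.
SAMPLE_CRONTAB = """\
PATH=/usr/bin:/bin
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/15 * * * * usr/lib/ld-unix.so.2 > /dev/null 2>&1
7,22,37,52 * * * * /tmp/.x86 -s
@reboot /usr/bin/ntpdate ntp.example.invalid
"""

if __name__ == "__main__":
    for entry, reasons in audit_crontab(SAMPLE_CRONTAB):
        print(entry, "->", "; ".join(reasons))
```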

Detect Process Name Spoofing

File integrity monitoring and process auditing systems should be deployed to detect when running process names are altered to impersonate legitimate system components. Cross-referencing running process names against their actual binary file paths reveals spoofing attempts where process names claim to be system components but execute from non-standard locations. Security teams should implement automated validation comparing running processes against known-good system binary locations and alerting on discrepancies.
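One way to implement this cross-check on Linux, serving both the masquerade description earlier (the `systemd-journald` and `ld-unix.so.2` names) and the recommendation above; this is an added example, not the report's code. A process can rewrite its argv[0] and comm name, but `/proc/<pid>/exe` is resolved by the kernel to the file that was actually executed, so the two are compared; the trusted and staging directory lists are assumptions to tune to the device's firmware layout.

```python
"""Flag processes whose presented name impersonates a system component.
Added example, not the report's code. Assumes a Linux /proc filesystem;
TRUSTED_DIRS and STAGING_DIRS are assumptions for a typical firmware layout."""
import os
from typing import Optional

TRUSTED_DIRS = ("/bin/", "/sbin/", "/lib/", "/lib64/", "/usr/bin/", "/usr/sbin/",
                "/usr/lib/", "/usr/lib64/", "/usr/libexec/")
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/dev/", "/run/", "/var/run/",
                "/data/local/tmp/")


def classify(claimed: str, exe: Optional[str]) -> Optional[str]:
    """Return a finding for one process, or None.

    claimed: the name the process presents (argv[0] from cmdline, or comm).
    exe:     target of /proc/<pid>/exe, or None if unreadable (kernel thread,
             insufficient privilege): no evidence either way, so no finding.
    """
    if exe is None:
        return None
    deleted = exe.endswith(" (deleted)")
    real = exe[: -len(" (deleted)")] if deleted else exe
    # Normalise the leading-slash-less form the report quotes ("usr/lib/...").
    claimed_path = "/" + claimed.lstrip("/")
    if real.startswith(STAGING_DIRS):
        return f"'{claimed}' executes from writable staging dir {real}"
    if deleted:
        return f"'{claimed}' backing file {real} was unlinked after exec"
    if claimed_path.startswith(TRUSTED_DIRS) and not real.startswith(TRUSTED_DIRS):
        return f"'{claimed}' claims a system path but kernel maps {real}"
    return None


def scan_proc(proc: str = "/proc") -> list[tuple[int, str, str]]:
    """Walk /proc and return (pid, claimed_name, finding) for suspicious entries."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, pid)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                argv0 = fh.read().split(b"\0", 1)[0].decode("utf-8", "replace")
        except OSError:
            continue  # process exited mid-scan
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = None  # kernel thread, zombie, or no privilege
        finding = classify(argv0, exe)
        if finding:
            findings.append((int(pid), argv0, finding))
    return findings


if __name__ == "__main__":
    for pid, name, finding in scan_proc():
        print(f"pid {pid}: {finding}")
```

Run as root so that every `exe` link is readable; unreadable links are skipped rather than reported, so an unprivileged run can miss findings.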

Alert on the “masjesu” User-Agent String

Web proxies, intrusion detection systems, intrusion prevention systems, and network monitoring tools must be configured to flag HTTP traffic containing the user-agent string “masjesu,” which represents a distinctive fingerprint of Masjesu botnet exploit payloads and communication attempts. This hardcoded user-agent provides a reliable indicator that can be detected through signature-based monitoring, enabling identification of both compromise attempts and post-infection command-and-control traffic.

Monitor for Anomalous Outbound DDoS Traffic

Network security teams must deploy traffic analysis capabilities specifically configured to detect high-volume outbound UDP, TCP SYN, GRE, ICMP, and HTTP flood patterns originating from internal IoT device network segments. Masjesu has demonstrated DDoS attack throughput exceeding 290 Gbps from its distributed infrastructure, and compromised internal devices will generate abnormal outbound traffic volumes inconsistent with typical IoT device behavior. Baseline traffic profiles should be established for IoT segments, with automated alerting for traffic volume anomalies or protocol abuse patterns.

Restrict TCP Port 55988

Network access control lists and firewall rules should block or heavily monitor traffic on TCP port 55988, which Masjesu uses as a hardcoded listener port for direct attacker connectivity to compromised devices. Legitimate IoT devices have no operational requirement for this port, making blocking a low-risk defensive measure. Monitoring for connection attempts to this port can provide early warning of compromise attempts or identify already-compromised devices attempting to establish operator communication channels.

MITRE ATT&CK TTPs

Initial Access

T1190: Exploit Public-Facing Application

Execution

T1059: Command and Scripting Interpreter

  • T1059.004: Unix Shell

Persistence

T1053: Scheduled Task/Job

  • T1053.003: Cron

T1543: Create or Modify System Process

Defense Evasion

T1036: Masquerading

  • T1036.005: Match Legitimate Name or Location

T1027: Obfuscated Files or Information

  • T1027.013: Encrypted/Encoded File

T1562: Impair Defenses

  • T1562.001: Disable or Modify Tools

Discovery

T1018: Remote System Discovery

T1046: Network Service Discovery

Lateral Movement

T1210: Exploitation of Remote Services

Command and Control

T1071: Application Layer Protocol

  • T1071.001: Web Protocols

T1008: Fallback Channels

T1573: Encrypted Channel

  • T1573.001: Symmetric Cryptography

Impact

T1498: Network Denial of Service

  • T1498.001: Direct Network Flood

Indicators of Compromise (IOCs)

File Hashes (SHA256 – Sample)
Domains
IP Addresses with Ports
  • 158[.]94[.]208[.]122:443
  • 178[.]16[.]54[.]252:443
  • 192[.]168[.]5[.]220:443
