Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting IoT Devices
Masjesu is a commercially operated IoT botnet active since 2023, offering DDoS-for-hire services via Telegram and targeting routers and embedded devices worldwide.
A New DDoS-for-Hire Botnet Hits the Scene
Security researchers have exposed Masjesu, a commercially operated IoT botnet active since 2023. The botnet is marketed as a DDoS-for-hire service on Telegram, allowing anyone with cryptocurrency to launch massive distributed denial-of-service attacks.
Masjesu targets a wide range of IoT devices, including routers, gateways, and embedded hardware, across multiple CPU architectures. It spreads by exploiting default credentials and unpatched vulnerabilities, building a global network of compromised devices.
Multi-Architecture, Multi-Target
What makes Masjesu notable is its breadth. The malware supports multiple processor architectures, meaning it can infect nearly any internet-connected device, from consumer routers to small office equipment. Nearly 50% of its traffic has been traced to Vietnam, with infections spanning the globe.
Once a device is compromised, it becomes a remotely controlled bot capable of participating in coordinated DDoS attacks. The service model lowers the barrier to entry, turning complex cyberattacks into a pay-per-use commodity.
The Booter Service Problem
Masjesu follows the growing booter (or stresser) trend, in which attack capabilities are sold as a service. Telegram channels advertise pricing and attack volume, measured in traffic capacity directed at targets. Anonymous payment via cryptocurrency makes tracking operators and clients difficult for law enforcement.
This trend poses a direct challenge to DDoS protection services like Cloudflare, Akamai, Imperva, and Radware. Organizations relying on AWS WAF or F5 Advanced WAF for application protection need robust DDoS mitigation layered on top.
WAFplanet Take
Masjesu is yet another reminder that IoT security is the weakest link in the DDoS chain. Vendors like Cloudflare and Akamai have the DDoS muscle to absorb these attacks, but organizations running ModSecurity or Coraza without a dedicated DDoS layer are exposed. Change default passwords, update firmware, and segment IoT devices from your core network. The botnet operators are already moving to avoid detection, and this threat will only grow.