Cybersecurity researchers have lifted the curtain on a stealthy botnet that's designed for distributed denial-of-service (DDoS) attacks. Called Masjesu, the botnet has been advertised via Telegram as a DDoS-for-hire service since it first surfaced in 2023. It's capable of targeting a wide range of IoT devices, such as routers and gateways, spanning multiple architectures. "Built for persistence and low visibility, Masjesu favors careful, low-key execution over widespread infection, deliberately avoiding blocklisted IP ranges such as those belonging to the Department of Defense (DoD) to ensure long-term survival," Trellix security researcher Mohideen Abdul Khader F said in a Tuesday report. It's worth noting that the commercial offering also goes by the moniker XorBot owing to its use of XOR-based encryption to conceal strings, configurations, and payload data. It was first documented by Chinese security vendor NSFOCUS in December 2023, linking it to an operator named "synmaestro." A subsequent iteration of the botnet observed a year later was found to have added 12 different command injection and code execution exploits to target routers, cameras, DVRs, and NVRs from D-Link, Eir, GPON, Huawei, Intelbras, MVPower, NETGEAR, TP-Link, and Vacron, and obtain initial access. Also added were new modules to conduct DDoS flood attacks. "As an emerging botnet family, XorBot is showing a strong growth momentum, continuously infiltrating and controlling new IoT devices," NSFOCUS said in November 2024. "Notably, these controllers are increasingly inclined to use social media platforms such as Telegram as the main channels for recruitment and promotion, attracting target 'customers' through initial active promotional activities, laying a solid foundation for the subsequent expansion and development of the botnet." The latest findings from Trellix show that Masjesu has marketed the ability to carry out volumetric DDoS attacks, emphasizing its diverse botnet infrastructure and its suitability for targeting content delivery networks (CDNs), game servers, and enterprises. Attacks mounted by the botnet primarily originate from Vietnam, Ukraine, Iran, Brazil, Kenya, and India, with Vietnam accounting for nearly 50% of the observed traffic. Once deployed on a compromised device, the malware moves to create and bind a socket with a hard-coded TCP port (55988) to enable the attacker to connect directly. If this operation fails, the attack chain is immediately killed. Oth