
There is a commercial market for attacking your devices. It has a storefront, a price list, customer support on Telegram, and — as of this week — a confirmed capability to flood networks at nearly 300 gigabits per second.

Security researchers at Trellix published a detailed technical analysis of Masjesu, a sophisticated IoT botnet that has been operating since at least 2023 and is now firmly established as a commercial DDoS-for-hire service. The botnet targets consumer and industrial routers, network gateways, and edge devices — and has recently expanded its extortion operations to include smart factory floors.

What makes Masjesu worth paying close attention to is not just its scale, but its deliberate design for long-term survival. This is not a blunt instrument. It is a carefully engineered platform built to avoid detection, evade blocklists, and remain embedded in victim networks for as long as possible.


What Masjesu Is and How It Works

Masjesu — also tracked under the alias XorBot due to its use of XOR-based encryption to conceal strings, configurations, and payload data — is a botnet-as-a-service operation that has been advertised via Telegram since it first surfaced in 2023.

The operational model is straightforward: the Masjesu operators build and maintain the botnet infrastructure, infect victim IoT devices, and then rent attack capacity to customers who want to take a specific target offline. Customers pay for attack duration, volume, and protocol type. The operators handle everything else.

Supported attack types include:

  • TCP SYN, ACK, and ACK/PSH floods
  • UDP floods
  • ICMP and IGMP floods
  • GRE and OSPF protocol floods
  • Valve Source Engine query floods (specifically targeting gaming infrastructure)
  • HTTP floods designed to simulate legitimate browser traffic

The HTTP flood capability is particularly significant for industrial operators — traffic that mimics legitimate browser requests can pass through many network security appliances that rely on signature-based detection.

Supported processor architectures include i386, MIPS, ARM, and AMD64, meaning Masjesu can infect the full range of IoT devices deployed in both consumer and industrial environments — from home routers to industrial gateways to edge computing nodes on factory floors.


The Evasion That Makes It Dangerous

What distinguishes Masjesu from simpler IoT botnets is its deliberate approach to staying alive.

DoD IP avoidance. The botnet’s command-and-control infrastructure maintains a blocklist of IP ranges belonging to the Department of Defense and other high-profile security research organizations. Traffic is specifically routed to avoid scanning or detection by these entities. This is not accidental — it reflects deliberate operational security designed to extend the botnet’s lifespan.

Low-profile infection strategy. Rather than infecting as many devices as possible as quickly as possible — the approach that gets botnets discovered and shut down — Masjesu favors careful, targeted infection. Researchers describe it as prioritizing “stealth over scale” in initial infection phases. The result is a botnet that is harder to detect and survives longer.

XOR encryption of all communications. Configuration data, command traffic, and payload data are encrypted using XOR-based schemes that obscure the botnet’s presence from network monitoring tools that look for plaintext signatures.
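The flip side of XOR obfuscation is that it is cheap for an analyst to undo. The following is an added illustration, not Trellix's tooling and not Masjesu's actual scheme: the article only says XorBot hides strings and config with XOR, so the single-byte key, the crib strings and the `k=v;k=v` config layout are constructed assumptions used to show the analyst-side workflow of recovering a key by known-plaintext search.

```python
"""Recover XOR-obfuscated strings from an IoT bot sample (analyst side).

Added example: the key (0x5A), the config layout and the crib list are
constructed assumptions, not Masjesu's real encoding.
"""
import re
from typing import Dict, List, Optional

IPV4_PORT = re.compile(rb"\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}")
# Strings an analyst expects inside a Linux IoT bot; a hit confirms the key.
CRIBS = [b"/proc/", b"busybox", b"/dev/watchdog"]

# Constructed sample blob: a made-up config obfuscated with key 0x5A.
_KEY = 0x5A
_CONFIG = b"c2=192.0.2.10:443;arch=mipsel;attack=ack_flood;proc=/proc/net/tcp\x00"
SAMPLE_BLOB = bytes(b ^ _KEY for b in _CONFIG)


def xor_single(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def find_key(blob: bytes, cribs=CRIBS) -> Optional[int]:
    """Brute-force all 256 single-byte keys; return the first whose
    decoding contains a crib string or an IPv4:port pair."""
    for key in range(256):
        plain = xor_single(blob, key)
        if any(c in plain for c in cribs) or IPV4_PORT.search(plain):
            return key
    return None


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Pull printable ASCII runs, like `strings`, from decoded bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode() for m in re.findall(pattern, data)]


def parse_config(blob: bytes) -> Dict[str, str]:
    """Decode and split the constructed 'k=v;k=v' layout into a dict."""
    key = find_key(blob)
    if key is None:
        raise ValueError("no single-byte XOR key matched the cribs")
    text = xor_single(blob, key).rstrip(b"\x00").decode("ascii", "replace")
    return dict(item.split("=", 1) for item in text.split(";") if "=" in item)


if __name__ == "__main__":
    k = find_key(SAMPLE_BLOB)
    print(f"key=0x{k:02x}", extract_strings(xor_single(SAMPLE_BLOB, k)))
    print(parse_config(SAMPLE_BLOB))
```

For a multi-byte or rolling key the same crib approach applies per key position; the point is that XOR hides strings from signature scanners, not from anyone who has the sample.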

Persistence mechanisms. Once installed on a device, Masjesu uses multiple persistence techniques to survive reboots, firmware update attempts, and basic device resets. Victims who think they’ve cleaned an infected device may find the infection returning.


The Smart Factory Angle

Until recently, Masjesu’s operations were primarily focused on consumer infrastructure — home routers, broadband gateways, and consumer-grade networking equipment. The Trellix research reveals a concerning expansion.

Masjesu has begun targeting smart factory floor environments for extortion.

The mechanism is straightforward but effective: infect enough devices connected to a manufacturing operation’s network, then threaten to launch a DDoS attack against operational systems unless a ransom is paid. For a manufacturing facility where downtime costs tens of thousands of dollars per hour, the calculus becomes uncomfortable — particularly if the alternative is an operational technology network flooded with 290 Gbps of junk traffic.

This represents a meaningful evolution in IoT botnet operations. Historically, OT and manufacturing environments were targeted primarily by ransomware operators who encrypted data and demanded payment for decryption keys. Masjesu’s model is different — it doesn’t require encryption, doesn’t require persistence in OT systems specifically, and doesn’t even require a successful breach of production networks. It only requires the ability to flood them.

This changes the threat model for industrial operators in ways that deserve attention:

Traditional OT security focuses on protecting against intrusion — keeping attackers out of SCADA systems, PLCs, and industrial networks. DDoS-based extortion attacks this boundary from the outside. The attacker doesn’t need to be inside your OT network to threaten it.


Scale: What 290 Gbps Actually Means

In October 2025, Masjesu operators posted screenshots of attack metrics to their Telegram channel demonstrating a 290 Gbps ACK flood. To put that number in context:

  • A typical enterprise internet connection provides 1–10 Gbps of bandwidth
  • Most enterprise DDoS mitigation services start to struggle above 100 Gbps without upstream scrubbing
  • 290 Gbps is sufficient to saturate the internet connectivity of most industrial facilities, most commercial data centers, and most mid-tier cloud provider points of presence

The geographic distribution of the botnet is global. Vietnam provides approximately half of the attack traffic, with significant contributions from Ukraine, Iran, Brazil, Kenya, and India. This distribution is both a reflection of where unpatched IoT devices are concentrated globally and a deliberate strategy to make traffic filtering more difficult — blocking entire country ranges causes collateral damage.


Which Devices Are Being Infected

Masjesu targets devices across multiple categories:

Consumer and SOHO routers — particularly models from manufacturers with slow or inconsistent firmware update cadences. Devices from TP-Link, Netgear, D-Link, and similar consumer brands that have been deployed without firmware updates are primary targets.

Industrial network gateways — the edge devices that bridge OT networks to corporate IT networks or the internet. These are increasingly common in industrial environments as operators seek remote monitoring capabilities, and they often run embedded Linux on MIPS or ARM processors that Masjesu specifically targets.

Network-attached storage devices — NAS devices running exposed management interfaces are a common infection vector.

IoT cameras and access control systems — devices with web-based management interfaces that are internet-exposed or accessible from internal networks compromised by other means.

The common thread is unpatched firmware and default or weak credentials. Masjesu’s infection mechanism relies on known vulnerabilities and credential stuffing — it is not exploiting unknown zero-days. This means that organizations that maintain firmware updates and enforce strong credential policies are substantially less exposed.


What Industrial Operators Should Do

1. Audit your network edge devices. Every gateway, router, and network device that bridges your OT network to any external network should be inventoried, firmware-updated, and assessed for internet exposure. Pay particular attention to devices installed by vendors or integrators that may not have been included in your standard patching cycles.

2. Change all default credentials. Masjesu’s infection vector depends on default or weak credentials. This is the single highest-leverage action available — changing factory-default passwords on all network devices closes one of the primary infection routes immediately.

3. Implement DDoS mitigation at your internet perimeter. If your industrial operation depends on internet connectivity for any operational function — remote monitoring, vendor access, cloud SCADA, or similar — ensure you have upstream DDoS mitigation in place. Cloud-based scrubbing services (Cloudflare Magic Transit, Akamai Prolexic, or similar) can absorb volumetric attacks before they reach your infrastructure.

4. Segment OT networks from internet-facing infrastructure. Your PLCs, SCADA systems, and production networks should not be reachable from internet-facing segments. Network segmentation with properly configured firewalls means that even a successful DDoS against your internet-facing infrastructure doesn’t necessarily reach your operational systems.

5. Monitor for botnet indicators. The Trellix research includes specific indicators of compromise (IOCs) for Masjesu. Ensure your security monitoring tools are ingesting current threat intelligence feeds that include these IOCs, and investigate any alerts promptly.

6. Have a DDoS response plan. If you receive a ransom demand threatening a DDoS attack against your operations, you should already know what you’re going to do. This means having pre-arranged agreements with your ISP for emergency bandwidth, knowing which upstream mitigation services you can activate, and having a decision framework for how to respond to extortion demands. Developing that plan after you receive the demand is too late.


The Broader Picture

Masjesu is one data point in a larger trend: the commoditization of cyber attacks against industrial and operational technology environments.

The barrier to launching a sophisticated attack against industrial infrastructure is falling. Five years ago, a 290 Gbps DDoS attack against a manufacturing facility would have required significant technical capability and infrastructure. Today, it requires a Telegram account and a payment.

This commoditization changes the threat landscape in two important ways. First, the population of potential attackers expands dramatically — you no longer need state-level capability to threaten industrial operations. Second, the economics shift in favor of attackers — when attack capacity is cheap and widely available, the volume of attacks increases even if individual attack sophistication stays flat.

Industrial operators who have historically dismissed cyber threats as the concern of IT departments rather than operations teams need to recalibrate. The attack surface has expanded to include your routers, your gateways, your edge devices, and your network perimeter — and the commercial market for attacking them is open for business.


Technical details in this article are drawn from Trellix research on the Masjesu botnet published April 8, 2026, and corroborating reporting from Security Affairs and SecurityWeek. Organizations should consult current threat intelligence feeds for the latest IOCs and mitigation guidance.