Masjesu Rising: The Commercial IoT Botnet Built for Stealth, DDoS, and IoT Evasion

    Date: 04/08/2026

    Severity: Medium

    Summary

    Masjesu is a commercially operated IoT botnet active since 2023, offering DDoS-for-hire services through Telegram. It targets a wide range of routers and embedded devices across multiple architectures, using vulnerability exploitation and scanning for propagation. Designed for stealth and persistence, the botnet employs obfuscation techniques, avoids high-profile networks, and maintains resilient C2 infrastructure. Its continued evolution and active promotion highlight a mature, low-profile threat focused on long-term operation and scalable DDoS capabilities.

    Indicators of Compromise (IOC) List

    Domains/URLs

    conn.masjesu.zip

    Gpbtpz.rodeo

    conn.elbbird.zip

    starlight.fans

    satanshop.net

    conn.f12screenshot.xyz

    IP Addresses

    158.94.208.122

    178.16.54.252

    192.168.5.220

    Hashes (SHA-256)

    f39b67fff1f106fb1b4fa9beb386427c8e7eb010f306ad0445da70bffc855f2e

    dfd830368724f6abcc542bc8b85e3d5fa2aedf8282d3805d0d6d53f45c7e0937

    de5fb68023465cb5d8ace412e11032d98a41bd6af2a83245c046020530130496

    d8018e31b77b135ed300a988757f409347d013b76f9c9a4972e48cb715f45967

    cb4a3665ebd12bdb094b9fc188793c67ec3008363a49b1dde00d488b54df984b

    b53d4781bbadb17014da280e274e11f2de9063a35f2eabd32d4596707b147306

    4190491b9006404cab256d66125bd77b1c3a0e63451fbb3d829617d7e87acc9b

    85758df12964024af3ae829e3630f9ad5de7c55dae00181198033da8816e3293

    8340ff8920412a70f0c29cdf72f6f218e61142b3f210e70e24811c413971a8ed

    620f6949b82f9ef987b7511fbbb09c2da57d8be47b019fa6a9686ce08b4c3e70

    87f11a3ee2486bc4845a28465c2e70d2d9f98725edf4a73c3359c23a43ed74b7

    9c683b0be86d4cd274a7a16073bdf092218f259b055a72f848d589574e9b8084

    8ce9145fee0d3d2444554d901b334c36e71bb1346280ada7ff366cf9d25c5938

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "Gpbtpz.rodeo" or url like "Gpbtpz.rodeo" or siteurl like "Gpbtpz.rodeo"
    or domainname like "conn.elbbird.zip" or url like "conn.elbbird.zip" or siteurl like "conn.elbbird.zip"
    or domainname like "starlight.fans" or url like "starlight.fans" or siteurl like "starlight.fans"
    or domainname like "conn.masjesu.zip" or url like "conn.masjesu.zip" or siteurl like "conn.masjesu.zip"
    or domainname like "satanshop.net" or siteurl like "satanshop.net" or url like "satanshop.net"
    or domainname like "conn.f12screenshot.xyz" or siteurl like "conn.f12screenshot.xyz" or url like "conn.f12screenshot.xyz"

    Detection Query 2:

    dstipaddress IN ("158.94.208.122","178.16.54.252","192.168.5.220")
    or srcipaddress IN ("158.94.208.122","178.16.54.252","192.168.5.220")

    Detection Query 3:

    sha256hash IN (
    "b53d4781bbadb17014da280e274e11f2de9063a35f2eabd32d4596707b147306",
    "4190491b9006404cab256d66125bd77b1c3a0e63451fbb3d829617d7e87acc9b",
    "de5fb68023465cb5d8ace412e11032d98a41bd6af2a83245c046020530130496",
    "620f6949b82f9ef987b7511fbbb09c2da57d8be47b019fa6a9686ce08b4c3e70",
    "87f11a3ee2486bc4845a28465c2e70d2d9f98725edf4a73c3359c23a43ed74b7",
    "8340ff8920412a70f0c29cdf72f6f218e61142b3f210e70e24811c413971a8ed",
    "8ce9145fee0d3d2444554d901b334c36e71bb1346280ada7ff366cf9d25c5938",
    "d8018e31b77b135ed300a988757f409347d013b76f9c9a4972e48cb715f45967",
    "dfd830368724f6abcc542bc8b85e3d5fa2aedf8282d3805d0d6d53f45c7e0937",
    "cb4a3665ebd12bdb094b9fc188793c67ec3008363a49b1dde00d488b54df984b",
    "85758df12964024af3ae829e3630f9ad5de7c55dae00181198033da8816e3293",
    "9c683b0be86d4cd274a7a16073bdf092218f259b055a72f848d589574e9b8084",
    "f39b67fff1f106fb1b4fa9beb386427c8e7eb010f306ad0445da70bffc855f2e"
    )
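    The three queries above are plain indicator matches on domain, IP and hash fields. As an added example that is not part of the Gurucul advisory or the Trellix research it references, the following Python applies the same logic to a handful of constructed JSON log records. It assumes the platform's `like` behaves as a case-insensitive substring match (an assumption about the query semantics, not something the page states), lowercases hashes and host names before comparing, and marks a hit on 192.168.5.220 as low confidence because that address is in RFC 1918 private space and will appear in many unrelated networks; the field names (`domainname`, `url`, `siteurl`, `srcipaddress`, `dstipaddress`, `sha256hash`) are taken from the queries, and the `event_id` key and all log records are constructed for this example.

```python
"""Apply the Masjesu IOC matches from the advisory to constructed JSON log records."""
import ipaddress
import json

# Indicators copied from the advisory's IOC list. DNS names are case-insensitive,
# so they are stored lowercased and compared against lowercased log values.
MASJESU_DOMAINS = sorted({
    "conn.masjesu.zip", "gpbtpz.rodeo", "conn.elbbird.zip",
    "starlight.fans", "satanshop.net", "conn.f12screenshot.xyz",
})
MASJESU_IPS = {"158.94.208.122", "178.16.54.252", "192.168.5.220"}
MASJESU_SHA256 = {
    "f39b67fff1f106fb1b4fa9beb386427c8e7eb010f306ad0445da70bffc855f2e",
    "dfd830368724f6abcc542bc8b85e3d5fa2aedf8282d3805d0d6d53f45c7e0937",
    "de5fb68023465cb5d8ace412e11032d98a41bd6af2a83245c046020530130496",
    "d8018e31b77b135ed300a988757f409347d013b76f9c9a4972e48cb715f45967",
    "cb4a3665ebd12bdb094b9fc188793c67ec3008363a49b1dde00d488b54df984b",
    "b53d4781bbadb17014da280e274e11f2de9063a35f2eabd32d4596707b147306",
    "4190491b9006404cab256d66125bd77b1c3a0e63451fbb3d829617d7e87acc9b",
    "85758df12964024af3ae829e3630f9ad5de7c55dae00181198033da8816e3293",
    "8340ff8920412a70f0c29cdf72f6f218e61142b3f210e70e24811c413971a8ed",
    "620f6949b82f9ef987b7511fbbb09c2da57d8be47b019fa6a9686ce08b4c3e70",
    "87f11a3ee2486bc4845a28465c2e70d2d9f98725edf4a73c3359c23a43ed74b7",
    "9c683b0be86d4cd274a7a16073bdf092218f259b055a72f848d589574e9b8084",
    "8ce9145fee0d3d2444554d901b334c36e71bb1346280ada7ff366cf9d25c5938",
}

# Field names as used in the advisory's detection queries.
DOMAIN_FIELDS = ("domainname", "url", "siteurl")   # Query 1
IP_FIELDS = ("srcipaddress", "dstipaddress")        # Query 2
HASH_FIELDS = ("sha256hash",)                       # Query 3


def match_record(rec):
    """Return a list of IOC hits for one parsed log record (empty if clean)."""
    hits = []
    # Query 1: `like` treated as case-insensitive substring match (assumption).
    for field in DOMAIN_FIELDS:
        value = str(rec.get(field, "")).lower()
        for domain in MASJESU_DOMAINS:
            if domain in value:
                hits.append({"field": field, "type": "domain", "ioc": domain,
                             "low_confidence": False})
    # Query 2: exact IP membership; private-range IOCs are flagged because they
    # are not globally unique and match legitimate hosts in other networks.
    for field in IP_FIELDS:
        value = rec.get(field)
        if value in MASJESU_IPS:
            private = ipaddress.ip_address(value).is_private
            hits.append({"field": field, "type": "ip", "ioc": value,
                         "low_confidence": private})
    # Query 3: exact SHA-256 membership, normalised to lowercase hex.
    for field in HASH_FIELDS:
        value = str(rec.get(field, "")).lower()
        if value in MASJESU_SHA256:
            hits.append({"field": field, "type": "sha256", "ioc": value,
                         "low_confidence": False})
    return hits


def scan_log(lines):
    """Parse JSON lines and return [(event_id, hits)] for records with hits.

    Malformed lines are skipped rather than aborting the scan.
    """
    results = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits = match_record(rec)
        if hits:
            results.append((rec.get("event_id"), hits))
    return results


# Constructed sample records for this example; not real telemetry.
SAMPLE_LOG = [
    '{"event_id": "evt-1", "domainname": "conn.masjesu.zip", '
    '"url": "http://conn.masjesu.zip/update", "dstipaddress": "203.0.113.9"}',
    '{"event_id": "evt-2", "srcipaddress": "10.20.30.40", "dstipaddress": "178.16.54.252"}',
    '{"event_id": "evt-3", "srcipaddress": "192.168.5.220", "dstipaddress": "10.20.30.41"}',
    '{"event_id": "evt-4", "sha256hash": '
    '"F39B67FFF1F106FB1B4FA9BEB386427C8E7EB010F306AD0445DA70BFFC855F2E"}',
    '{"event_id": "evt-5", "url": "https://example.com/", "dstipaddress": "10.0.0.5", '
    '"sha256hash": "0000000000000000000000000000000000000000000000000000000000000000"}',
    'this line is not json',
]

if __name__ == "__main__":
    for event_id, hits in scan_log(SAMPLE_LOG):
        for hit in hits:
            tag = " (low confidence: private IP)" if hit["low_confidence"] else ""
            print(f"{event_id}: {hit['type']} {hit['ioc']} in {hit['field']}{tag}")
```

    Running it reports evt-1 (domain, from both the domainname and url fields), evt-2 (public IP), evt-3 (private IP, flagged low confidence) and evt-4 (hash, despite the uppercase hex), and nothing for evt-5 or the malformed line. The low-confidence flag is the point to carry into a real deployment: a hit on 192.168.5.220 alone should trigger review of the host, not an incident on its own.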

    Reference:

    https://www.trellix.com/blogs/research/masjesu-rising-stealth-iot-botnet-ddos-evasion/


    Tags

    Malware, Botnet, DDoS Attacks, Telegram, Exploitation, Obfuscation
