Unpatched industrial IoT devices are exposing smart factory floors to commercial botnet extortion and severe operational downtime.
Operational technology environments are wiring millions of smart sensors, connected actuators, and IP cameras into their infrastructure. Building a responsive IIoT requires an army of routing hardware and edge gateways to funnel that telemetry back to central servers. That hardware creates a massive, poorly defended attack surface.
Trellix researchers are currently tracking the Masjesu botnet, a threat showing exactly how cybercriminals monetise this specific IoT periphery. Active since early 2023 and continuing into 2026, Masjesu operates as a DDoS-for-hire service, sold directly to buyers through Telegram channels.
Standard malware often goes for fast, noisy infections on desktop machines or standard servers. Masjesu behaves differently. The operators built it for stealth and long-term survival specifically on embedded IoT systems. It hunts for the processor architectures routinely running smart meters, warehouse robotics, and facility surveillance tools, including i386, MIPS, ARM, and AMD64.
The operators rent out this compromised IoT network, giving clients the firepower to launch network floods reaching hundreds of gigabits per second. For an industrial facility relying on continuous IoT data streams for automated logistics, a hit from this botnet equals unmanageable downtime.
Bridging legacy operational systems with modern IIoT platforms requires edge devices that often lack native security monitoring. Masjesu thrives in these blind spots. Plant managers frequently hesitate to apply routine firmware updates to peripheral smart devices, fearing a patch might disrupt a fragile production process. Cybercriminals rely on this hesitation to build their botnets out of forgotten surveillance cameras and neglected environmental sensors.
When smart sensors become hostile nodes
Hooking factory hardware to internet-facing connections leaves exploitable gaps. Masjesu actively looks for these weaknesses by scanning random IP addresses to find unpatched IoT gateways and embedded systems.
Facilities deploy these devices to aggregate temperature readings, monitor flow rates, or give remote access to maintenance contractors. When compromised, those peripheral assets turn into hostile nodes. They stop performing their intended industrial functions and instead attack the host network or join external assaults.
The volume of traffic this botnet generates will overwhelm well-provisioned industrial networks. In October 2025, the operators showed off an ACK flood attack hitting roughly 290 gigabits per second, translating to 290 million packets per second. If a regional utility provider or a highly automated logistics hub takes that hit, the latency immediately severs the link between physical sensors and the central control room.
Automated production lines need constant data exchange to run safely. Network flooding halts production output and puts physical equipment safety at risk. Once connected factory-floor monitors devote their processing power to a DDoS attack, supply chain disruption follows immediately.
The botnet runs on a globally distributed infrastructure. Telemetry shows nearly 50 percent of the attack traffic coming from Vietnam, with the rest scattered across networks in Ukraine, Iran, Brazil, Kenya, and India. This geographic spread makes it incredibly tough for standard enterprise firewalls to drop the bad traffic without also blocking legitimate operational data coming from international supply chain partners. Security teams end up struggling to maintain uptime while sifting through millions of spoofed IoT requests.
Concealing malware in low-power architecture
Securing a fleet of IoT devices demands hardware sustainability and strict access controls. Masjesu actively breaks both.
The malware uses XOR-based encryption to hide its command-and-control instructions, concealing strings, configurations, and payload data. This method easily bypasses the basic static detection tools occasionally deployed on corporate networks. The initial payload only decrypts at runtime, using a multi-stage XOR sequence with specific keys to reveal domains, IP addresses, and directory paths.
After execution on a smart gateway or sensor, the botnet starts aggressive persistence routines to hijack the hardware. It forks a new process and renames the original executable path to look like a standard 32-bit Linux dynamic linker: /usr/lib/ld-unix.so.2. It then sets up a scheduled task, writing a cron job that runs this disguised process every 15 minutes. The malware converts the process into a background daemon, allowing it to run invisibly on low-resource IoT operating systems and survive power cycles.
The process then rewrites its command-line argument value (argv[0]) to /usr/lib/systemd/systemd-journald so that it blends into the background of a standard industrial controller. The malware actively attacks the host environment to protect itself. It kills rival processes, especially those with filenames containing the string i386, and terminates administrative tools like wget, curl, and sshd.
Taking out the secure shell daemon intentionally stops OT engineers from remotely logging into the infected hardware to fix the problem. It then restricts file permissions in the shared temporary directory to chmod 400, locking the space to read-only access so it maintains absolute control over the embedded device.
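As an added example (not from the Trellix report or this article), the host-side checks below look for the persistence artifacts just described: a cron job running the fake /usr/lib/ld-unix.so.2 linker every 15 minutes, a process advertising itself as systemd-journald whose on-disk executable is somewhere else, and a /tmp that has lost its normal 1777 mode. The sample crontab and process table are constructed, and the function names are my own.

```python
# Host-side checks for the Masjesu persistence artifacts described above.
# Sample data below is constructed for this example; on a real host feed in
# `crontab -l` output, /proc/<pid>/cmdline + /proc/<pid>/exe, and os.stat("/tmp").
import re
import stat

DISGUISED_PATH = "/usr/lib/ld-unix.so.2"
JOURNALD_NAME = "systemd-journald"
JOURNALD_DIRS = ("/usr/lib/systemd/", "/lib/systemd/")

def suspicious_cron_entries(crontab_text):
    """Cron lines that launch the fake dynamic linker, or run any /usr/lib
    binary on the 15-minute cadence the article describes."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        schedule, command = fields[:5], fields[5]
        if DISGUISED_PATH in command:
            hits.append(line)
        elif schedule[0] == "*/15" and re.search(r"(^|\s)/usr/lib/\S+", command):
            hits.append(line)
    return hits

def masquerading_processes(processes):
    """PIDs whose argv[0] claims systemd-journald while the on-disk executable
    lives outside the systemd directories, or whose executable is the fake
    linker.  `processes` is a list of (pid, argv0, exe_path) tuples."""
    flagged = []
    for pid, argv0, exe in processes:
        claims_journald = argv0.rsplit("/", 1)[-1] == JOURNALD_NAME
        if exe == DISGUISED_PATH or (claims_journald and not exe.startswith(JOURNALD_DIRS)):
            flagged.append(pid)
    return flagged

def tmp_is_locked_down(mode):
    """True if /tmp lost its sticky world-writable 1777 mode (e.g. after chmod 400)."""
    return stat.S_IMODE(mode) != 0o1777

# Constructed sample data, not taken from a real infection.
SAMPLE_CRONTAB = "0 3 * * * /usr/local/bin/backup.sh\n*/15 * * * * /usr/lib/ld-unix.so.2\n"
SAMPLE_PROCS = [
    (412, "/usr/lib/systemd/systemd-journald", "/usr/lib/systemd/systemd-journald"),
    (2057, "/usr/lib/systemd/systemd-journald", "/usr/lib/ld-unix.so.2"),
    (2301, "sshd", "/usr/sbin/sshd"),
]
```

On a live system, `os.stat("/tmp").st_mode` feeds `tmp_is_locked_down`, and an unexpected True there is a strong signal on its own because nothing legitimate removes the sticky bit from the shared temp directory.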
Fragmented IoT supply chains and firmware neglect
Physical infrastructure heavily relies on a mixed ecosystem of IoT hardware vendors. Masjesu exploits known vulnerabilities across several major manufacturers, proving the danger of delayed patching.
The propagation routine scans for open ports tied to specific IoT hardware profiles. It hunts port 37215 to hit Huawei home gateways, port 49152 for D-Link routers, and port 80 or 8080 for Netgear and GPON vulnerabilities. It explicitly targets connected endpoint services, including Vacron NVRs, CCTV, and digital video recorder systems running on port 81, along with Universal Plug and Play services.
After exploiting a vulnerability, the compromised smart device dials back to a command-and-control server. The latest versions of the botnet rely on a resilient setup of multiple primary domains, such as conn.elbbird.zip and conn.f12screenshot.xyz, backed by fallback IP addresses. The botnet sets a 60-second receive timeout on the socket and waits for a validated encrypted payload. It drops invalid payloads entirely.
The hijacked IoT endpoints respond with their architecture type and the hardcoded version number 1.04, then deploy the network floods. Depending on integer lengths in the payload, attacks range from standard TCP and UDP floods to Generic Routing Encapsulation and Remote Desktop Protocol flooding. The exploit payloads also use a unique user-agent identifier labelled masjesu.
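The propagation and exploit traits above (the fixed set of probed ports and the masjesu user-agent string) are also visible from the network side. As an added example that is not part of the article, the script below flags an internal host probing that port set across many destinations, and HTTP requests carrying the user-agent marker, over constructed flow and web-log lines; the log formats and function names are assumptions for this example.

```python
# Network-side checks for the Masjesu propagation pattern described above.
# Flow and HTTP lines below are constructed for this example, not real telemetry.
from collections import defaultdict

# Ports the article lists as scan targets, with the device class each implies.
MASJESU_PORTS = {37215: "Huawei gateway", 49152: "D-Link router", 81: "NVR/CCTV/DVR",
                 80: "Netgear/GPON", 8080: "Netgear/GPON"}
SCAN_THRESHOLD = 8  # distinct destinations on watched ports before alerting

def parse_flow(line):
    """Parse a constructed flow line: '<ts> <src_ip> <dst_ip> <proto> <dst_port>'."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "dport": int(dport)}

def find_scanners(flow_lines, threshold=SCAN_THRESHOLD):
    """{src_ip: set(ports)} for sources that hit >= threshold distinct destinations
    on the Masjesu port set; an internal sensor doing this is likely infected."""
    targets, ports = defaultdict(set), defaultdict(set)
    for line in flow_lines:
        f = parse_flow(line)
        if f["proto"] == "tcp" and f["dport"] in MASJESU_PORTS:
            targets[f["src"]].add(f["dst"])
            ports[f["src"]].add(f["dport"])
    return {src: ports[src] for src, dsts in targets.items() if len(dsts) >= threshold}

def find_exploit_user_agent(http_lines, marker="masjesu"):
    """(src_ip, path) for requests whose User-Agent carries the botnet identifier.
    Line format: '<src_ip> "<method> <path>" "<user-agent>"'."""
    hits = []
    for line in http_lines:
        src, rest = line.split(" ", 1)
        request, agent = [p for p in rest.split('"') if p.strip()]
        if marker in agent.lower():
            hits.append((src, request.split()[1]))
    return hits

# Constructed sample data: one internal host probing the watched ports across
# many destinations, plus a benign host; then two HTTP requests.
_PROBE_PORTS = [37215, 49152, 81, 8080, 80, 37215, 81, 49152, 37215, 22]
SAMPLE_FLOWS = [f"2025-10-01T10:00:{i:02d} 10.20.5.17 198.51.100.{i + 1} tcp {p}"
                for i, p in enumerate(_PROBE_PORTS)]
SAMPLE_FLOWS.append("2025-10-01T10:01:00 10.20.5.40 10.20.5.1 tcp 443")
SAMPLE_HTTP = [
    '10.20.5.17 "POST /device/probe" "masjesu"',
    '10.20.5.40 "GET /status" "Mozilla/5.0"',
]
```

Ports 80 and 8080 carry plenty of legitimate traffic, so the destination-count threshold, not the port alone, is what separates an infected sensor from a normal client.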
The operators built this threat to stay under the radar of military or federal retaliation. Trellix analysis points out that the malware uses an IP address blocklist filter to explicitly avoid military, federal, and educational networks.
By steering clear of targets like the US Department of Defense, the operators avoid triggering a coordinated international law enforcement response. This calculated restraint keeps the botnet running as a profitable commercial tool directed at private enterprise networks, leaving OT directors to shoulder the operational and financial fallout of unsecured IoT fleets.