Weekly Threat Roundup: Masjesu IoT Botnet and 13-Year Apache ActiveMQ RCE
Original source
ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories
The Hacker News’ weekly ThreatsDay bulletin highlights 20 security stories, led by the Masjesu botnet and a long-dormant Apache ActiveMQ remote code execution flaw. Masjesu, also tracked as XorBot, is a commercially operated DDoS-for-hire botnet that has been quietly recruiting IoT devices (routers, gateways, and embedded systems across architectures including MIPS, ARM, and SPARC) since early 2023. Advertised via Telegram, the botnet wraps its payloads in XOR-based multi-stage encryption to evade static analysis and has demonstrated attack capacity approaching 300 Gbps, with compromised nodes concentrated in Vietnam, Ukraine, Iran, Brazil, and other regions.
The bulletin’s other headline story is CVE-2026-34197 (CVSS 8.8), a remote code execution vulnerability in Apache ActiveMQ Classic that had gone undetected for 13 years. Discovered by Horizon3.ai researchers, reportedly with assistance from Anthropic’s Claude, the flaw lets an attacker abuse the broker’s Jolokia management API to make the broker fetch a remote configuration file and execute arbitrary OS commands; it bypasses the earlier fix for CVE-2022-41678. The bug nominally requires authentication, but that is weak protection in practice: the default web-console credentials (admin:admin) are widespread, and on ActiveMQ versions 6.0.0 through 6.1.1 a separate issue (CVE-2024-32114) exposes the Jolokia API with no authentication at all, which makes CVE-2026-34197 effectively unauthenticated RCE on those releases. Apache has fixed the flaw in ActiveMQ Classic 5.19.4 and 6.2.3; short of upgrading, the obvious hardening steps are to change the default console credentials and keep the Jolokia endpoint off untrusted networks.
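A triage script for the ActiveMQ story, as an added example that is not code from The Hacker News, Horizon3.ai or the ActiveMQ project. It probes the web console’s Jolokia read endpoint, first without credentials and then with admin:admin if the first attempt is rejected, reads the broker’s reported version, and maps it onto the version facts the article states (fixed in 5.19.4 and 6.2.3; CVE-2024-32114 affects 6.0.0 through 6.1.1). Assumptions not in the article: the stock Jolokia path /api/jolokia on the console port 8161, the org.apache.activemq:type=Broker MBean’s BrokerVersion attribute, and the shape of Jolokia’s JSON replies. It only reads an attribute and classifies; it does not attempt the exploit.

```python
"""Triage helper for the ActiveMQ Classic Jolokia exposure (added example).

Assumed, not from the article: endpoint path, MBean/attribute names and the
JSON layout of Jolokia replies. Version thresholds are those the article gives.
"""
import base64
import json
import re
import urllib.error
import urllib.request

# Assumed stock path: wildcard read of BrokerVersion on every Broker MBean.
JOLOKIA_PATH = "/api/jolokia/read/org.apache.activemq:type=Broker,brokerName=*/BrokerVersion"
# First fixed release per major line (article: 5.19.4 and 6.2.3).
FIXED = {5: (5, 19, 4), 6: (6, 2, 3)}
# CVE-2024-32114 range, inclusive (article: 6.0.0 through 6.1.1).
UNAUTH_JOLOKIA = ((6, 0, 0), (6, 1, 1))
DEFAULT_CREDS = ("admin", "admin")


def parse_version(text):
    """'5.19.3' or '6.2.3-SNAPSHOT' -> (major, minor, patch); labels are dropped."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_findings(version):
    """Version-based findings; major lines other than 5.x/6.x are not covered by the article."""
    v = parse_version(version)
    findings = []
    fixed = FIXED.get(v[0])
    if fixed is not None and v < fixed:
        findings.append("CVE-2026-34197: unpatched (fixed in 5.19.4 / 6.2.3)")
    if UNAUTH_JOLOKIA[0] <= v <= UNAUTH_JOLOKIA[1]:
        findings.append("CVE-2024-32114: Jolokia reachable without authentication")
    return findings


def extract_version(body):
    """Pull BrokerVersion out of a Jolokia reply; None on non-JSON or Jolokia-level error."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if doc.get("status") != 200:  # Jolokia reports MBean errors inside an HTTP 200 reply
        return None
    value = doc.get("value")
    if isinstance(value, dict):  # wildcard read: {mbean_name: {"BrokerVersion": "..."}}
        for attrs in value.values():
            if isinstance(attrs, dict) and "BrokerVersion" in attrs:
                return attrs["BrokerVersion"]
        return None
    return value if isinstance(value, str) else None


def assess(status, body, creds):
    """Turn one probe (HTTP status, body, credentials used or None) into a report."""
    report = {"jolokia_reachable": status == 200, "auth": None, "version": None, "findings": []}
    if status != 200:
        return report
    if creds is None:
        report["auth"] = "none"
    elif creds == DEFAULT_CREDS:
        report["auth"] = "default credentials"
    else:
        report["auth"] = "supplied credentials"
    version = extract_version(body)
    report["version"] = version
    if version:
        report["findings"] = version_findings(version)
    if creds is None:
        report["findings"].append("Jolokia API answered without authentication")
    elif creds == DEFAULT_CREDS:
        report["findings"].append("Jolokia API accepted admin:admin")
    return report


def probe(base_url, creds=None, timeout=5):
    """One GET against the Jolokia read endpoint; returns (status, body)."""
    req = urllib.request.Request(base_url.rstrip("/") + JOLOKIA_PATH)
    if creds:
        token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def check_broker(base_url):
    """Unauthenticated probe first; fall back to admin:admin only if rejected."""
    status, body = probe(base_url)
    if status in (401, 403):
        status, body = probe(base_url, DEFAULT_CREDS)
        return assess(status, body, DEFAULT_CREDS)
    return assess(status, body, None)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8161"
    print(json.dumps(check_broker(target), indent=2))
```

Run it as `python triage.py http://broker:8161` against a host you are authorised to test. An empty findings list with `jolokia_reachable` true and `auth` set to "supplied credentials" is the healthy state; any reachable Jolokia endpoint with `auth` "none" or "default credentials" deserves a ticket regardless of version, because the version check only covers the two lines the article names.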
Continue reading at The Hacker News. This is an AI-generated summary; read the original for the full story.