KadNap Botnet Hijacks ASUS Routers, Fuels Cybercrime Proxy Network
A newly identified botnet malware known as KadNap is specifically targeting ASUS routers and similar networking devices. This malware transforms these devices into proxies used for malicious activities. KadNap has expanded significantly since its emergence in August 2025, now involving approximately 14,000 devices operating within a decentralized peer-to-peer network.
KadNap’s Network and Operation
The botnet utilizes a customized version of the Kademlia Distributed Hash Table (DHT) protocol to connect to its command-and-control (C2) servers. This decentralized structure complicates efforts to identify and disrupt these servers. Researchers from Black Lotus Labs, the threat research unit of Lumen Technologies, note that nearly half of KadNap’s network is linked to C2s specifically designed for ASUS-based bots.
- 60% of infected devices are located in the United States.
- Other notable regions include Taiwan, Hong Kong, and Russia.
Infection Process
The KadNap infection begins when a malicious script, identified as aic.sh, is downloaded from a specific IP address: 212.104.141[.]140. This script creates a persistent cron job that executes every 55 minutes, deploying an ELF binary named kad, which installs the KadNap client.
Once operational, the malware retrieves the host’s external IP address and synchronizes with several Network Time Protocol (NTP) servers for system time and uptime details.
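The persistence and download indicators described above can be turned into a simple host- and network-side check. The following Python script is an added example, not code from the article or from Black Lotus Labs: it matches only the indicators the report names (the aic.sh script, the kad ELF binary, and the download host 212.104.141[.]140). The crontab encoding of "every 55 minutes" (`*/55`), the connection-log format and the sample lines are assumptions constructed for the demo.

```python
"""Hunt for KadNap-style persistence and download traffic on a Linux router.

Added example, not code from the article or from Black Lotus Labs. It
matches only indicators the report names: a script called aic.sh, an ELF
binary named kad, and the download host 212.104.141[.]140. The crontab
syntax used for "every 55 minutes" and the connection-log format are
assumptions constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass

# Indicators from the report; the IP is stored defanged and re-fanged for matching.
IOC_IP_DEFANGED = "212.104.141[.]140"
IOC_IP = IOC_IP_DEFANGED.replace("[.]", ".")
IOC_NAMES = frozenset({"aic.sh", "kad"})
IOC_CRON_MINUTE = "*/55"   # assumed encoding of the 55-minute schedule

# Constructed sample crontab: one benign entry and one KadNap-style entry.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /sbin/logrotate.sh
*/55 * * * * /tmp/kad >/dev/null 2>&1
"""

# Constructed sample connection log; assumed format: <ts> <src> <dst:port> <proto>.
SAMPLE_CONN_LOG = """\
2025-09-01T10:00:01 192.168.1.1 8.8.8.8:53 udp
2025-09-01T10:00:05 192.168.1.1 212.104.141.140:80 tcp
2025-09-01T10:01:00 192.168.1.1 93.184.216.34:443 tcp
"""


@dataclass(frozen=True)
class Finding:
    source: str   # "crontab" or "conn"
    line: str
    reason: str


def scan_crontab(text: str) -> list[Finding]:
    """Flag cron entries that use the reported schedule or run the reported names."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)        # m h dom mon dow command
        if len(fields) < 6:
            continue
        minute, command = fields[0], fields[5]
        reasons = []
        if minute == IOC_CRON_MINUTE:
            reasons.append("55-minute step schedule")
        # Compare each token's basename so /tmp/kad and ./aic.sh both match.
        basenames = {tok.rsplit("/", 1)[-1] for tok in command.split()}
        hits = sorted(basenames & IOC_NAMES)
        if hits:
            reasons.append("command references " + ", ".join(hits))
        if reasons:
            findings.append(Finding("crontab", line, "; ".join(reasons)))
    return findings


def scan_conn_log(text: str) -> list[Finding]:
    """Flag connections whose destination is the reported download host."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 4:
            continue
        dst_ip = parts[2].rsplit(":", 1)[0]   # strip the port
        if dst_ip == IOC_IP:
            findings.append(Finding("conn", raw.strip(),
                                    f"connection to {IOC_IP_DEFANGED}"))
    return findings


def scan_all(crontab: str = SAMPLE_CRONTAB,
             conn_log: str = SAMPLE_CONN_LOG) -> list[Finding]:
    """Run both scanners and return every finding."""
    return scan_crontab(crontab) + scan_conn_log(conn_log)


if __name__ == "__main__":
    for f in scan_all():
        print(f"[{f.source}] {f.reason}: {f.line}")
```

On a real device the crontab text would come from the cron spool (or `crontab -l`) and the connection log from whatever flow export the router or upstream firewall provides; the matching logic stays the same. Because the report only names one download host, a match on the schedule or binary name is the more durable signal: the IP can change, the persistence mechanism is what keeps the client installed.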
Evading Detection
To enhance its resilience against takedown efforts, KadNap employs a modified Kademlia-based DHT protocol. This approach is designed to obscure the IP addresses of its infrastructure within a peer-to-peer system, making traditional monitoring ineffective. Researchers highlighted that infected devices use this protocol to locate C2 servers without easy detection by cybersecurity defenders.
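To make the Kademlia point concrete, here is a toy iterative lookup in Python. It is an added illustration, not KadNap's code or its customised protocol: it shows how a node finds the peer closest to a target ID using only the XOR metric and a few bootstrap peers, so no fixed C2 address has to be stored in the client, and how few peers one lookup contacts. The 32-bit ID width, bucket size K, concurrency ALPHA, and the simulated network are all assumptions constructed for the demo.

```python
"""Toy Kademlia-style iterative lookup.

Added illustration, not KadNap's code or its customised protocol: it
shows why a DHT lets a bot locate a target node ID without a fixed C2
address being baked into the client, and how few peers a single lookup
touches. ID width, bucket size and the network are constructed for
the demo.
"""
import random

ID_BITS = 32   # real Kademlia uses 160-bit IDs; shortened for the demo
K = 4          # entries per k-bucket / nodes returned per query (assumed)
ALPHA = 3      # parallel queries per round (Kademlia's alpha, assumed)


def xor_distance(a: int, b: int) -> int:
    """Kademlia's metric: XOR of the two IDs, read as an integer."""
    return a ^ b


def build_network(n_nodes: int, seed: int = 7):
    """Create n_nodes random IDs, each with k-buckets holding up to K peers
    per XOR-distance range [2^i, 2^(i+1)). Returns (ids, routing_tables)."""
    rng = random.Random(seed)
    ids = rng.sample(range(1 << ID_BITS), n_nodes)
    tables = {}
    for nid in ids:
        buckets = {}
        for other in ids:
            if other == nid:
                continue
            i = xor_distance(nid, other).bit_length() - 1   # bucket index
            bucket = buckets.setdefault(i, [])
            if len(bucket) < K:
                bucket.append(other)
        tables[nid] = {p for b in buckets.values() for p in b}
    return ids, tables


def find_node(tables, bootstrap, target):
    """Iterative FIND_NODE: query the ALPHA closest unqueried peers, add the
    K closest peers each one reports, and stop once the K closest nodes seen
    have all been queried. Returns (closest K nodes, set of peers contacted)."""
    def by_dist(nodes):
        return sorted(nodes, key=lambda n: xor_distance(n, target))

    shortlist = set(bootstrap)
    queried = set()
    while True:
        pending = by_dist(shortlist - queried)[:ALPHA]
        if not pending:
            break
        for peer in pending:
            queried.add(peer)
            # The peer replies with the K entries closest to target it knows.
            shortlist.update(by_dist(tables[peer])[:K])
        if all(n in queried for n in by_dist(shortlist)[:K]):
            break
    return by_dist(shortlist)[:K], queried


def simulate(n_nodes: int = 300, seed: int = 7):
    """Treat one node as the target, bootstrap from three unrelated peers,
    and report whether the lookup reached it and how many peers it contacted."""
    ids, tables = build_network(n_nodes, seed)
    rng = random.Random(seed + 1)
    target = ids[0]
    bootstrap = rng.sample(ids[1:], 3)
    closest, contacted = find_node(tables, bootstrap, target)
    return {"found": closest[0] == target,
            "contacted": len(contacted),
            "nodes": n_nodes}


if __name__ == "__main__":
    print(simulate())
```

Because each k-bucket covers one XOR-distance range, every queried peer can name a node that shares a longer prefix with the target, so the lookup converges in roughly log2(n) rounds and contacts only a small fraction of the overlay. That is the property that defeats a static blocklist: the observable outbound traffic from one infected device is a short burst of lookups to a changing set of peer addresses rather than a steady beacon to one C2 IP, which is why the defensive focus shifts to the persistence mechanism on the device and to the peer-traffic pattern itself.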
Connection to Malicious Services
Black Lotus Labs has established a connection between the KadNap botnet and the Doppelganger proxy service. This service, believed to be a rebranding of Faceless, had previous associations with TheMoon malware, which also targeted ASUS routers. Doppelganger sells access to these compromised devices as residential proxies.
These proxies are utilized for various malicious purposes, including:
- Launching distributed denial-of-service (DDoS) attacks
- Credential stuffing
- Brute-force attacks
Countermeasures Implemented
Lumen Technologies has initiated proactive responses against the KadNap botnet. Currently, the company has blocked all network traffic to and from the identified control infrastructure. This intervention applies specifically to Lumen’s network, with plans to release guidelines for other organizations aimed at disrupting the botnet’s operations.
As cyber threats evolve, the ongoing developments emphasize the need for robust security measures. The Red Report 2026 highlights how new malware employs advanced techniques to evade detection, underlining the importance of constant vigilance in cybersecurity efforts.