PROBABLYPWNED
Malware · March 11, 2026 · 5 min read

KadNap Malware Hijacks 14,000 Routers for Underground Proxy Network

New KadNap botnet targets Asus routers using peer-to-peer Kademlia protocol for stealth C2. Over 60% of infections in the US, linked to Faceless proxy service.

James Rivera

A router-targeting malware called KadNap has quietly infected over 14,000 edge devices since August 2025, primarily conscripting Asus routers into an underground proxy network that cybercriminals rent for anonymous traffic routing.

TL;DR

  • What happened: KadNap malware builds a P2P botnet using compromised home routers
  • Who's affected: Primarily Asus routers, other SOHO devices also targeted
  • Scale: 14,000+ devices infected, 60%+ in the United States
  • Action required: Update router firmware, change default passwords, restrict management access

The Kademlia Twist

What sets KadNap apart from typical router botnets is its command-and-control infrastructure. Lumen's Black Lotus Labs documented how the malware uses a custom implementation of the Kademlia Distributed Hash Table (DHT) protocol.

Kademlia is the distributed hash table (DHT) design behind legitimate peer-to-peer systems such as BitTorrent's Mainline DHT. Every node holds a random ID in a large keyspace, the distance between two IDs is their XOR, and each node keeps a small routing table that lets it reach the node closest to any key in a logarithmic number of hops, with no central directory. KadNap weaponizes this architecture to hide its C2 infrastructure within the peer-to-peer mesh itself.

The result: traditional network monitoring can't easily identify command servers, because compromised routers talk to each other rather than to a fixed attacker IP. Taking down one node barely affects the botnet; the remaining peers simply route around it.

Infection Chain

The attack begins with a shell script named "aic.sh" downloaded from a known C2 server at 212.104.141[.]140. Once executed, the script:

  1. Creates a cron job that runs at the 55-minute mark of every hour
  2. Retrieves and executes the malicious payload
  3. Renames the payload to ".asusrouter" so it blends in with legitimate Asus files
  4. Relies on that hourly cron entry as its persistence mechanism: every scheduled run executes the payload again

The malware targets ARM and MIPS processor architectures common in consumer routers. While Asus devices are primary targets, researchers note other SOHO (small office/home office) edge devices are also susceptible.

Geographic Distribution

The infection map tells an interesting story:

  • United States: 60%+ of infections
  • Taiwan and Hong Kong: Significant presence
  • Russia, UK, Australia: Scattered infections
  • Brazil, France, Italy, Spain: Lower numbers

The heavy US concentration suggests attackers are prioritizing American IP addresses for their proxy network. US residential IPs are valuable for evading geographic restrictions and blending malicious traffic with legitimate home internet usage.

Connection to Faceless Proxy Service

Black Lotus Labs assesses that KadNap-compromised devices feed into a proxy service called "Doppelganger," likely a rebrand of the Faceless proxy network previously associated with TheMoon malware.

These residential proxy services are rented to cybercriminals who need to:

  • Conduct credential stuffing attacks from diverse IPs
  • Bypass geographic restrictions and rate limiting
  • Mask the origin of phishing and fraud operations
  • Evade IP-based blocklists during malware delivery

The business model turns infected routers into revenue-generating assets for operators, with victims unknowingly hosting criminal infrastructure on their home networks.

Detection Challenges

KadNap employs several anti-detection techniques:

NTP-Based Hash Generation: Instead of embedding peer addresses or a fixed rendezvous key, the malware queries legitimate NTP servers for the current time and hashes the result to derive the DHT key under which peers find each other. A likely reason for using a public time source rather than the router's own clock is that many SOHO devices have no battery-backed real-time clock; an external timestamp keeps every infected node on the same key. To a network monitor the NTP queries look like ordinary time synchronization; only the subsequent peer-to-peer lookups carry the botnet traffic, and those have no fixed destination to alert on.

P2P Architecture: Without centralized C2 servers, there's no single domain or IP to block. Routing tables are refreshed as nodes join and leave, so the overlay heals around any peer that is cleaned, rebooted or seized.
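To make the lookup mechanism described in "The Kademlia Twist" and the NTP-derived key above concrete, here is an added example (not KadNap's code, and not from the Black Lotus Labs report) of a time-keyed rendezvous on a toy Kademlia overlay: each peer converts an NTP timestamp to a time window, hashes it into a 160-bit key, then runs the iterative XOR-distance lookup to find the live node closest to that key. The key-derivation scheme, the SALT value, the 64 constructed node IDs, the bucket size K = 3 and the lookup parallelism ALPHA = 3 are illustrative assumptions; the article only says that KadNap hashes NTP timestamps to locate peers. The demo also removes the node it found and looks up again, which is the "taking down one node barely matters" property in action.

```python
"""Added example: time-keyed rendezvous on a toy Kademlia overlay.

Not KadNap's code. ASSUMPTIONS (illustrative, not from the report): the key
derivation and SALT, the 64 constructed node IDs, K = 3 and ALPHA = 3.
"""
import hashlib
import random

ID_BITS = 160                    # SHA-1 sized IDs, as in Kademlia's original design
K = 3                            # contacts kept per bucket
ALPHA = 3                        # parallel queries per lookup round
SALT = b"demo-salt"              # ASSUMPTION: stand-in for whatever the real derivation mixes in
NTP_UNIX_OFFSET = 2_208_988_800  # seconds between the NTP epoch (1900) and the Unix epoch (1970)


def sha1_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def ntp_to_unix(ntp_seconds: int) -> int:
    """Seconds field of an NTP reply converted to Unix time."""
    return ntp_seconds - NTP_UNIX_OFFSET


def rendezvous_key(unix_time: int, window: int = 3600) -> int:
    """Key every peer looks up during one time window.

    Fetching the time from NTP instead of the router clock keeps all peers
    in the same window, so they derive the same key.
    """
    return sha1_int(SALT + (unix_time // window).to_bytes(8, "big"))


class Node:
    def __init__(self, nid: int):
        self.id = nid
        # bucket i holds up to K contacts whose XOR distance from us has bit i as its top set bit
        self.buckets = [[] for _ in range(ID_BITS)]

    def add_contact(self, other: int) -> None:
        if other == self.id:
            return
        bucket = self.buckets[(self.id ^ other).bit_length() - 1]
        if other not in bucket and len(bucket) < K:
            bucket.append(other)

    def closest(self, target: int) -> list:
        """Reply to FIND_NODE(target): the K contacts we know that are nearest to target."""
        contacts = [c for bucket in self.buckets for c in bucket]
        return sorted(contacts, key=lambda c: c ^ target)[:K]


class Overlay:
    def __init__(self, ids: list, rng: random.Random):
        self.nodes = {nid: Node(nid) for nid in ids}
        for node in self.nodes.values():
            others = list(ids)
            rng.shuffle(others)      # which K contacts fill a bucket is arbitrary
            for other in others:
                node.add_contact(other)

    def remove(self, nid: int) -> None:
        """Take one router offline; the others still hold it as a stale contact."""
        del self.nodes[nid]

    def lookup(self, start: int, target: int) -> int:
        """Iterative Kademlia lookup from a live node; returns the live ID closest to target."""
        shortlist, queried = {start}, set()
        while True:
            live = sorted((c for c in shortlist if c in self.nodes), key=lambda c: c ^ target)
            batch = [c for c in live[:K] if c not in queried][:ALPHA]
            if not batch:            # the K nearest live contacts have all been asked
                return live[0]
            for nid in batch:
                queried.add(nid)
                shortlist.update(self.nodes[nid].closest(target))


def brute_force_closest(overlay: Overlay, target: int) -> int:
    """Ground truth for checking the lookup: nearest live node by XOR distance."""
    return min(overlay.nodes, key=lambda c: c ^ target)


def build_demo_overlay(seed: int = 7, n: int = 64):
    rng = random.Random(seed)
    ids = [sha1_int(f"router-{i:02d}".encode()) for i in range(n)]  # constructed IDs
    return Overlay(ids, rng), ids


def demo():
    overlay, ids = build_demo_overlay()
    key = rendezvous_key(ntp_to_unix(1_700_000_000 + NTP_UNIX_OFFSET))  # as if from an NTP reply
    start = max(ids, key=lambda c: c ^ key)     # begin from the node farthest from the key
    first = overlay.lookup(start, key)
    overlay.remove(first)                        # that rendezvous node gets cleaned up
    second = overlay.lookup(start, key)          # the rest of the mesh converges on the next one
    return first, second


if __name__ == "__main__":
    a, b = demo()
    print(f"rendezvous node: {a:040x}\nafter takedown:  {b:040x}")
```

Run it with python3 and it prints the rendezvous node before and after the takedown. The defender-side consequence is visible in the code: anyone who knows the derivation and the salt can compute the current key in advance, and without them the only observable is routers asking each other for a key that changes every window.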

Minimal Footprint: The malware runs quietly, avoiding resource-intensive operations that might alert users to infection. Compromised routers continue functioning normally while proxying malicious traffic.

This stealth approach has allowed KadNap to operate for over seven months before researchers published detailed analysis.

How to Protect Your Router

Router owners, especially those with Asus devices, should take immediate action:

  1. Update firmware - Check for and apply the latest security updates from your router manufacturer
  2. Reboot regularly - Many router malware variants live only in memory and don't survive a reboot unless they have established persistence
  3. Change default credentials - Admin passwords should be strong and unique
  4. Disable remote management - Turn off WAN-side administrative access if not needed
  5. Replace EOL devices - Routers no longer receiving updates should be retired

Organizations should also monitor for unusual outbound connections from network edge devices and consider segmenting IoT and router management traffic.

Why This Matters

Router botnets represent a growing threat category that security teams often overlook. Consumer routers sit outside corporate security controls but can still impact enterprise networks when employees work remotely or when business-grade SOHO equipment shares similar vulnerabilities.

The residential proxy angle adds financial incentive for attackers. Rather than using compromised routers solely for DDoS or spam, operators now monetize the access directly by renting it to other criminals. This sustainable business model ensures continued investment in router exploitation.

We've seen BYOVD attacks abuse legitimately signed drivers to disable EDR in enterprise environments; router malware follows a comparable pattern, here by abusing a legitimate DHT protocol and public NTP servers to hide its control channel.

The 14,000 infection count likely represents detected cases. The actual botnet size could be significantly larger, because P2P overlays are hard to enumerate completely from the outside.

FAQ

How do I check if my router is infected?

Look for a crontab entry scheduled at minute 55 of every hour, a file or process named ".asusrouter," a downloaded "aic.sh," or outbound connections to the known C2 IP 212.104.141[.]140. Most consumer routers offer no easy way to inspect cron jobs or process lists, which is part of why router malware persists.
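As an added example of turning the indicators from the infection chain and this answer into a check, the script below (written for this article, not a vendor or Black Lotus Labs tool) scans text captured from a router's crontab, `ps` output and `netstat -tn` output for the hourly-at-minute-55 schedule, the "aic.sh" and ".asusrouter" names, and the C2 IP. The sample inputs are constructed; the column layouts mimic busybox output but your device's may differ, so the matching is line-based rather than column-based.

```python
"""Added example: triage a router's crontab, process list and connection
table for the KadNap indicators named in this article. Not KadNap's code
and not a vendor tool; the sample inputs below are constructed."""
import re
from typing import Dict, List

C2_IP = "212.104.141.140"                 # dropper host named in the article
IOC_NAMES = ("aic.sh", ".asusrouter")     # dropper script and renamed payload
# "55 * * * *": the hourly-at-minute-55 schedule the dropper installs. On its own
# this is a weak indicator; legitimate jobs can use the same schedule.
CRON_MINUTE_55 = re.compile(r"^\s*55(\s+\*){4}\s+\S")


def _reasons(source: str, line: str) -> List[str]:
    reasons = []
    if source == "crontab" and CRON_MINUTE_55.match(line):
        reasons.append("hourly job at minute 55")
    if any(name in line for name in IOC_NAMES):
        reasons.append("known KadNap file name")
    if C2_IP in line:
        reasons.append("contact with known C2 IP")
    return reasons


def scan(crontab: str, ps: str, conns: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious line, tagged with its source and reasons."""
    findings = []
    for source, text in (("crontab", crontab), ("ps", ps), ("netstat", conns)):
        for line in text.splitlines():
            if line.strip().startswith("#"):
                continue
            reasons = _reasons(source, line)
            if reasons:
                findings.append({"source": source, "line": line.strip(), "reasons": reasons})
    return findings


# Constructed sample output in busybox `crontab -l`, `ps` and `netstat -tn` shapes.
SAMPLE_CRONTAB = """\
# constructed sample
0 3 * * * /sbin/logrotate
55 * * * * /tmp/.asusrouter
"""
SAMPLE_PS = """\
  PID USER       VSZ STAT COMMAND
    1 admin     1452 S    /sbin/init
  842 admin     2188 S    /tmp/.asusrouter
  901 admin     1320 S    httpd
"""
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.1:45122       212.104.141.140:80      ESTABLISHED
tcp        0      0 192.168.1.1:80          192.168.1.20:53124      ESTABLISHED
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_CRONTAB, SAMPLE_PS, SAMPLE_NETSTAT):
        print(f"[{f['source']}] {f['line']}  <- {', '.join(f['reasons'])}")
```

On a router with SSH enabled, capture the three inputs with `crontab -l`, `ps` and `netstat -tn` and feed them to `scan()`; a hit on the file names or the C2 IP is strong evidence, while the cron schedule alone only warrants a closer look.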

Does a factory reset remove KadNap?

Yes, a full factory reset should clear the infection. However, you must also update firmware and change credentials to prevent reinfection. If the router is end-of-life with no available updates, replacement is the safer option.
