Asus Routers Hijacked by KadNap Botnet for Malicious Proxies, Comprising Over 14,000 Devices

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Primary Target: A new malware, KadNap, is actively targeting Asus routers, conscripting them into a botnet of over 14,000 devices.
  • Evasive Tactics: The botnet uses a custom Kademlia DHT protocol to conceal its command-and-control (C2) infrastructure, making it difficult to track and disrupt.
  • Criminal Enterprise: Infected devices are sold as part of a malicious proxy service called Doppelganger, which facilitates criminal activity by anonymizing traffic.

A new malware strain, KadNap, is creating a widespread botnet primarily composed of compromised Asus routers. The KadNap botnet has grown to over 14,000 infected devices since it was first detected in August 2025, with a significant concentration of victims located in the U.S., cybersecurity researchers say. 

The malware's operators use the compromised devices to create malicious botnet proxy networks, which are then sold through a service called Doppelganger. This service appears to be a successor to the now-defunct Faceless proxy network, which previously leveraged TheMoon malware.

Asus Router Malware

The Asus router malware distinguishes itself by using a custom implementation of the Kademlia Distributed Hash Table (DHT) protocol, Lumen’s Black Lotus Labs researchers say. This peer-to-peer system is strategically employed to obscure the IP addresses of its command-and-control (C2) servers. Lumen has blocked all network traffic to or from the control infrastructure.

KadNap malware initializations | Source: Lumen

By hiding C2 communications within what appears to be legitimate peer-to-peer traffic, the botnet’s infrastructure becomes highly resilient to traditional takedown efforts and blacklist-based defenses. 

Figure 12: KadNap victim locations | Source: Lumen

The malware, delivered via a malicious shell script, establishes persistence on the router and enrolls it into the decentralized network, where it awaits commands and begins proxying traffic for malicious customers.

Cybersecurity Risks and Mitigation

The proliferation of the KadNap botnet via hijacked residential routers provides threat actors with a vast pool of IP addresses to launch brute-force attacks, credential stuffing campaigns, and other malicious activities while evading geofencing and ASN-based blocking. 

For consumers, the primary defense involves:

In January, Silent Push revealed that SystemBC botnet infections exceed 10,000, including systems linked to government hosting, and Check Point Research pointed out that the GoBruteforcer botnet evolved to use AI-driven tactics to target Linux servers. Around the same time, a critical Broadcom chipset vulnerability disrupted Asus router networks.


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: