A sophisticated new malware operation has successfully conscripted more than 14,000 edge networking devices into a global botnet designed to facilitate anonymous criminal activity. According to a recent report by Lumen Technologies’ Black Lotus Labs, the malware, dubbed KadNap, primarily targets ASUS routers to turn them into proxies that route malicious traffic while remaining nearly invisible to traditional security defenses.
The campaign was first detected in August 2025 and has seen a rapid expansion over the last several months. While the infections are spread globally, researchers found that over 60% of the victims are located within the United States, with additional significant clusters identified in the UK, Brazil, Taiwan, and Hong Kong.
A New Era of Decentralized Hiding
What sets KadNap apart from typical botnets is its use of a custom version of the Kademlia Distributed Hash Table (DHT) protocol. Usually found in legitimate peer-to-peer (P2P) services like BitTorrent, this protocol allows the malware to communicate in a decentralized manner.
Instead of reaching out to a single, easily identifiable command-and-control (C2) server, infected devices find their instructions by “hopping” through a chain of other infected peers. This method effectively hides the IP addresses of the attackers’ core infrastructure within the noise of normal web traffic, making it exceptionally difficult for defenders to dismantle.
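The decentralised lookup described above leaves a network-side trace that a defender can score: a DHT-style peer walk is a burst of short UDP exchanges with a large, changing set of external peers on varied ports, which looks nothing like a client talking to a few fixed servers. The following is an added example, not code from the Black Lotus Labs report; the flow-record format, the RFC 1918 definition of "internal", the thresholds and the sample window are all constructed assumptions. Hits are triage candidates rather than verdicts, since legitimate BitTorrent clients and some games produce the same shape.

```python
"""Flag internal hosts whose UDP traffic fans out to many external peers on many ports.

Added example (not from Lumen / Black Lotus Labs). Scores each internal source
over a window of flow records by distinct external UDP peers and distinct
destination ports. Record format, thresholds and sample data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str      # source address
    dst: str      # destination address
    proto: str    # "udp" / "tcp"
    dport: int    # destination port
    nbytes: int   # bytes in the flow


# "Internal" is defined explicitly as RFC 1918 space (assumption for this sensor);
# Python's ip_address(...).is_private also covers documentation ranges, which we
# use below as "external" sample peers, so we do not rely on it here.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# UDP services that legitimately produce many small flows to one server.
EXPECTED_UDP_PORTS = frozenset({53, 123, 443})


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def peer_fanout(flows: Iterable[Flow], min_peers: int = 20,
                min_ports: int = 10) -> Dict[str, Tuple[int, int, int]]:
    """Return {src: (distinct_peers, distinct_ports, total_bytes)} for internal
    hosts whose outbound external UDP conversations cross both thresholds."""
    peers = defaultdict(set)
    ports = defaultdict(set)
    volume = defaultdict(int)
    for f in flows:
        if f.proto != "udp" or f.dport in EXPECTED_UDP_PORTS:
            continue
        if not is_internal(f.src) or is_internal(f.dst):
            continue  # only internal -> external conversations count
        peers[f.src].add(f.dst)
        ports[f.src].add(f.dport)
        volume[f.src] += f.nbytes
    return {
        src: (len(peers[src]), len(ports[src]), volume[src])
        for src in peers
        if len(peers[src]) >= min_peers and len(ports[src]) >= min_ports
    }


def sample_flows() -> List[Flow]:
    """Constructed window: one host with DHT-like fan-out, one ordinary client."""
    flows = []
    # 40 short exchanges from one internal host to 40 distinct TEST-NET peers/ports
    for i in range(40):
        flows.append(Flow("192.168.1.1", f"203.0.113.{i + 1}", "udp", 20000 + 37 * i, 180))
    # an ordinary client: repeated DNS and one QUIC session, each to a single server
    for _ in range(30):
        flows.append(Flow("192.168.1.20", "198.51.100.1", "udp", 53, 90))
    for _ in range(5):
        flows.append(Flow("192.168.1.20", "198.51.100.2", "udp", 443, 1400))
    # an external -> internal reply, which must not be scored
    flows.append(Flow("203.0.113.1", "192.168.1.1", "udp", 41000, 180))
    return flows


def flag_sample() -> Dict[str, Tuple[int, int, int]]:
    return peer_fanout(sample_flows())


if __name__ == "__main__":
    for host, (n_peers, n_ports, total) in flag_sample().items():
        print(f"{host}: {n_peers} peers, {n_ports} ports, {total} bytes")
```

Run against real flow exports by replacing `sample_flows()` with a loader for your collector's format; keep the expected-port allowlist short, since every port added to it is a blind spot.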
The Business of Hijacked Hardware
The ultimate goal of KadNap appears to be financial. Once a device is compromised, it is marketed through a proxy service known as Doppelgänger (an alleged rebrand of the now-defunct “Faceless” service). This platform sells access to the hijacked devices’ IP addresses to other cybercriminals.
These “residential proxies” are highly valued because they allow attackers to perform brute-force attacks, credential stuffing, and large-scale data scraping while appearing to be ordinary home users. By routing attacks through a family’s router in Ohio or a small business in London, hackers can bypass traditional security filters that would otherwise block traffic from known malicious data centers.
Silent Persistence
For the average user, a KadNap infection is almost impossible to detect. The malware operates silently in the background, often only causing minor, intermittent sluggishness in internet speeds. The infection process involves a malicious shell script—frequently named .asusrouter to blend in—which sets up a recurring task to ensure the malware remains on the device even after a reboot.
Security experts at Black Lotus Labs note that the malware targets both ARM and MIPS processor architectures, meaning it can infect a wide variety of “Internet of Things” (IoT) hardware beyond just routers.
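The persistence trait named above, a dot-prefixed script wired into a recurring task, is something an operator can check for on any device whose scheduled jobs can be dumped. The following is an added example, not code from Black Lotus Labs or ASUS: it assumes the recurring task is a cron-style entry (the article does not say which scheduler is used), and the scratch-directory list and sample crontab are constructed.

```python
"""Audit a crontab for entries that run hidden files or scripts from scratch directories.

Added example; not code from the report. Flags the two traits a reviewer looks
at first: a dot-prefixed filename (the article cites ".asusrouter") and a path
under a writable temporary directory. Cron format, directory list and sample
lines are assumptions / constructed data.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    line: str
    reasons: str


# A hidden-file token: a dot followed by an alphanumeric, preceded by "/" or whitespace
# (so "file.txt", "./x" and "../" do not match).
HIDDEN_FILE = re.compile(r"(?<=[\s/])\.[A-Za-z0-9_][\w.-]*")

# Scratch locations commonly used as launch points on embedded Linux
# (assumed list; extend for the platform being audited; longest first).
SCRATCH_DIR = re.compile(r"(?<!\S)(/var/tmp|/dev/shm|/tmp)(?=/|\s|$)")

# Comments, blank lines and VAR=value assignments carry no command.
NON_COMMAND = re.compile(r"^\s*(#|$|\w+=)")


def inspect_entry(line: str) -> List[str]:
    """Return the reasons a single crontab line deserves a closer look."""
    reasons = []
    hidden = HIDDEN_FILE.findall(line)
    if hidden:
        reasons.append("runs hidden file " + ", ".join(hidden))
    scratch = SCRATCH_DIR.findall(line)
    if scratch:
        reasons.append("path under scratch dir " + ", ".join(sorted(set(scratch))))
    return reasons


def audit_crontab(text: str) -> List[Finding]:
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if NON_COMMAND.match(line):
            continue
        reasons = inspect_entry(line)
        if reasons:
            findings.append(Finding(n, line.strip(), "; ".join(reasons)))
    return findings


# Constructed sample crontab, not from a real device.
SAMPLE_CRONTAB = """\
# constructed sample crontab
PATH=/usr/sbin:/usr/bin:/sbin:/bin
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/.asusrouter
@reboot sh /var/tmp/.cache/run.sh
30 2 * * 0 /usr/bin/ntpd -q
"""


def audit_sample() -> List[Finding]:
    return audit_crontab(SAMPLE_CRONTAB)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"line {f.line_no}: {f.reasons}\n    {f.line}")
```

Feed it the output of `crontab -l` for each account (and any init or rc scripts the firmware exposes); an entry that survives a reboot and points at a hidden file in a temporary directory is worth pulling off the device for inspection before the box is reset and patched.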
How to Protect Your Network
As of March 2026, the botnet remains active. Security researchers and government agencies, including the U.S. CISA, recommend that owners of SOHO (Small Office/Home Office) routers take the following immediate steps:
- Update Firmware: Ensure your router is running the latest security patches provided by the manufacturer.
- Reboot Regularly: While KadNap attempts to stay persistent, some components are stored in memory and can be temporarily cleared by a restart.
- Change Default Credentials: Never use the factory-set username and password for your router’s administration panel.
- Replace End-of-Life Gear: If your router no longer receives security updates from the manufacturer, it is a prime target for modern botnets and should be replaced.