Proxy service Doppelganger currently selling access to the KadNap botnet | Image: Black Lotus Labs
Cybersecurity researchers at Black Lotus Labs, the threat intelligence arm of Lumen Technologies, have unmasked a sophisticated new botnet dubbed “KadNap”. Since its emergence in August 2025, the malware has quietly infected over 14,000 devices, primarily targeting Asus routers to build a global proxy network for criminal activities.
What makes KadNap particularly dangerous is its use of a custom peer-to-peer (P2P) protocol to hide its tracks. By leveraging a modified version of the Kademlia Distributed Hash Table (DHT), the botnet avoids the traditional centralized “command-and-control” (C2) structure that defenders usually target.
As the researchers noted: “KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring”.
This approach allows infected routers to locate their controllers while “hiding in the noise of legitimate peer-to-peer traffic,” making the network incredibly difficult for security teams to disrupt.
The hijacked routers are being sold as high-value assets on the dark web. Black Lotus Labs identified that these bots are marketed through a proxy service called “Doppelgänger”. Analysts believe this service is a direct rebrand of the now-defunct Faceless proxy network, which famously utilized “TheMoon” malware in years past.
Despite its global footprint, KadNap has a very specific focus. Telemetry shows that more than 60% of its victims are located in the United States, followed by significant clusters in Taiwan, Hong Kong, and Russia.
- Primary Targets: Primarily Asus routers, though various edge networking devices are also affected.
- Segmented Infrastructure: The attackers appear to silo their C2 servers by device type, likely to optimize their proxy performance for specific criminal buyers.
- Persistence: The malware uses a clever shell script, aic.sh, to set up a cron job that runs every hour at the 55-minute mark, ensuring the device remains part of the botnet even after reboots.
While Lumen has proactively blocked traffic to the known KadNap infrastructure on its global backbone, the decentralized nature of the threat means individual users must take action.
“Every IP address associated with this botnet represents a significant, persistent risk to organizations and individuals alike,” the report concludes.
Recommendations for SOHO Users:
- Update Firmware: Ensure your router is running the latest manufacturer patches.
- Change Default Credentials: Never use factory-set usernames or passwords.
- Monitor Cron Jobs: Look for unusual scripts, particularly those renamed to .asusrouter or running from /jffs/.
- Retire Old Tech: If your router has reached its manufacturer’s “End of Life,” replace it immediately, as it will no longer receive critical security updates.
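As an added example, not code from the report or from Black Lotus Labs, the following POSIX shell check scans crontab entries for the persistence traits described above (a job scheduled at the 55-minute mark of every hour, a script renamed to .asusrouter, or a script run from /jffs/). The crontab lines are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: flag crontab lines that match the KadNap persistence traits
# described in the article. Sample crontab content is constructed, not telemetry.

SAMPLE_CRONTAB='# constructed sample crontab, not real telemetry
0 3 * * * /sbin/logrotate
55 * * * * /jffs/aic.sh
*/5 * * * * /tmp/.asusrouter
30 2 * * 0 /usr/sbin/ntpd -q'

# kadnap_cron_hits: read crontab lines on stdin, print each suspicious line with
# the reason(s) it matched; exit 0 if at least one hit was found, 1 otherwise.
kadnap_cron_hits() {
    hits=0
    while IFS= read -r line; do
        case "$line" in
            ''|\#*) continue ;;          # skip blank lines and comments
        esac
        # Fields 1-5 are the schedule (minute hour dom month dow); the rest is the command.
        minute=$(printf '%s\n' "$line" | awk '{print $1}')
        hour=$(printf '%s\n' "$line" | awk '{print $2}')
        cmd=$(printf '%s\n' "$line" | awk '{$1=$2=$3=$4=$5=""; sub(/^ +/, ""); print}')
        reason=''
        # Trait 1: runs every hour at minute 55 ("55 * * * *")
        if [ "$minute" = "55" ] && [ "$hour" = "*" ]; then
            reason="${reason}hourly-at-55 "
        fi
        # Trait 2: command is run from the /jffs/ partition
        case "$cmd" in
            /jffs/*|*\ /jffs/*) reason="${reason}runs-from-/jffs ";;
        esac
        # Trait 3: script renamed to .asusrouter
        case "$cmd" in
            *.asusrouter|*.asusrouter\ *) reason="${reason}named-.asusrouter ";;
        esac
        if [ -n "$reason" ]; then
            hits=$((hits + 1))
            printf 'SUSPECT [%s]: %s\n' "$reason" "$line"
        fi
    done
    [ "$hits" -gt 0 ]
}

# kadnap_sample_count: number of suspicious lines found in the constructed sample.
kadnap_sample_count() {
    printf '%s\n' "$SAMPLE_CRONTAB" | kadnap_cron_hits | wc -l | tr -d ' '
}
```

On a live device the same function can be fed the real tables, for example `crontab -l | kadnap_cron_hits` or `cat /var/spool/cron/crontabs/* | kadnap_cron_hits`.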
Lumen has released a full list of Indicators of Compromise (IoCs) to the public to help security teams across the globe disrupt this growing threat.