Asus Routers Hit by KadNap: Takedown-Resistant Botnet of 14,000 Devices
A botnet comprised of over 14,000 routers and other network devices—with a strong concentration of Asus models—is being exploited to anonymously proxy malicious traffic, presenting a significant challenge to cybersecurity defenses. The malware, dubbed KadNap, has been active since August 2025 and continues to grow, averaging around 14,000 infected devices daily. This isn’t simply a large-scale infection; the architecture of KadNap makes it unusually resistant to traditional takedown methods.
How KadNap Conceals Its Operations
The resilience of KadNap stems from its innovative use of the Kademlia Distributed Hash Table (DHT) protocol. Developed in the early 2000s, Kademlia is a peer-to-peer network structure designed to efficiently locate information across a distributed system. Unlike traditional client-server models, where a central authority controls connections, Kademlia allows any node in the network to directly query others for the location of a specific resource – in this case, a command-and-control (C2) server.
Chris Formosa, a researcher at Lumen’s Black Lotus Labs, explained that the botnet operators likely acquired a reliable exploit for vulnerabilities affecting Asus routers, contributing to the high concentration of compromised devices. He clarified that the operation doesn’t appear to be leveraging any previously unknown, or “zero-day,” vulnerabilities. The use of DHTs means that instead of directly listing the IP addresses of C2 servers, KadNap uses cryptographic hashes. This substitution makes it significantly harder for security researchers and law enforcement to identify and disrupt the botnet’s infrastructure. Essentially, the C2 servers hide “in the noise” of legitimate peer-to-peer traffic.
Proxy Services and the Doppelgänger Connection
Once a device is compromised, it isn’t simply part of the botnet; it’s offered as a proxy service. The Black Lotus Labs team has linked KadNap to a proxy service called Doppelgänger (“doppelganger[.]shop”), which they assess to be a rebranding of Faceless, another proxy service previously associated with TheMoon malware. Doppelgänger advertises “100% anonymity” and resident proxies in over 50 countries, launching its services around May/June 2025. This suggests a clear monetization strategy for the botnet operators: selling access to the compromised devices to individuals or groups seeking to mask their online activity for malicious purposes.
Geographic Distribution and Affected Devices
The majority of KadNap infections are currently located in the United States, with significant, but smaller, concentrations in Taiwan, Hong Kong, and Russia. Additional infections have been detected in the U.K., Australia, Brazil, France, Italy, and Spain. While Asus routers are the primary target, researchers have observed KadNap being deployed against a variety of edge networking devices, indicating the operators are attempting to broaden their reach. This suggests a flexible attack strategy, adapting to available vulnerabilities across different hardware.
The Broader Implications of DHT-Based Botnets
KadNap isn’t the first botnet to leverage DHTs, but it represents a sophisticated implementation that highlights a growing trend in cybersecurity. The decentralized nature of DHTs, originally designed for legitimate applications like BitTorrent and the InterPlanetary File System (IPFS), makes them inherently resilient to disruption. IPFS, for example, uses DHTs to locate content across a distributed network, ensuring data availability even if individual nodes go offline. Though, this same resilience can be exploited by malicious actors to create botnets that are difficult to dismantle.
The use of DHTs shifts the defensive burden. Traditional methods of botnet takedown – identifying and shutting down C2 servers – become less effective when those servers are constantly changing and hidden within a peer-to-peer network. Defenders must now focus on identifying and cleaning infected devices, as well as developing new techniques for detecting and disrupting DHT-based communication.
What Comes Next: Mitigation and Ongoing Research
Addressing the KadNap threat requires a multi-faceted approach. For users, the most critical step is ensuring their router firmware is up to date. Manufacturers like Asus regularly release updates that patch security vulnerabilities. However, the researchers at Lumen note that the success of KadNap relies on exploiting unpatched vulnerabilities, highlighting the importance of prompt updates.
Beyond individual user action, security vendors are working to develop detection mechanisms that can identify KadNap-infected devices based on their network behavior. This includes analyzing traffic patterns for characteristics associated with DHT communication and identifying connections to known malicious nodes. The Black Lotus Labs team continues to monitor the KadNap botnet, tracking its growth and evolution to better understand its tactics and develop effective countermeasures. Further research is needed to explore the full extent of the botnet’s activities and the potential impact on affected users, and organizations. The ongoing evolution of KadNap underscores the need for continuous vigilance and adaptation in the face of increasingly sophisticated cyber threats.
The researchers also suggest that a deeper understanding of the shell script (“aic.sh”) used to initiate the infection process could provide valuable insights into the botnet’s operation and potential mitigation strategies. The C2 server address (“212.104.141[.]140”) remains a key point of interest for ongoing investigation.