KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet

Security Reporter

New KadNap malware targets Asus routers and other edge devices, using Kademlia DHT protocol to create a resilient proxy botnet that evades detection while offering anonymous traffic services.

Cybersecurity researchers have uncovered a sophisticated new malware campaign called KadNap that has infected over 14,000 edge networking devices, primarily Asus routers, to create a resilient proxy botnet capable of anonymizing malicious traffic.

The Scale and Scope of the Infection

The malware, first detected in August 2025, has rapidly expanded to compromise more than 14,000 devices across the globe. According to the Black Lotus Labs team at Lumen, over 60% of infected devices are located in the United States, with additional infections reported in Taiwan, Hong Kong, Russia, the U.K., Australia, Brazil, France, Italy, and Spain.

What makes KadNap particularly concerning is its innovative use of technology to evade detection. The malware employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is traditionally used in legitimate peer-to-peer networks. By leveraging this protocol, KadNap can conceal its command-and-control infrastructure within the noise of normal P2P traffic, making it extremely difficult for traditional network monitoring tools to identify malicious activity.

Technical Architecture and Infection Chain

The infection process begins when vulnerable devices are targeted through a shell script named "aic.sh" downloaded from a command-and-control server at IP address 212.104.141.140. This script establishes persistence by creating a cron job that executes every hour at the 55-minute mark, ensuring the malware remains active even after system reboots.

Once persistence is established, the script downloads a malicious ELF binary, renames it to "kad," and executes it. The malware is designed to target both ARM and MIPS processor architectures, allowing it to infect a wide range of edge devices beyond just Asus routers.
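The persistence pattern described above (an hourly cron entry firing at minute 55 that runs the "aic.sh" downloader or the renamed "kad" binary) is something a defender can check for directly. The following script is an added illustration, not code from the report or from the malware; the crontab contents and file paths are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample crontab (not from the article). The two minute-55 entries
# mimic the persistence pattern described in the report; paths are assumed.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
55 * * * * /tmp/aic.sh
55 * * * * /var/tmp/kad
*/15 * * * * /opt/monitor/healthcheck.sh'

# Read crontab lines on stdin and print those that fire every hour at
# minute 55 and invoke a command whose basename is "aic.sh" or "kad".
flag_kadnap_cron() {
    grep -v '^[[:space:]]*#' \
    | awk '$1 == "55" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*" {
        n = split($6, p, "/"); base = p[n]
        if (base == "aic.sh" || base == "kad") print $0
    }'
}

# Number of suspicious entries in the crontab text passed as $1.
# A non-zero count is a reasonable trigger for an alert or a manual review.
count_kadnap_cron() {
    printf '%s\n' "$1" | flag_kadnap_cron | wc -l | tr -d ' '
}

# Demonstration on the constructed sample; on a real device you would
# pipe in the output of `crontab -l` or the contents of /etc/crontabs/*.
printf '%s\n' "$SAMPLE_CRONTAB" | flag_kadnap_cron
```

Matching only on the minute-55 schedule plus the two file names keeps false positives low; an operator who renames the files would still be caught by a broader rule that flags any hourly job launched from a world-writable directory such as /tmp.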

Decentralized Command and Control

KadNap's use of the Kademlia DHT protocol represents a significant evolution in botnet design. Instead of relying on traditional centralized or even typical distributed command-and-control servers, compromised nodes use the DHT protocol to locate and connect with other peers in the network. This decentralized approach makes the botnet highly resilient to takedown attempts, as there is no single point of failure.

The malware also incorporates clever timing mechanisms. It connects to Network Time Protocol (NTP) servers to fetch the current time and combines this with host uptime information to generate hashes. These hashes are then used to locate other peers in the decentralized network, enabling the botnet to receive commands and download additional files as needed.

The Doppelgänger Proxy Service

Infected devices are marketed through a proxy service called Doppelgänger (doppelganger[.]shop), which researchers assess is a rebrand of Faceless, another proxy service previously associated with TheMoon malware. Doppelgänger claims to offer resident proxies in over 50 countries with "100% anonymity."

The service reportedly launched in May/June 2025, suggesting a relatively recent but rapidly growing operation. The connection between KadNap and Doppelgänger indicates a sophisticated business model where malware operators not only compromise devices but also monetize them through proxy services.

Device-Specific Targeting and C2 Infrastructure

Analysis has revealed that not all compromised devices communicate with every command-and-control server, suggesting the infrastructure is organized based on device type and model. This targeted approach allows the operators to optimize their proxy services for specific device capabilities and geographic locations.

Security Recommendations for Users

For users running SOHO (Small Office/Home Office) routers and other edge devices, security experts recommend several protective measures:

  • Keep devices updated with the latest firmware
  • Reboot routers regularly to disrupt potential malware operations
  • Change default passwords to strong, unique credentials
  • Secure management interfaces by disabling remote access when not needed
  • Replace end-of-life devices that no longer receive security updates

Broader Implications for Network Security

The emergence of KadNap highlights the evolving sophistication of malware targeting edge devices. By combining peer-to-peer networking protocols with traditional botnet functionality, attackers have created a system that is both powerful and difficult to detect or disrupt.

"The KadNap botnet stands out among others that support anonymous proxies in its use of a peer-to-peer network for decentralized control," Lumen concluded. "Their intention is clear: avoid detection and make it difficult for defenders to protect against."

The discovery of KadNap comes alongside other significant cybersecurity developments, including the emergence of ClipXDaemon, a new Linux threat targeting cryptocurrency users by intercepting and altering copied wallet addresses in X11 environments.

As edge devices continue to proliferate in homes and businesses worldwide, the security of these often-overlooked devices becomes increasingly critical. The KadNap campaign serves as a stark reminder that routers and other network infrastructure can be powerful tools in the hands of cybercriminals when left unprotected.
