4,000+ Routers Compromised by KadNap Malware Exploiting Vulnerabilities

A newly uncovered malware campaign known as KadNap has silently infected over 14,000 internet-connected routers and edge devices, primarily targeting Asus models.

Over 60% of the known victims reside in the United States, with additional infections detected in Taiwan, Hong Kong, Russia, and other countries. How KadNap Infects Routers

The operation was initially detected in early August 2025 when more than 10,000 Asus devices were observed connecting to a cluster of suspicious servers.

Security research reveals a malicious download chain beginning with a shell script hosted at 212.104.141[.]140 named aic.sh, which establishes persistence and stages the KadNap payload.

aic.sh script initializing a cron job to run every hour (Source : Lumen’s Black Lotus).
 aic.sh script initializing a cron job to run every hour (Source : Lumen’s Black Lotus).

The script creates an hourly cron job that repeatedly retrieves a malicious shell script, renames it to “.asusrouter,” and executes it from the /jffs/.asusrouter path. This ensures the compromise survives reboots and configuration changes.

Discovered by Lumen’s Black Lotus Labs, the campaign has been active since at least August 2025. The compromised devices are now being used to route malicious traffic through home and small office networks globally.

Once persistence is established, the script pulls down an ELF binary for the router, renames it to “kad,” and executes it – this is the KadNap malware itself.

Samples have been identified for both ARM and MIPS architectures, enabling attackers to target a wide range of consumer and edge networking hardware beyond Asus models.

During initialization, KadNap daemonizes itself by forking and redirecting STDIN, STDOUT and STDERR to /dev/null. It then determines the device’s external IP address and synchronizes time with public NTP servers. The gathered time and uptime values are later used to construct cryptographic hashes that drive peer-to-peer communications.

Abusing Kademlia to Hide C2

KadNap’s most notable feature is its custom implementation of the Kademlia Distributed Hash Table (DHT) protocol, a peer-to-peer system also used in BitTorrent and eMule for decentralized lookups.

KadNap trying multiple different NTP servers for added resilience in the effect one is not active or reachable (Source : Lumen’s Black Lotus).
 KadNap trying multiple different NTP servers for added resilience in the effect one is not active or reachable (Source : Lumen’s Black Lotus).

In this botnet, Kademlia is repurposed to conceal the true IP addresses of command-and-control (C2) servers. Infected devices use DHT lookups to discover C2 endpoints. However, defenders only see noisy, seemingly benign P2P traffic that resists traditional blocklisting.

This design makes it difficult for security teams to enumerate and block KadNap’s infrastructure, giving operators resilience against sinkholing and takedowns.

Internally, KadNap spawns multiple threads to implement this logic. A “find peers” thread uses known BitTorrent bootstrap nodes, NTP-derived XOR keys, and SHA-1 hashes of hardcoded strings to craft a custom infohash that leads it to other KadNap-infected peers.

A separate “contact peers” thread reads peer IP:port entries from a pipe, connects to them, decrypts responses with hardcoded keys, and establishes AES-protected channels for further encrypted command traffic and secondary payload downloads such as fwr.sh and .sose.

Although KadNap uses a peer-to-peer model, researchers found a critical flaw in the operators’ custom Kademlia implementation.

In a properly functioning Kademlia network, the final hop before reaching a resource changes over time, reflecting true decentralization. However, all KadNap samples examined since August 2025 consistently contacted the same two final nodes, 45.135.180[.]38 and 45.135.180[.]177 immediately before reaching the C2 servers.

Prior to connecting to a C2, victims always contact one of two final nodes directly before becoming operational (Source : Lumen’s Black Lotus).
 Prior to connecting to a C2, victims always contact one of two final nodes directly before becoming operational (Source : Lumen’s Black Lotus).

This fixed “chokepoint” structure suggests attackers maintain long-lived, centrally controlled peers to retain strong operational control over the botnet while still benefiting from P2P traffic cover.

Monetization via Doppelganger Proxy Service

Once enrolled, KadNap bots are monetized through a residential proxy service called “Doppelganger,” which appears to be a direct rebrand of the Faceless platform previously powered by TheMoon malware.

The victims are distributed across several countries, with 60% located in the United States and 5% each in Taiwan, Hong Kong and Russia.

KadNap victim locations (Source : Lumen’s Black Lotus).
 KadNap victim locations (Source : Lumen’s Black Lotus).

Doppelganger markets access to these hijacked devices as highly anonymous residential proxies. This enables cybercriminals to conduct brute-force attacks, account takeovers and targeted exploitation while hiding behind the IP addresses of ordinary home users.

Because the botnet’s infrastructure is segmented by device type and model, not all infected routers talk to every C2 server, complicating attribution and making malicious activity harder to link back to specific campaigns.

 KadNap victims over time (Source : Lumen’s Black Lotus).
 KadNap victims over time (Source : Lumen’s Black Lotus).

According to Lumen, the KadNap botnet has stabilized at an average of around 14,000 distinct infected devices per day, with three to four active C2s in use at any time.

For network defenders, the campaign underscores the growing risk posed by vulnerable SOHO and IoT devices, highlighting the importance of actions such as disabling remote administration, applying the latest firmware updates, and enforcing strong router credentials.

Lumen reports that it has proactively blocked traffic to and from KadNap control infrastructure across its backbone and will be sharing indicators of compromise via public feeds to help the wider security community disrupt this threat, also acknowledging Spur’s role in tying the infrastructure to Doppelganger.

Related Articles

Back to top button