
A newly discovered botnet malware called KadNap is targeting ASUS routers and other edge networking devices to turn them into proxies for malicious traffic.
Since August 2025, KadNap has grown to 14,000 devices that are part of a peer-to-peer network and connect to the command-and-control (C2) infrastructure through a custom version of the Kademlia Distributed Hash Table (DHT) protocol.
This makes identifying and disrupting the C2 servers more difficult because the information is decentralized, and each node manages a subset of the complete data.
According to researchers at Black Lotus Labs, the threat research and operations arm of Lumen Technologies, nearly half of the KadNap network is connected to C2 infrastructure dedicated to ASUS-based bots, and the rest communicate with two separate control servers.
Most infected devices are located in the United States, which accounts for 60% of the total, followed by significant percentages in Taiwan, Hong Kong, and Russia.

Source: Black Lotus Labs
Kademlia-based communication
A KadNap infection begins with downloading a malicious script (aic.sh) from 212.104.141[.]140, which establishes persistence via a cron job that runs every 55 minutes. The payload is an ELF binary named kad, which installs the KadNap client.
Once active, the malware determines the host’s external IP address and contacts multiple Network Time Protocol (NTP) servers to obtain the current time and system uptime.

Source: Black Lotus Labs
For evasion and resistance to takedowns, KadNap uses a modified Kademlia-based DHT protocol to locate botnet nodes and the C2 infrastructure.
“KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring,” the researchers explain.
“Infected devices use the DHT protocol to locate and connect with a command-and-control (C2) server, while defenders cannot easily find and add those C2s to threat lists.”
The researchers discovered that KadNap’s implementation of Kademlia is undermined by a consistent connection to two specific nodes, which occurs before a bot reaches the C2 servers. This reduces the decentralization the protocol could achieve in the ideal case and makes it possible to identify the control infrastructure.
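As an added illustration of the weakness described above (example code, not Black Lotus Labs' tooling or data): when every infected host contacts the same two rendezvous nodes before reaching the C2, those destinations stand out in connection logs as peers shared by nearly all bots, which a healthy Kademlia overlay should not show. The flow records, the rendezvous addresses (10.0.0.1/10.0.0.2) and the crontab text are constructed placeholders; the 212.104.141[.]140 download host, the aic.sh name and the 55-minute cadence come from the article, while the exact `*/55` cron syntax is an assumption.

```python
import re
from collections import defaultdict

# Constructed flow records (not real telemetry): (infected_host, destination_ip).
# Each host talks to a different slice of the DHT, but all of them also touch
# the same two rendezvous nodes (placeholders 10.0.0.1 / 10.0.0.2), and one
# host reached the aic.sh download address reported by Black Lotus Labs.
FLOWS = [
    ("host-a", "10.0.0.1"), ("host-a", "10.0.0.2"), ("host-a", "10.1.1.5"),
    ("host-a", "212.104.141.140"),
    ("host-b", "10.0.0.1"), ("host-b", "10.0.0.2"), ("host-b", "10.1.1.9"),
    ("host-c", "10.0.0.1"), ("host-c", "10.0.0.2"), ("host-c", "10.1.2.7"),
    ("host-d", "10.0.0.1"), ("host-d", "10.0.0.2"), ("host-d", "10.1.1.5"),
]

KNOWN_LOADER_HOSTS = {"212.104.141.140"}  # aic.sh download host from the report

# Constructed crontab; the "*/55" schedule form is an assumption about how a
# "runs every 55 minutes" job would be written.
CRONTAB = "0 3 * * * /usr/bin/backup.sh\n*/55 * * * * /tmp/aic.sh >/dev/null 2>&1\n"
CRON_IOC = re.compile(r"^\*/55 \* \* \* \*.*\b(aic\.sh|kad)\b")


def rendezvous_candidates(flows, min_fraction=0.9):
    """Return peers contacted by at least `min_fraction` of distinct infected hosts.

    In a well-formed Kademlia overlay each node talks to a small, varied subset
    of peers, so no single destination should appear across nearly every host.
    Destinations that do are candidate rendezvous/bootstrap nodes."""
    hosts = {h for h, _ in flows}
    callers_by_dst = defaultdict(set)
    for host, dst in flows:
        callers_by_dst[dst].add(host)
    return sorted(dst for dst, callers in callers_by_dst.items()
                  if len(callers) / len(hosts) >= min_fraction)


def hosts_contacting_loader(flows, loader_hosts=KNOWN_LOADER_HOSTS):
    """Hosts that reached a known loader host, i.e. likely fetched aic.sh."""
    return sorted({h for h, dst in flows if dst in loader_hosts})


def suspicious_cron_lines(crontab_text):
    """Crontab entries matching the 55-minute aic.sh/kad persistence pattern."""
    return [ln for ln in crontab_text.splitlines() if CRON_IOC.search(ln)]


if __name__ == "__main__":
    print("candidate rendezvous nodes:", rendezvous_candidates(FLOWS))
    print("hosts that fetched the loader:", hosts_contacting_loader(FLOWS))
    print("suspicious cron entries:", suspicious_cron_lines(CRONTAB))
```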

Source: Black Lotus Labs
Monetizing KadNap
Black Lotus Labs researchers say that the KadNap botnet is linked to the Doppelganger proxy service, believed to be a rebrand of the Faceless service, previously associated with the TheMoon malware botnet, which also targeted ASUS routers.
Doppelganger sells access to infected devices as residential proxies that can be used to funnel malicious traffic, create pseudonymization layers, and evade blocklists.

Source: Black Lotus Labs
These services are typically used to launch distributed denial-of-service (DDoS), credential stuffing, and brute-force attacks, all of which initially trace back to KadNap victims.
Lumen has taken proactive measures against the KadNap botnet. The company says that at the time of publishing this article, it “blocked all network traffic to or from the control infrastructure.”
The disruption is only on Lumen’s network, and a list of indicators of compromise will be released to help others disrupt the botnet on their end.
