KadNap Botnet Hijacks 14,000+ ASUS Routers Using Novel Kademlia DHT Protocol for Stealth C2

A newly discovered botnet called KadNap is turning ASUS routers and edge networking devices into covert proxies for cybercriminal operations. Since August 2025, the malware has infected over 14,000 devices across the globe, with researchers from Black Lotus Labs (Lumen Technologies) revealing a sophisticated command-and-control (C2) infrastructure that leverages a customized version of the Kademlia Distributed Hash Table (DHT) protocol to evade detection.

Why Kademlia Makes KadNap Dangerous

The Kademlia DHT protocol is typically used in legitimate peer-to-peer applications for distributed data storage. KadNap weaponizes this technology to decentralize its C2 infrastructure, making it significantly harder for defenders to identify and block control servers.

“KadNap employs a custom version of the Kademlia DHT protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring,” Black Lotus Labs researchers explain. “Infected devices use the DHT protocol to locate and connect with a C2 server, while defenders cannot easily find and add those C2s to threat lists.”

Global Infection Distribution

The United States accounts for 60% of all infected devices, followed by significant concentrations in Taiwan, Hong Kong, and Russia. Nearly half of the KadNap network connects to C2 infrastructure specifically dedicated to ASUS-based bots, with the remainder communicating through two separate control servers.

Infection Chain: From Script to Persistence

KadNap infections begin with a malicious shell script (aic.sh) downloaded from 212.104.141[.]140. The script:

  • Establishes persistence via a cron job that executes every 55 minutes
  • Downloads an ELF binary named kad that installs the KadNap client
  • Determines the host’s external IP address
  • Contacts multiple NTP servers to obtain current time and system uptime

Monetization Through Proxy-as-a-Service

Black Lotus Labs has linked KadNap to the Doppelganger proxy service, believed to be a rebrand of the notorious Faceless service previously associated with the TheMoon malware botnet, which also targeted ASUS routers.

Doppelganger sells access to infected devices as residential proxies, enabling threat actors to:

  • Route malicious traffic through legitimate residential IPs
  • Create pseudonymization layers for operational security
  • Evade IP-based blocklists and security controls
  • Launch DDoS attacks, credential stuffing, and brute-force campaigns

Disruption Efforts Underway

Lumen has taken proactive measures against KadNap, blocking all network traffic to and from the known control infrastructure on its own network. However, the botnet’s use of DHT-based C2 makes complete disruption challenging.

Researchers discovered a weakness in KadNap’s Kademlia implementation: infected devices consistently connect to two specific nodes before reaching C2 servers, which undermines the full decentralization the protocol could achieve.

Indicators of Compromise

Network IOCs:

  • Initial payload server: 212.104.141[.]140
  • Initial script: aic.sh
  • Payload binary: kad (ELF executable)

Defensive Recommendations

  1. Update router firmware — Ensure ASUS routers run the latest firmware with security patches
  2. Disable remote management — Turn off WAN-side administration if not required
  3. Monitor cron jobs — Check for unauthorized scheduled tasks running at unusual intervals (55 minutes)
  4. Block known IOCs — Add the payload server IP to network blocklists
  5. Check for unusual outbound connections — Monitor for DHT-like P2P traffic patterns from edge devices
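Recommendations 3 and 4 above (audit cron jobs, match known IOCs) can be checked mechanically on a device's crontab dump. The following Python script is an added example written for this article, not code from Black Lotus Labs or BleepingComputer. It assumes the crontab has been copied off the router as text; the `SAMPLE_CRONTAB` content, the `/tmp/` paths and the job names are constructed for illustration and only the payload IP, the `aic.sh` script name and the `kad` binary name come from the article. The 55-minute cadence is expressed as a `*/55` minute field, which is how such a job is normally written in crontab syntax (it fires at :00 and :55 of each hour).

```python
import re

# IOCs named in the article. The IP is re-fanged here because crontab entries
# would contain the plain dotted form, not the "[.]" defanged form.
PAYLOAD_SERVER = "212.104.141.140"
IOC_PATTERNS = (
    ("payload server " + PAYLOAD_SERVER, re.compile(re.escape(PAYLOAD_SERVER))),
    ("initial script aic.sh", re.compile(r"\baic\.sh\b")),
    ("payload binary kad", re.compile(r"(?:^|/)kad\b")),
)

# The article reports a persistence job that fires every 55 minutes.
SUSPECT_INTERVAL_MINUTES = 55


def cron_interval_minutes(schedule):
    """Return N for a minute field of the form '*/N' with a wildcard hour field,
    otherwise None. Only this common step form is handled; it is enough to
    catch the cadence described in the article."""
    fields = schedule.split()
    if len(fields) < 5:
        return None
    match = re.fullmatch(r"\*/(\d+)", fields[0])
    if match and fields[1] == "*":
        return int(match.group(1))
    return None


def audit_crontab(text):
    """Scan crontab text and return (line_number, entry, reasons) for every
    entry that references a known IOC or runs on the suspect 55-minute step."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue  # blank lines and comments carry no schedule
        reasons = []
        for label, pattern in IOC_PATTERNS:
            if pattern.search(entry):
                reasons.append("matches IOC: " + label)
        # Classic five-field schedule followed by the command; '@reboot'-style
        # entries have no field schedule and are only IOC-checked.
        parts = entry.split(None, 5)
        if len(parts) == 6:
            interval = cron_interval_minutes(" ".join(parts[:5]))
            if interval == SUSPECT_INTERVAL_MINUTES:
                reasons.append("minute field */%d matches reported cadence" % interval)
        if reasons:
            findings.append((lineno, entry, reasons))
    return findings


# Constructed sample crontab (not a real capture). The two benign lines show
# that ordinary maintenance jobs are not flagged.
SAMPLE_CRONTAB = """\
# constructed sample for illustration
0 3 * * * /sbin/logrotate
*/55 * * * * /tmp/aic.sh > /dev/null 2>&1
*/5 * * * * /usr/bin/ntpdate pool.ntp.org
@reboot /tmp/kad
"""

if __name__ == "__main__":
    for lineno, entry, reasons in audit_crontab(SAMPLE_CRONTAB):
        print("line %d: %s" % (lineno, entry))
        for reason in reasons:
            print("    - " + reason)
```

Run it against `crontab -l` output (or the contents of the cron spool directory) collected from the device; an entry can be flagged for more than one reason, and a hit on the interval alone is only a lead, since any legitimate job could use the same step. The IOC patterns are the ones the article publishes and should be extended as further indicators are released.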

Source: BleepingComputer | Black Lotus Labs