KadNap bot compromises 14,000+ devices to route malicious traffic
Summary: KadNap malware has infected more than 14,000 devices, mainly ASUS routers, turning them into a proxy botnet used to route malicious traffic. The malware uses the Kademlia protocol to hide its command infrastructure and operates through the Doppelganger service.

2026-3-11 09:3:38 Author: securityaffairs.com


KadNap malware infects 14,000+ edge devices, mainly Asus routers, turning them into a stealth proxy botnet used to route malicious internet traffic.

KadNap malware infects more than 14,000 edge devices, mainly ASUS routers, and turns them into a proxy botnet used to route malicious traffic. First detected in August 2025, the campaign heavily targets the United States, which accounts for over 60% of infections. Researchers also observed victims across several countries, including Taiwan, Hong Kong, the U.K., Brazil, France, Italy, and Spain.

The malware hides its command infrastructure using a peer-to-peer system based on the Kademlia protocol, making detection harder. Infected devices route malicious traffic through a proxy service called Doppelganger, likely a rebrand of the Faceless network linked to TheMoon malware.

In August 2025, researchers identified over 10,000 ASUS routers communicating with suspicious servers. A malicious script downloaded and installed KadNap malware, setting up persistence through scheduled tasks and executing a malicious binary. Using a custom version of the Kademlia peer-to-peer system allows the malware to hide command-and-control servers, and infected devices to locate them without exposing their real IP addresses.

“KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring.” reads the report published by Lumen. “Infected devices use the DHT protocol to locate and connect with a command-and-control (C2) server, while defenders cannot easily find and add those C2s to threat lists.”

KadNap installs as an ELF binary on infected devices and runs on both ARM and MIPS systems. The bot hides activity by redirecting input and output to /dev/null, then collects the device’s external IP and synchronizes time using public NTP servers. The malware uses this data to generate hashes and join a peer-to-peer network based on the Kademlia protocol.

It connects to peers, exchanges encrypted data, and downloads additional payloads such as scripts that modify firewall rules or open new communication channels.

KadNap “find_peers” implementation of the Kademlia DHT protocol. Creates a custom hash and then stores that value.

One payload stores command-and-control addresses, allowing the malware to contact remote servers, receive instructions, and execute files. This process lets infected devices join the botnet and maintain persistent communication with the attacker’s infrastructure.

Analysis shows KadNap uses a weak custom implementation of the Kademlia network. Instead of dynamically reaching different peers, infected devices always contact the same two intermediary nodes before connecting to command-and-control servers.

“In a true Kademlia peer-to-peer network, the final peer changes over time, reflecting its decentralized nature. However, in analyzing our KadNap samples dating back to August 2025, we consistently found the same two final hop nodes before reaching the C2 servers.” continues the report. “This indicates the attackers maintain persistent nodes to retain control over the network. Those two longstanding nodes were 45.135.180[.]38 and 45.135.180[.]177.”
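Because those two hop nodes are static rather than rotating as a real Kademlia DHT would, they are straightforward to hunt for in outbound flow logs. The following is an added example, not code from the report or the article: a small Python detector that reads constructed flow records (the key=value layout is an assumption; adapt the regex to your collector), flags internal hosts that contacted the two nodes quoted above, and rates a host that reached both as matching the pattern the report describes.

```python
import re
from collections import defaultdict

# Persistent "final hop" nodes quoted in the Lumen report, kept in defanged form.
KADNAP_HOP_NODES = frozenset({"45.135.180[.]38", "45.135.180[.]177"})

def refang(ioc: str) -> str:
    """Turn a defanged indicator like 45.135.180[.]38 into a matchable IP string."""
    return ioc.replace("[.]", ".")

HOP_NODE_IPS = frozenset(refang(ip) for ip in KADNAP_HOP_NODES)

# Assumed flow record layout: "<timestamp> src=<ip> dst=<ip>". Not a real collector format.
FLOW_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)$")

def parse_flow(line: str):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    return m.groupdict() if m else None

def find_kadnap_contacts(lines):
    """Return {src_ip: sorted hop nodes contacted} for every host that reached
    at least one of the persistent KadNap hop nodes."""
    hits = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow and flow["dst"] in HOP_NODE_IPS:
            hits[flow["src"]].add(flow["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}

def classify(contacts):
    """Both nodes reached matches the report's description of infected devices;
    a single node is a weaker signal worth triage."""
    return {src: ("likely-kadnap" if len(dsts) == len(HOP_NODE_IPS) else "suspicious")
            for src, dsts in contacts.items()}

# Constructed sample records for demonstration; not real traffic.
SAMPLE_FLOWS = [
    "2025-08-14T02:11:07Z src=192.168.1.1 dst=45.135.180.38",
    "2025-08-14T02:11:09Z src=192.168.1.1 dst=45.135.180.177",
    "2025-08-14T02:12:30Z src=192.168.1.20 dst=198.51.100.7",
    "2025-08-14T02:13:02Z src=192.168.1.50 dst=45.135.180.177",
    "malformed record that the parser skips",
]

if __name__ == "__main__":
    found = find_kadnap_contacts(SAMPLE_FLOWS)
    for src, verdict in classify(found).items():
        print(f"{src}: {verdict} (contacted {', '.join(found[src])})")
```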

The experts conclude that the KadNap botnet differs from many proxy botnets because it uses a decentralized peer-to-peer network based on the Kademlia protocol.

“Their intention is clear: avoid detection and make it difficult for defenders to protect against. KadNap’s bots are sold through Doppelganger, a service whose users leverage these hijacked devices for a range of malicious purposes, including brute-force attacks and highly targeted exploitation campaigns.” concludes the report. “As a result, every IP address associated with this botnet represents a significant, persistent risk to organizations and individuals alike.”


Pierluigi Paganini

(SecurityAffairs – hacking, botnet)




Source: https://securityaffairs.com/189251/malware/kadnap-bot-compromises-14000-devices-to-route-malicious-traffic.html