A newly discovered botnet malware dubbed KadNap has compromised approximately 14,000 ASUS routers and edge networking devices since August 2025. The malware utilizes a custom implementation of the Kademlia Distributed Hash Table (DHT) protocol to create a decentralized peer-to-peer network, making it difficult for defenders to locate and block the command-and-control (C2) infrastructure. Initial infection occurs via a malicious script that establishes persistence through a cron job before installing an ELF binary payload.
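To illustrate why a Kademlia-style DHT leaves defenders no single C2 node to cut off, here is an added toy simulation (written for this page, not KadNap's code): a 40-node XOR-metric network is built, a rendezvous key is looked up, the nearest node found is blocked, and the lookup is repeated and still converges on live peers. The node labels, the key name and k=3 are constructed assumptions.

```python
import hashlib

K = 3  # peers kept per bucket and returned per lookup (Kademlia's k, assumed)

def node_id(label: str) -> int:
    """160-bit ID from a label, like a Kademlia node or key ID (constructed)."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big")

def closest(target: int, ids, k: int = K) -> list:
    """The k IDs with the smallest XOR distance to target, nearest first."""
    return sorted(ids, key=lambda i: i ^ target)[:k]

def build_network(labels, k: int = K) -> dict:
    """Routing table per node: up to k peers in each XOR-distance bucket
    (bucket index = highest differing bit), as Kademlia's k-buckets do."""
    ids = [node_id(label) for label in labels]
    net = {}
    for i in ids:
        buckets = {}
        for j in ids:
            if j != i:
                buckets.setdefault((i ^ j).bit_length(), []).append(j)
        net[i] = [p for bucket in buckets.values() for p in bucket[:k]]
    return net

def find_node(target: int, start: int, net: dict, k: int = K) -> list:
    """Iterative FIND_NODE: query closest known peers, merge their tables,
    stop when no closer unqueried live peer remains."""
    queried, shortlist = set(), closest(target, [start] + net[start], k)
    while True:
        pending = [p for p in shortlist if p not in queried and p in net]
        if not pending:
            return shortlist
        for p in pending:
            queried.add(p)
            shortlist = closest(target, set(shortlist) | set(net[p]), k)

def block_nodes(net: dict, blocked: set) -> dict:
    """Model defenders cutting traffic to some nodes: they vanish from the
    network and from every remaining node's routing table."""
    return {i: [p for p in peers if p not in blocked]
            for i, peers in net.items() if i not in blocked}

def demo() -> dict:
    """Look up a rendezvous key, block the nearest node found, look up again."""
    net = build_network(f"router-{n:02d}" for n in range(40))
    key, start = node_id("rendezvous-key"), node_id("router-00")
    before = find_node(key, start, net)
    blocked = {next(p for p in before if p != start)}  # one "known control node"
    after = find_node(key, start, block_nodes(net, blocked))
    return {"before": before, "blocked": blocked, "after": after}
```

The second lookup succeeds without the blocked node, which is why blocking individual control nodes degrades but does not dismantle a DHT-based botnet.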
Black Lotus Labs has linked the KadNap botnet to the Doppelganger proxy service, which is believed to be a successor to the Faceless proxy service previously tied to TheMoon botnet. The hijacked devices are monetized as residential proxies, letting cybercriminals route activities such as DDoS attacks and credential stuffing through victim IP addresses to mask their origin. The majority of victims are currently located in the United States, and security researchers have begun taking proactive measures by blocking network traffic to known control nodes.