A new botnet malware named KadNap has been identified targeting ASUS routers and various edge networking devices to build a decentralized proxy network. Since August 2025, the botnet has infected approximately 14,000 devices, utilizing a custom implementation of the Kademlia Distributed Hash Table (DHT) protocol to hide its command-and-control (C2) infrastructure. By decentralizing communication, the threat actors make it significantly harder for security researchers to identify and block the primary control servers.
Researchers at Black Lotus Labs have linked KadNap to the Doppelganger proxy service, a suspected rebrand of the Faceless service previously associated with TheMoon malware. The infection typically begins with a malicious script that establishes persistence via a cron job, followed by the deployment of an ELF binary. The compromised devices are then sold as residential proxies to facilitate malicious activities such as DDoS attacks, credential stuffing, and brute-force campaigns. While the botnet is designed for evasion, Lumen Technologies has successfully implemented network blocks to disrupt traffic to the identified C2 infrastructure.