The newly observed KadNap botnet is actively compromising Asus routers and other network devices, enrolling them into a peer-to-peer residential proxy network. Since August 2025, this campaign has infected an estimated 14,000 devices, giving attackers access to thousands of legitimate home and small-office IP addresses for hiding malicious traffic.
KadNap botnet scale, targets, and affected regions
According to research from Black Lotus Labs (Lumen Technologies), KadNap organizes compromised devices into a P2P (peer-to-peer) botnet, avoiding a single central command server. This decentralised design improves resilience and complicates takedown efforts.
The operators show a marked preference for Asus routers. Nearly half of KadNap’s control infrastructure is dedicated specifically to Asus hardware, while other device types communicate with two central command-and-control (C2) servers. This split architecture suggests tailored tooling and monetization strategies for different device classes.
Roughly 60% of observed KadNap nodes are located in the United States, with notable clusters in Taiwan and Hong Kong. This distribution aligns with previous router botnets such as Mirai and TheMoon, which similarly exploited consumer and SOHO (small office/home office) networking gear to gain stable, high-availability connections that resemble ordinary user traffic.
Initial compromise: aic.sh script and persistence via cron
The KadNap infection chain begins with the download of a malicious shell script named aic.sh from the IP address 212.104.141[.]140. Once executed, the script establishes persistence using a cron job scheduled to run every 55 minutes. Cron is a standard Unix scheduler used for automated tasks; here it is abused to continually re-launch the malware, ensuring that KadNap survives restarts and basic cleanup efforts.
kad ELF binary, external reconnaissance, and time synchronization
After the script phase, KadNap drops and launches an ELF binary called kad, the main bot client. This component:
— determines the device’s external IP address, revealing how the router appears on the public internet;
— queries multiple NTP (Network Time Protocol) servers to obtain the current network time;
— compares NTP time with local system time to assess clock drift and uptime characteristics.
Time synchronization allows attackers to coordinate activities such as DDoS attacks or large-scale credential-stuffing campaigns across many nodes simultaneously. It also helps evade simple detections based purely on predictable attack schedules or periodic bursts of traffic.
KadNap’s custom Kademlia DHT: hiding C2 inside a P2P overlay
A defining feature of KadNap is its use of a custom implementation of the Kademlia Distributed Hash Table (DHT). A DHT is a distributed index where each node stores only a fragment of the overall data; information is spread across many participants. In KadNap’s case, this architecture is used to obscure C2 infrastructure inside the P2P network rather than exposing a static list of server IPs.
Compromised devices rely on the DHT overlay to discover C2 nodes dynamically. This approach significantly complicates traditional botnet disruption tactics, which often focus on enumerating and blocking a small set of hard-coded command servers. With KadNap, defenders must instead map and analyze a constantly shifting network graph.
Architectural weakness: mandatory bootstrap nodes
Despite its advanced P2P design, Black Lotus Labs identified a structural weakness in KadNap’s Kademlia implementation. Before bots can locate real C2 nodes through the DHT, they must maintain persistent connections to two specific bootstrap nodes. These fixed points partially undermine KadNap’s decentralisation goal.
From a defensive standpoint, this behavior provides a critical foothold. Monitoring, blocking, or sinkholing these bootstrap nodes can reveal substantial portions of the botnet’s infrastructure and disrupt the discovery of active C2 servers, enabling more effective network-level mitigation.
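To make the bootstrap weakness concrete, here is an added toy Kademlia lookup; it is not KadNap's implementation (whose details are not public). The 16-bit ID space, the way the network is built (one contact per XOR-distance bucket) and the choice of two nodes as bootstrap peers are all assumptions. A joining node that knows only the bootstrap peers converges on any target, but with those peers removed it has nobody to ask, which is exactly the chokepoint a defender can watch or sinkhole.

```python
import random

ID_BITS = 16   # assumption: toy ID space (real Kademlia IDs are 160 bits)


def build_network(n, seed=7):
    """Assign n random IDs and give each node a Kademlia-style routing table:
    for every bit i, the live node closest to (own_id XOR 2**i), i.e. one
    contact per XOR-distance bucket."""
    rng = random.Random(seed)
    ids = rng.sample(range(1 << ID_BITS), n)
    tables = {}
    for x in ids:
        tables[x] = {min((y for y in ids if y != x), key=lambda y: y ^ x ^ (1 << i))
                     for i in range(ID_BITS)}
    return ids, tables


def lookup(tables, known_peers, target):
    """Iterative FIND_NODE: starting from the peers a node already knows, hop
    to whichever table entry is XOR-closest to target. Returns (found, path)."""
    if not known_peers:
        return False, []                 # empty routing table: nobody to ask
    current = min(known_peers, key=lambda p: p ^ target)
    path = [current]
    while current != target:
        nxt = min(tables[current], key=lambda p: p ^ target)
        if nxt ^ target >= current ^ target:
            return False, path           # no closer peer known: dead end
        current = nxt
        path.append(current)
    return True, path


def first_contacts(tables, bootstrap, targets):
    """Which peers does every new node touch first? With fixed bootstrap
    nodes the answer is always one of them, so those nodes see every join."""
    return {lookup(tables, bootstrap, t)[1][0] for t in targets}


if __name__ == "__main__":
    ids, tables = build_network(64)
    bootstrap, c2 = ids[:2], ids[-1]     # assumption: two fixed bootstrap peers
    print("with bootstrap:", lookup(tables, bootstrap, c2))
    print("without bootstrap:", lookup(tables, [], c2))
    print("first contacts:", first_contacts(tables, bootstrap, ids[2:]))
```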
Link to Doppelganger residential proxy service and earlier Faceless/TheMoon activity
Researchers assess with high confidence that KadNap is tied to the Doppelganger residential proxy service. Doppelganger appears to offer paying customers access to compromised devices as on-demand residential proxies—intermediary nodes that relay traffic through real home or office IP addresses to conceal its origin.
Doppelganger is likely a rebranding or evolution of the previously documented Faceless proxy service, historically associated with the TheMoon malware family. TheMoon has been extensively linked to prior campaigns compromising Asus routers, indicating a long-standing focus by this threat actor group on exploiting consumer networking equipment for proxy monetization.
Criminal use cases for residential proxy botnets
Residential proxy networks like KadNap-backed Doppelganger are valuable because traffic appears to originate from legitimate users rather than known data centers or VPN ranges. Such infrastructure is frequently abused for:
— DDoS attacks against websites and online services;
— large-scale credential stuffing and brute-force attacks against user accounts;
— automated web scraping, price scraping, and competitive intelligence gathering;
— ad fraud, fake traffic generation, and other online fraud schemes.
This convergence of router malware and commercial proxy services reflects a broader trend: criminals industrialize compromised infrastructure, packaging it as “proxy-as-a-service” products on underground marketplaces.
ISP response and practical recommendations for protecting Asus routers
Lumen Technologies reports that it has already implemented network-level blocks against KadNap, filtering traffic to and from identified elements of the botnet’s command infrastructure within its backbone. The company intends to publish detailed Indicators of Compromise (IoCs) so that other internet service providers, enterprises, and security teams can detect and quarantine infected assets.
Owners of Asus routers and other home or office network devices can significantly reduce their exposure to KadNap and similar threats by following key security practices:
— keep router firmware up to date with the latest vendor patches;
— change default administrator usernames and passwords to unique, strong credentials;
— disable remote administration from the internet unless absolutely necessary;
— limit or disable UPnP and other unnecessary services exposed externally;
— monitor for unusual outbound connections, particularly to unknown IP addresses and unexpected NTP servers;
— if compromise is suspected, perform a factory reset, then reconfigure the device securely from scratch.
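The kad client's NTP fan-out, the 55-minute cron cadence and the advice above to watch outbound connections suggest three simple hunts over a router's connection log. This is an added example, not Lumen's detection logic: the log format, the allowlisted NTP server and the sample lines are constructed, and only the address 212.104.141.140 is taken from the report.

```python
import re
from collections import defaultdict
from datetime import datetime

KNOWN_IOC = {"212.104.141.140"}   # aic.sh download host named in the report
NTP_ALLOWLIST = {"203.0.113.1"}   # assumption: the site's own approved NTP server
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)/(tcp|udp)$")
# Constructed sample log (RFC 5737 test addresses, apart from the published IoC).
SAMPLE_LOG = """2025-09-01T10:00:01 192.168.1.1 -> 212.104.141.140:80/tcp
2025-09-01T10:00:04 192.168.1.1 -> 203.0.113.1:123/udp
2025-09-01T10:00:05 192.168.1.1 -> 198.51.100.9:123/udp
2025-09-01T10:00:05 192.168.1.1 -> 198.51.100.10:123/udp
2025-09-01T10:00:06 192.168.1.1 -> 192.0.2.5:123/udp
2025-09-01T10:01:00 192.168.1.20 -> 203.0.113.1:123/udp
2025-09-01T10:55:02 192.168.1.1 -> 212.104.141.140:80/tcp
2025-09-01T11:50:03 192.168.1.1 -> 212.104.141.140:80/tcp"""


def parse(log_text):
    """Return (timestamp, src, dst, port, proto) tuples for well-formed lines."""
    rows = (LINE_RE.match(line.strip()) for line in log_text.splitlines())
    return [(datetime.fromisoformat(m[1]), m[2], m[3], int(m[4]), m[5]) for m in rows if m]


def ioc_hits(events):
    """Any source talking to a published indicator."""
    return sorted({(s, d) for _, s, d, _, _ in events if d in KNOWN_IOC})


def ntp_fanout(events, min_servers=3):
    """kad probes several NTP servers: flag sources using >= min_servers unexpected ones."""
    seen = defaultdict(set)
    for _, s, d, port, proto in events:
        if proto == "udp" and port == 123 and d not in NTP_ALLOWLIST:
            seen[s].add(d)
    return {s: sorted(d) for s, d in seen.items() if len(d) >= min_servers}


def periodic_beacons(events, period_s=55 * 60, tol_s=120, min_hits=3):
    """Cron relaunches the malware every 55 min: flag pairs whose gaps all sit near that period."""
    times = defaultdict(list)
    for ts, s, d, _, _ in events:
        times[(s, d)].append(ts)
    hits = []
    for key, tss in times.items():
        tss.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(tss, tss[1:])]
        if len(tss) >= min_hits and all(abs(g - period_s) <= tol_s for g in gaps):
            hits.append(key)
    return sorted(hits)
```

Run against real router or firewall logs, the allowlist should hold the NTP servers the device was actually configured with, and the period can be widened if the cron interval differs from the one reported.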
As botnets like KadNap continue to weaponize everyday routers as stealth residential proxy infrastructure, basic network hygiene and proactive monitoring become critical. Treating home and SOHO routers as first-class security assets—regularly maintained, patched, and observed—greatly reduces the likelihood that personal or corporate networks will be quietly folded into the next generation of proxy-for-rent botnets.