
Security researchers have uncovered a malware operation that has infected about 14,000 routers and network devices, most of them produced by Asus, and incorporated them into a distributed proxy network used to carry internet traffic for cybercrime.
The malware, called KadNap, was discovered by researchers at Black Lotus Labs, the research division of Lumen Technologies. According to Chris Formosa, a researcher at Black Lotus Labs who spoke with Ars Technica, the malware spreads by exploiting vulnerabilities that device owners have not patched.
The high number of infected Asus routers appears linked to attackers obtaining reliable exploits that affect those models. Formosa said it is “unlikely” the attackers used zero-day vulnerabilities during the campaign.
KadNap activity first appeared in August 2025, when a Lumen detection algorithm that scans for suspicious networks detected over 10,000 Asus devices communicating with the same infrastructure. Investigation of those servers uncovered the malicious software responsible for the communication. Since that discovery, the network has grown and stabilized. Black Lotus Labs says the botnet now averages about 14,000 infected devices per day.
The infected devices are distributed internationally. More than 60% of victims are located in the United States, with additional infections reported in Taiwan, Hong Kong, and Russia, as well as across Europe and Australia. Although Asus routers account for the majority of infections, researchers also detected the malware on other edge networking and IoT devices.
The malware’s architecture differs from many traditional botnets. Instead of relying on centralized command servers, KadNap uses a peer-to-peer network based on the Kademlia distributed hash table (DHT). This design conceals the location of command infrastructure and complicates attempts to block the network.
Formosa and Black Lotus Labs researcher Steve Rudd explained the design in their research report: “The KadNap botnet stands out among others that support anonymous proxies in its use of a peer-to-peer network for decentralized control. Their intention is clear: avoid detection and make it difficult for defenders to protect against.”
The Kademlia DHT protocol has been used in peer-to-peer systems such as BitTorrent, eMule, I2P, and Ethereum. In a distributed hash table, devices query other nodes in the network to locate information instead of requesting it from a central server. Nodes exchange hashed identifiers that represent resources or peers. Each node stores keys associated with other nodes and organizes them based on similarity to its own identifier. The distance between two identifiers is their XOR value read as an integer; this gives every pair of nodes a well-defined distance and lets a node judge which of its peers lie closer to a target key.
When a node searches for a resource, it sends a request to peers whose identifiers appear closest to the target key. Each of those peers returns the addresses of nodes closer to the target. The process continues until the correct node is located. The distributed design spreads information across many nodes and improves resilience. If one node leaves the network, other nodes continue answering requests. Because no single server controls the system, taking down the network requires disconnecting all participating nodes.
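The lookup described above, as an added simulation that is not part of the Black Lotus Labs report or of KadNap itself: a toy 8-bit identifier space with XOR distance, per-bit k-buckets, and an iterative FIND_NODE walk that stops once the K closest known peers have all answered. The node IDs, bucket size K, and all function names are constructed for the illustration.

```python
import random

ID_BITS = 8   # toy ID space; production DHTs use 160-bit IDs
K = 3         # bucket size and how many contacts a FIND_NODE reply carries

def xor_distance(a: int, b: int) -> int:
    """Kademlia metric: XOR the two identifiers and read the result as an integer."""
    return a ^ b

class Node:
    def __init__(self, node_id: int):
        self.node_id = node_id
        self.contacts: list[int] = []   # routing table: IDs of known peers

    def find_node(self, target: int) -> list[int]:
        """Answer a FIND_NODE query with the K known peers closest to target."""
        return sorted(self.contacts, key=lambda c: xor_distance(c, target))[:K]

def build_network(ids: list[int]) -> dict[int, Node]:
    """Fill each routing table with up to K peers per k-bucket; bucket j holds
    peers whose first differing bit from this node is bit j."""
    nodes = {i: Node(i) for i in ids}
    for n in nodes.values():
        for j in range(ID_BITS):
            bucket = [i for i in ids if i != n.node_id
                      and (i ^ n.node_id).bit_length() - 1 == j]
            n.contacts += sorted(bucket, key=lambda c: xor_distance(c, n.node_id))[:K]
    return nodes

def iterative_lookup(nodes: dict[int, Node], start_id: int, target: int):
    """Ask the closest known peers for closer ones until the K closest have all
    been queried; returns (closest ID found, number of queries sent)."""
    shortlist, queried, queries = {start_id}, set(), 0
    while True:
        closest = sorted(shortlist, key=lambda c: xor_distance(c, target))[:K]
        pending = [c for c in closest if c not in queried]
        if not pending:          # nobody left to ask: the walk has converged
            return closest[0], queries
        for peer in pending:
            queried.add(peer)
            queries += 1
            shortlist.update(nodes[peer].find_node(target))

def closest_existing(nodes: dict[int, Node], target: int) -> int:
    """Ground truth for checking the walk: the live node nearest to target."""
    return min(nodes, key=lambda i: xor_distance(i, target))

if __name__ == "__main__":
    net = build_network(random.Random(7).sample(range(2 ** ID_BITS), 40))
    found, sent = iterative_lookup(net, next(iter(net)), 0xA5)
    print(f"closest node to 0xA5: {found:#04x} after {sent} queries")
```

Because every k-bucket that has any member keeps at least one contact, each queried node can always name a peer sharing a longer prefix with the target, which is why the walk ends at the globally closest node rather than a local one.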
Researchers described the lookup process through a simple analogy. “To better understand this system, think of Kademlia like using a chain of friends to find someone’s phone number: each friend does not know the whole number but knows someone who can get you closer to the answer. Passing your request along this chain, you quickly put together the whole phone number.”
Formosa described how KadNap uses this system to locate command infrastructure. “You first reach out to some entry BitTorrent nodes and basically say ‘hey I have this secret passphrase. I’m looking for who to give it to.’ So you give it to a couple of nearby ‘neighbors,’ and they say ‘ah ok I don’t fully understand this passphrase but it’s kind of familiar and here are some people who may know what that means.’ So now you go to those neighbors and the process continues. Eventually, you reach someone who says ‘Yes! This is my passphrase, welcome in.’ In our case, when we reach this person, they say here is a file to firewall port 22 and then here is a second file containing the C2 address you want to connect to.”
After attackers gain access to a vulnerable device, the infection begins with a script called aic.sh downloaded from the server 212.104.141[.]140. The script creates persistence by installing a cron job scheduled to run every hour at the 55-minute mark. The job downloads the malicious script repeatedly, renames it “.asusrouter”, and runs it from the /jffs/.asusrouter location.
The script then downloads a malicious ELF executable designed for Asus routers, renames it kad, and runs it. Versions compiled for ARM and MIPS processors enable the malware to run on several networking devices.
During initialization, the malware forks into the background and redirects STDIN, STDOUT, and STDERR to /dev/null. It determines the router’s external IP address and stores that value internally. The program then attempts to contact Network Time Protocol servers until it retrieves the current time. The server list includes time-a.nist.gov, time-b.nist.gov, time.windows.com, ntp.asql.co.uk, and chronos.csr.net. The retrieved time and the device’s uptime are later used to generate values used during peer discovery.
Once initialization completes, the malware connects to the BitTorrent network through bootstrap nodes. It constructs a custom distributed hash table request to locate other infected devices. The request uses a custom infohash generated from a hard-coded 0x40-byte string combined with an XOR key derived from time and uptime data. The string is:
6YL5aNSQv9hLJ42aDKqmnArjES4jxRbfPTnZDdBdpRhJkHJdxqMQmeyCrkg2CBQg
The malware hashes the value using SHA-1, inserts the result into the “pieces” field of a bencoded message, hashes the entire message again, and sends it to the distributed network to locate peers.
Once another node responds, the infected router reads six bytes representing the peer’s IP address and port, connects to that node, and receives a 0x1000-byte buffer. The data is decrypted with a hard-coded key. The decrypted payload is hashed again using SHA-1, and that value becomes the encryption key for subsequent communication.
If the handshake with the peer succeeds, the router downloads two files. The first file, fwr.sh, inserts a firewall rule using iptables to drop incoming TCP traffic on port 22, blocking SSH access to the device. The second file, .sose, is written to the /tmp directory. This file contains command-and-control IP addresses, ports, and configuration data used by the malware to connect to the botnet infrastructure.
Analysis of KadNap samples dating back to August 2025 revealed a pattern in the network’s routing. Although Kademlia networks normally use changing peers during lookups, infected devices consistently contacted the same two nodes before connecting to command servers. Those nodes are 45.135.180[.]38 and 45.135.180[.]177, which appear to be infrastructure maintained by the attackers.
Black Lotus Labs telemetry shows the botnet typically uses three to four command-and-control servers at a time. Not every infected router communicates with each server. Researchers determined that the attackers segment their infrastructure by device type and model. More than half of the botnet, consisting of Asus routers, connects to two Asus-specific command servers, while the remaining devices communicate with two other command servers.
Researchers initially did not know the purpose of the network. Through cooperation with security company Spur, the command infrastructure was linked to a proxy service called Doppelganger. The service sells access to the infected devices as residential proxies.
The proxy network routes customers’ internet traffic through the home internet connections of infected users. Residential connections provide high bandwidth and IP addresses with clean reputations, which makes the traffic appear legitimate. Customers can then visit websites or perform online activities that might otherwise be restricted.
Researchers also connected Doppelganger to the Faceless proxy service, which previously relied on infected devices compromised through TheMoon malware.
Black Lotus Labs wrote that “KadNap’s bots are sold through Doppelganger, a service whose users leverage these hijacked devices for a range of malicious purposes, including brute-force attacks and highly targeted exploitation campaigns.”
Within the Lumen network, customers using Lumen Defender have been protected from KadNap traffic since August 2025. Black Lotus Labs has also blocked network traffic to and from the botnet’s control infrastructure and plans to distribute indicators of compromise (IoCs) through public feeds so other organizations can block access to the network.
Devices infected with KadNap continue running the malware after a simple restart because the persistence script launches automatically. Removing the infection requires performing a factory reset. Researchers also advise device owners to install all available firmware updates, set strong administrative passwords, and disable remote access unless necessary.
People concerned that their routers may be infected can check device logs for the IP addresses and file hashes associated with KadNap.
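A triage helper, added here and not taken from the report, that checks collected router data for the persistence and handshake artefacts the article names: the hourly minute-55 cron job, /jffs/.asusrouter, /tmp/.sose, the iptables DROP on TCP port 22, and the three IP addresses. The sample crontab, file list, iptables rules, and connection log are constructed, as are all function names.

```python
import re

# Indicators named in the article; the sample artefacts further down are constructed.
KADNAP_IPS = {"212.104.141.140", "45.135.180.38", "45.135.180.177"}
KADNAP_PATHS = {"/jffs/.asusrouter", "/tmp/.sose"}
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def check_crontab(lines):
    """Cron entries firing at minute 55 of every hour that reference the
    /jffs/.asusrouter stage are the persistence mechanism described above."""
    return [l for l in lines
            if l.split()[:2] == ["55", "*"] and "/jffs/.asusrouter" in l]

def check_files(paths):
    """Dropper and configuration paths from the article present on the device."""
    return sorted(KADNAP_PATHS & set(paths))

def check_iptables(rules):
    """fwr.sh adds a DROP for inbound TCP/22; an unexplained copy of that rule is a hint."""
    return [r for r in rules if "-p tcp" in r and "--dport 22" in r and "-j DROP" in r]

def check_connections(log_lines):
    """Connections to the download host or to the two fixed bootstrap nodes."""
    return [l for l in log_lines if KADNAP_IPS & set(IP_RE.findall(l))]

def triage(crontab, files, iptables, conn_log):
    """Run every check and return only the categories that produced a hit."""
    findings = {"cron": check_crontab(crontab), "files": check_files(files),
                "iptables": check_iptables(iptables),
                "connections": check_connections(conn_log)}
    return {k: v for k, v in findings.items() if v}

# Constructed sample artefacts resembling what a router triage would collect.
SAMPLE_CRON = ["0 3 * * * /sbin/cleanup_logs",
               "55 * * * * /jffs/.asusrouter"]
SAMPLE_FILES = ["/jffs/.asusrouter", "/tmp/.sose", "/tmp/kad", "/etc/hosts"]
SAMPLE_IPTABLES = ["-A INPUT -p tcp -m tcp --dport 22 -j DROP",
                   "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT"]
SAMPLE_LOG = ["TCP 192.168.1.1:48812 -> 45.135.180.38:34567 ESTABLISHED",
              "TCP 192.168.1.1:48813 -> 203.0.113.5:443 ESTABLISHED"]

if __name__ == "__main__":
    for category, hits in triage(SAMPLE_CRON, SAMPLE_FILES,
                                 SAMPLE_IPTABLES, SAMPLE_LOG).items():
        print(f"[{category}] {hits}")
```

On a real device the inputs come from the crontab listing, a directory listing of /jffs and /tmp, the output of `iptables -S`, and the connection table; a port 22 DROP on its own is only a hint, since an administrator may have added one deliberately.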
