KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet
New KadNap Malware Hijacks 14,000 Asus Routers to Build Massive Botnet
In a chilling escalation of cyber threats, researchers have uncovered KadNap, a sophisticated malware campaign that has already compromised over 14,000 Asus routers worldwide, transforming them into a sprawling botnet capable of masking criminal activities through a complex peer-to-peer network.
The Anatomy of a Digital Invasion
The discovery, made by Black Lotus Labs at Lumen Technologies, reveals a meticulously engineered attack that began spreading in August 2025. The malware has achieved alarming penetration, with more than 60% of infections concentrated in the United States, while also establishing footholds across Taiwan, Hong Kong, Russia, the UK, Australia, Brazil, France, Italy, and Spain.
What makes KadNap particularly dangerous is its innovative use of the Kademlia Distributed Hash Table (DHT) protocol—the same technology that powers legitimate peer-to-peer networks. By weaponizing this protocol, attackers have created a communication channel that blends seamlessly with normal internet traffic, making detection extraordinarily difficult.
A Digital Chameleon
“The innovative use of the DHT protocol allows the malware to establish robust communication channels that are difficult to disrupt, by hiding in the noise of legitimate peer-to-peer traffic,” Lumen researchers explained. This camouflage strategy represents a significant evolution in botnet architecture, as traditional security tools struggle to distinguish between legitimate and malicious P2P communications.
The malware’s primary objective is clear: provide 100% anonymous proxy services through a front company called Doppelgänger (doppelganger[.]shop). This service, believed to be a rebranding of the previously known Faceless proxy service, markets itself as offering “resident proxies in over 50 countries”—a thinly veiled cover for criminal infrastructure.
The Infection Chain
The attack begins when vulnerable routers download a malicious shell script (aic.sh) from command-and-control servers. This script establishes persistence by creating scheduled tasks that execute every hour at the 55-minute mark, ensuring the malware remains active even after reboots.
Once installed, KadNap deploys its core component—a malicious ELF file renamed “kad”—which is built for both ARM and MIPS processors, the architectures commonly found in networking devices. The malware then contacts Network Time Protocol servers to obtain a time reference for its operations and begins scanning for other infected peers in the decentralized network.
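The persistence and payload details above translate into two simple host-side triage checks. The code below is an added example, not part of the Lumen report: it assumes the hourly task is an ordinary crontab line with minute field 55, and it assumes the dropper and payload keep the names aic.sh and kad (the /tmp paths in the sample are constructed). The ELF check reads only the header so it works on any file found on the device.

```python
import re
import struct

# Constructed sample crontab in the shape the report describes:
# an hourly job at minute 55 that re-runs the dropper and the payload.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
55 * * * * /tmp/aic.sh >/dev/null 2>&1
55 * * * * /tmp/kad
"""

# File names taken from the article; the directory is not known.
SUSPECT_NAMES = re.compile(r"(?:^|/)(?:aic\.sh|kad)(?:\s|$)")

def flag_cron_entries(crontab_text):
    """Return cron lines that match the described persistence pattern:
    minute field 55 with hour '*', or a command naming aic.sh / kad."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)   # m h dom mon dow command
        if len(fields) < 6:
            continue
        minute, hour, cmd = fields[0], fields[1], fields[5]
        hourly_at_55 = minute == "55" and hour == "*"
        if hourly_at_55 or SUSPECT_NAMES.search(cmd):
            hits.append(line)
    return hits

# e_machine values from the ELF specification for the targeted CPUs.
ELF_ARCH = {0x28: "ARM", 0xB7: "AArch64", 0x08: "MIPS"}

def elf_arch(header):
    """Read e_machine from an ELF header (bytes), honouring the EI_DATA
    endianness byte; return an architecture name or None if not ELF."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        return None
    endian = "<" if header[5] == 1 else ">"   # 1 = little, 2 = big
    (machine,) = struct.unpack(endian + "H", header[18:20])
    return ELF_ARCH.get(machine)

# Constructed 20-byte headers: little-endian ARM and big-endian MIPS.
ARM_HDR = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"\x02\x00\x28\x00"
MIPS_HDR = b"\x7fELF\x01\x02\x01" + b"\x00" * 9 + b"\x00\x02\x00\x08"
```

On a live device, feed the output of `crontab -l` (and the contents of the cron spool directories) to `flag_cron_entries`, and pass the first 20 bytes of any unexpected binary to `elf_arch`.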
Beyond Asus: A Broader Threat
While Asus routers remain the primary target, KadNap’s operators have demonstrated flexibility in their approach, deploying the malware against various edge networking devices. This adaptability suggests the campaign may expand to target additional manufacturers and device types in the future.
The botnet’s infrastructure shows signs of sophisticated organization, with different command-and-control servers appearing to categorize devices by type and model. This segmentation allows attackers to optimize their proxy services and potentially target specific geographic regions or industries.
The Proxy Service Economy
Doppelgänger’s business model represents a concerning trend in cybercrime: the professionalization and commercialization of malicious infrastructure. By offering proxy services that guarantee anonymity, the operators are essentially providing criminals with a “clean” pathway to conduct illegal activities while hiding behind thousands of compromised routers.
The service’s emergence in May/June 2025, coinciding with KadNap’s appearance, suggests a coordinated effort to monetize the botnet infrastructure quickly and efficiently.
Protection in a Compromised World
For the millions of small office and home office (SOHO) router users, the discovery of KadNap serves as a stark reminder of the importance of basic security hygiene. Lumen recommends several critical steps:
- Keep router firmware updated with the latest security patches
- Reboot devices regularly to disrupt potential malware operations
- Change default passwords to strong, unique credentials
- Secure management interfaces by disabling remote access when unnecessary
- Replace end-of-life devices that no longer receive security updates
A Parallel Threat Emerges
Adding to the cybersecurity landscape’s complexity, researchers at Cyble have identified ClipXDaemon, a new Linux malware targeting cryptocurrency users through a completely different attack vector. This memory-resident clipper malware monitors clipboard activity in X11 environments, automatically replacing copied cryptocurrency wallet addresses with those controlled by attackers.
Unlike traditional malware, ClipXDaemon operates autonomously without command-and-control communication, making it exceptionally difficult to detect. The malware deliberately avoids Wayland sessions due to their enhanced security features, focusing instead on the more vulnerable X11 environments.
ClipXDaemon targets multiple cryptocurrencies including Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON, demonstrating the attackers’ broad ambitions in the cryptocurrency theft market.
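Because a clipper swaps one address for another of the same kind, the defender-side check is to compare what was copied with what the clipboard holds at paste time. The code below is an added example, not part of the Cyble analysis: it covers only Bitcoin and Ethereum address shapes (the regexes are the common public formats, an assumption, not the malware's own matching), and the sample addresses are constructed from well-known public test vectors.

```python
import re

# Public address shapes for two of the coins listed above (assumption).
ADDRESS_PATTERNS = {
    "BTC": re.compile(
        r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}"
        r"|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59})$"
    ),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Classify clipboard text as a BTC or ETH address, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

def detect_swap(copied, current):
    """Return the coin kind if the clipboard now holds a different address
    of the same kind as the one the user copied, else None. A clipper must
    keep the kind the same or the paste would fail validation."""
    src, dst = address_kind(copied), address_kind(current)
    if src and src == dst and copied.strip() != current.strip():
        return src
    return None

# Constructed observations: the address copied from the wallet UI, and
# the clipboard contents read back just before the paste.
COPIED_BTC = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
CURRENT_SWAPPED = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"
```

In practice `copied` comes from the application that displayed the address and `current` from a clipboard read (for example `xclip -o` on X11) immediately before the user confirms a transaction.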
The Future of Malware Innovation
These two discoveries—KadNap and ClipXDaemon—represent the cutting edge of malware evolution. Attackers are increasingly leveraging legitimate protocols and services, creating malware that can hide in plain sight while maintaining sophisticated operational capabilities.
The professionalization of cybercrime infrastructure, exemplified by Doppelgänger’s proxy services, suggests we’re entering an era where malicious tools are becoming as polished and user-friendly as legitimate software products. This trend makes powerful cyber weapons accessible to a broader range of criminals, potentially escalating the frequency and sophistication of attacks.
As cybersecurity defenders race to develop new detection methods for these evolving threats, users must remain vigilant about basic security practices. In a world where your router could be unwittingly participating in criminal activities, the importance of maintaining updated, secure devices has never been more critical.
Tags: #KadNap #AsusRouters #Botnet #Malware #Cybersecurity #Doppelgänger #ProxyService #Kademlia #DHT #LumenTechnologies #CryptocurrencyTheft #ClipXDaemon #LinuxMalware #NetworkSecurity #CyberCrime #RouterSecurity