KadNap malware ensnares over 14K routers in massive botnet

Security researchers from Black Lotus Labs at Lumen Technologies have uncovered a new malware strain called KadNap that mostly targets routers from Asus, turning compromised devices into part of a large proxy botnet used to route malicious traffic.

According to researchers, the network has been growing since August 2025 and now includes more than 14,000 infected devices worldwide. The malware’s operators mainly exploit home and small-office networking equipment, though other edge devices have also been affected.

KadNap uses a customized implementation of the Kademlia Distributed Hash Table (DHT) protocol. This peer-to-peer technology lets infected devices locate command-and-control (C&C) servers without the operators directly exposing their infrastructure.

Once a device is compromised, it becomes part of a decentralized network that communicates with command servers to receive instructions or download additional files. The attackers establish persistence through a shell script named “aic.sh,” which installs a scheduled task to retrieve instructions from a remote server. The script eventually downloads a malicious executable that deploys the KadNap malware, which can run on both ARM and MIPS-based devices.

Researchers also discovered that the compromised routers are later sold through the Doppelgänger proxy service, which is advertised as offering “100% anonymity” with residential proxies in more than 50 countries. Researchers believe the platform may be a rebranded version of the Faceless proxy service, previously linked to infections caused by TheMoon malware.

More than 60% of infected devices were observed in the United States, with smaller clusters located in Taiwan, Hong Kong, Russia, the United Kingdom, Australia, Brazil, France, Italy, and Spain. Researchers noted that the attackers appear to separate their infrastructure by device type, meaning not every infected router communicates with the same command servers.

The malware also attempts to shut down SSH access on port 22, making remote removal more difficult, and uses time data from a Network Time Protocol server to generate hashes that help it locate other peers within the decentralized network.
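The two host-level indicators the report describes, a scheduled task that runs the “aic.sh” script and SSH no longer listening on port 22, can be checked against a router's crontab and socket listing. The following triage script is an added example written for this article, not code from Black Lotus Labs; the crontab and netstat samples are constructed, and the "script run from /tmp" heuristic is an assumption, not something the report states.

```python
import re

# Constructed crontab dump for the example; "aic.sh" is the script name the report
# associates with KadNap persistence.
CRONTAB = """\
# min hour dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/10 * * * * /tmp/aic.sh >/dev/null 2>&1
"""

# Constructed `netstat -tln` style listing in which sshd is missing from port 22.
NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
"""

SUSPICIOUS_SCRIPT = "aic.sh"   # from the report
SSH_PORT = 22                  # the port the report says the malware shuts down

def cron_entries(crontab: str):
    """Yield (schedule, command) for every non-comment crontab line."""
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)  # five schedule fields, then the command
        if len(parts) == 6:
            yield " ".join(parts[:5]), parts[5]

def listening_ports(netstat: str) -> set[int]:
    """Return the set of TCP ports in LISTEN state from a netstat-style listing."""
    ports = set()
    for line in netstat.splitlines():
        m = re.match(r"tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def check_router(crontab: str, netstat: str, expect_ssh: bool = True) -> list[str]:
    """Return human-readable findings matching the indicators described above."""
    findings = []
    for schedule, cmd in cron_entries(crontab):
        # Flag the named script, plus (heuristic assumption) anything run from /tmp.
        if SUSPICIOUS_SCRIPT in cmd or "/tmp/" in cmd:
            findings.append(f"scheduled task runs {cmd!r} ({schedule})")
    if expect_ssh and SSH_PORT not in listening_ports(netstat):
        findings.append(f"sshd not listening on port {SSH_PORT}")
    return findings
```

Run `check_router(CRONTAB, NETSTAT)` on the samples and both indicators are reported; a clean crontab with sshd present yields an empty list.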
