KadNap Botnet Hijacks Asus Routers

Black Lotus Labs at Lumen has discovered a new malware strain called KadNap that has been building a botnet of Asus routers since at least August 2025.

The network is now reportedly more than 14,000 devices strong, and it uses the clean residential IP addresses of the infected routers to proxy malicious traffic.

The infected routers are sold as a residential proxy service called Doppelganger marketed specifically to cybercriminals, allowing them to hide their traffic.

The network stands out for its use of peer-to-peer networking to reach its command-and-control (C2) servers: it runs a custom implementation of the Kademlia Distributed Hash Table (DHT) protocol, which helps it evade network monitoring.

The decentralized nature of the DHT makes it difficult for defenders to find the command-and-control servers and add them to block lists. It hides the IP addresses of those servers behind peer lookups and also allows the malicious traffic to blend in with legitimate peer-to-peer traffic. Black Lotus Labs explains it like this:

To better understand this system, think of Kademlia like using a chain of friends to find someone’s phone number: each friend does not know the whole number but knows someone who can get you closer to the answer. Passing your request along this chain, you quickly put together the whole phone number. Likewise, Kademlia nodes forward queries to others that are “closer” to the target, enabling fast and efficient searches without knowing the whole network.
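The "chain of friends" lookup in the quote is Kademlia's iterative FIND_NODE. The following is an added illustration, not KadNap's code and not Black Lotus Labs' tooling: it builds a small constructed overlay with Kademlia-style routing tables (at most K contacts per XOR-distance bucket, so no node knows the whole membership), then runs a lookup from one node towards another and reports how few nodes had to be asked. Node IDs, the network size and the seed are assumptions for the toy; real Kademlia uses 160-bit IDs, UDP RPCs, timeouts and bucket refresh, all omitted here.

```python
"""Toy Kademlia-style iterative lookup in a small constructed overlay.

Added illustration of the routing idea quoted above. It is not KadNap's
code and not Black Lotus Labs' tooling; IDs, network size and seed are
assumptions, and the overlay is built from a seeded PRNG so it runs offline.
"""
import random
from collections import defaultdict
from dataclasses import dataclass, field

ID_BITS = 16   # real Kademlia uses 160-bit IDs; 16 keeps the toy readable
K = 4          # contacts kept per bucket and returned per FIND_NODE reply
ALPHA = 3      # how many contacts a lookup queries per round


def xor_distance(a: int, b: int) -> int:
    """Kademlia's metric: the XOR of two IDs, compared as an integer."""
    return a ^ b


def bucket_index(node_id: int, other_id: int) -> int:
    """Bucket i holds contacts whose XOR distance has its highest set bit
    at position i, i.e. distance in [2**i, 2**(i+1)). Higher is 'further'."""
    return xor_distance(node_id, other_id).bit_length() - 1


@dataclass
class Node:
    node_id: int
    contacts: list = field(default_factory=list)  # the node's routing table

    def find_node(self, target: int) -> list:
        """Answer a FIND_NODE RPC with the K known IDs closest to target."""
        return sorted(self.contacts, key=lambda c: xor_distance(c, target))[:K]


def build_network(n: int, seed: int = 1) -> dict:
    """Constructed overlay of n nodes with Kademlia-style routing tables:
    each node keeps at most K random peers per distance bucket, so it knows
    a few far-away nodes and relatively more near neighbours, never all."""
    rng = random.Random(seed)
    ids = rng.sample(range(1 << ID_BITS), n)
    nodes = {i: Node(i) for i in ids}
    for node in nodes.values():
        buckets = defaultdict(list)
        for other in ids:
            if other != node.node_id:
                buckets[bucket_index(node.node_id, other)].append(other)
        for members in buckets.values():
            node.contacts.extend(rng.sample(members, min(K, len(members))))
    return nodes


def iterative_lookup(nodes: dict, start_id: int, target: int):
    """Iterative FIND_NODE from start_id towards target.

    Each round queries the ALPHA closest not-yet-queried contacts, merges
    their replies and keeps the K closest IDs seen so far. It stops once
    all K closest have been queried, which is how Kademlia terminates.
    Returns (closest_ids, rounds, queried_ids).
    """
    def closest(ids):
        return sorted(set(ids), key=lambda c: xor_distance(c, target))[:K]

    shortlist = closest(nodes[start_id].contacts)
    queried, rounds = set(), 0
    while True:
        batch = [c for c in shortlist if c not in queried][:ALPHA]
        if not batch:
            break
        rounds += 1
        for peer in batch:
            queried.add(peer)
            shortlist.extend(nodes[peer].find_node(target))  # simulated RPC
        shortlist = closest(shortlist)
    return shortlist, rounds, queried


if __name__ == "__main__":
    net = build_network(200)
    ids = sorted(net)
    start, target = ids[0], ids[-1]
    found, rounds, asked = iterative_lookup(net, start, target)
    print(f"target {target:#06x} found: {found[0] == target}, "
          f"{rounds} rounds, {len(asked)} of {len(net)} nodes contacted")
```

Each hop lands on a contact that agrees with the target on one more leading bit, so the lookup reaches the exact target node after roughly log2(n) rounds while touching only a small fraction of the overlay. That is the defender's problem in miniature: there is no single rendezvous address to block, and any one node sees only a handful of ordinary-looking queries.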

The malware mainly targets Asus routers, but Lumen says other edge networking devices have been targeted as well, with separate C2 infrastructure for each victim type.

This isn’t the first time Asus routers have been subject to attack and it certainly won’t be the last.

As Internet of Things devices become more common, there will be more opportunities for everyday devices to be compromised and enlisted into botnets run by criminals.

Lumen says they have blocked all traffic to the command and control servers and will begin sharing indicators of compromise into public feeds so everyone can fight back against this threat.

For consumers, Lumen recommends following the router-update best practices published by the Canadian Centre for Cyber Security. It also recommends changing the default password for the management interface and making sure that interface is not reachable from the internet, and replacing connected devices once they reach end of life and stop receiving updates.
