The KadNap malware has compromised over 14,000 edge devices, primarily ASUS routers, to create a stealthy proxy botnet for routing malicious traffic. By utilizing a peer-to-peer system based on the Kademlia protocol, the botnet masks its command infrastructure and sells access to its hijacked network through a service called Doppelganger.
The KadNap campaign was first identified in August 2025 after researchers noticed over 10,000 ASUS routers communicating with suspicious servers. The malware primarily targets the United States, which accounts for more than 60 percent of all infections, though victims have also been documented in Taiwan, Hong Kong, and throughout Europe and South America. Upon infection, a malicious installer script drops the malware as an ELF binary built for the device's architecture (ARM and MIPS variants have been observed), sets up persistence through scheduled tasks, and hides its activity by redirecting the bot's output to /dev/null.
To remain undetected by traditional network monitoring, KadNap employs a custom version of the Kademlia Distributed Hash Table protocol. This peer-to-peer system lets infected devices locate and connect to command-and-control servers without the bot ever carrying the IP addresses of the attackers' infrastructure. Once the malware collects the device's external IP and synchronizes its clock with public time servers, it generates specific hashes that serve as its identifiers for joining the decentralized network, so defenders cannot simply extract and block a central control node from the binary.
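The following is an added illustration, not KadNap's code or anything recovered from the binary: a toy Kademlia lookup showing the generic mechanism the paragraph describes. The bot holds only a 160-bit target ID that it derives from a seed string (here the hypothetical seed `rendezvous-2025-08`; the real derivation from external IP and time is not reproduced) plus a few bootstrap peers, and reaches the node that owns that ID by XOR-distance routing. The network, peer IDs and addresses (RFC 5737 and RFC 1918 ranges) are all constructed in the block.

```python
"""Toy Kademlia-style node lookup (added illustration, not KadNap's code).

A bot holds only a derived 160-bit target ID plus a few bootstrap peers and
reaches the node owning that ID by XOR-distance routing; the rendezvous
node's address never appears in the bot. Node IDs, addresses and the
network are constructed for the example.
"""
import hashlib
import random

K = 8       # entries per bucket and results per FIND_NODE reply
ALPHA = 3   # lookup parallelism


def node_id(seed: str) -> int:
    """160-bit Kademlia ID from a seed string (SHA-1, as in the Kademlia paper)."""
    return int.from_bytes(hashlib.sha1(seed.encode()).digest(), "big")


class Peer:
    def __init__(self, seed: str, addr: str):
        self.id = node_id(seed)
        self.addr = addr
        self.buckets = {}  # bucket index -> list of Peer, at most K each

    def learn(self, other: "Peer") -> None:
        """Insert other into the bucket for its XOR-distance bit length, capped at K."""
        if other is self:
            return
        i = (self.id ^ other.id).bit_length()
        bucket = self.buckets.setdefault(i, [])
        if len(bucket) < K and other not in bucket:
            bucket.append(other)

    def find_node(self, target: int):
        """FIND_NODE reply: the K known peers closest to target by XOR distance."""
        known = [p for b in self.buckets.values() for p in b]
        known.sort(key=lambda p: p.id ^ target)
        return known[:K]


def build_network(n: int, rng: random.Random):
    """n ordinary peers plus one rendezvous peer whose ID the bot can derive.
    Each routing table is filled from the whole population in random order,
    capped at K per bucket, as it would be after bootstrap and gossip."""
    peers = [Peer(f"peer-{i}", f"10.0.{i // 256}.{i % 256}") for i in range(n)]
    # Assumption: the operator registers a node under an ID derived from a seed
    # the bot can compute (for instance time-based), not under a fixed address.
    rendezvous = Peer("rendezvous-2025-08", "203.0.113.7")
    peers.append(rendezvous)
    for p in peers:
        others = [q for q in peers if q is not p]
        rng.shuffle(others)
        for q in others:
            p.learn(q)
    return peers, rendezvous


def iterative_lookup(target: int, bootstrap):
    """Iterative FIND_NODE: query the ALPHA closest unqueried peers until the K
    closest peers in the shortlist have all been queried. Returns the closest
    peer found and the addresses contacted on the way."""
    shortlist = {p.id: p for p in bootstrap}
    queried = set()
    contacted = []
    while True:
        pending = sorted((p for p in shortlist.values() if p.id not in queried),
                         key=lambda p: p.id ^ target)[:ALPHA]
        if not pending:
            break
        for p in pending:
            queried.add(p.id)
            contacted.append(p.addr)
            for q in p.find_node(target):
                shortlist.setdefault(q.id, q)
        closest = sorted(shortlist.values(), key=lambda p: p.id ^ target)[:K]
        if all(p.id in queried for p in closest):
            break
    best = min(shortlist.values(), key=lambda p: p.id ^ target)
    return best, contacted


def demo(seed: int = 1):
    """Bot-side view: it knows only the derived target ID and three bootstrap peers."""
    rng = random.Random(seed)
    peers, rendezvous = build_network(200, rng)
    bootstrap = rng.sample([p for p in peers if p is not rendezvous], 3)
    target = node_id("rendezvous-2025-08")   # derived ID, not a hardcoded IP
    found, path = iterative_lookup(target, bootstrap)
    return {
        "found_addr": found.addr,
        "is_rendezvous": found is rendezvous,
        "bootstrap_addrs": [p.addr for p in bootstrap],
        "hops_contacted": len(path),
    }


if __name__ == "__main__":
    print(demo())
```

The point for a defender is in `demo()`: the rendezvous address is absent from the bot's bootstrap list and appears only as the result of the lookup, so a static extraction of addresses from the binary finds the bootstrap peers at most. With a correctly populated routing table every FIND_NODE reply contains at least one peer strictly closer to the target, which is why the lookup converges regardless of the random fill order.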
The botnet operates by exchanging encrypted data with peers and downloading additional payloads that can modify firewall rules or open new communication channels. These payloads often contain specific command-and-control addresses that enable the malware to receive instructions and execute files remotely. By maintaining this persistent communication, the hijacked devices become part of a larger proxy network used to facilitate various cyberattacks while shielding the identity of the end users.
Despite its use of decentralized protocols, analysis shows that KadNap relies on a relatively weak and static implementation of the Kademlia network. Instead of the constantly changing peer connections typical of a true peer-to-peer system, infected devices were found to consistently contact the same two intermediary nodes before reaching the command servers. This pattern suggests the attackers maintain specific, long-lived nodes to ensure they retain stable control over the large population of compromised routers. For defenders this is the useful weakness: a pair of intermediaries that never changes is a stable indicator that can be blocked or alerted on, which a healthy DHT would not offer.
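As an added example (not from the source article or any published KadNap detection), the following heuristic turns the observation above into a check over outbound connection logs: it groups each internal host's peers by day and flags hosts that keep contacting a tiny, fixed set of peers day after day while a real DHT client's peer set churns. The log format, hosts and addresses are constructed for the example; the first host behaves like the static bot described, the second like an ordinary DHT client.

```python
"""Added example: flag 'static P2P' rendezvous behaviour in connection logs.

The source describes bots that contact the same two intermediary nodes on
every run instead of a churning peer set. The heuristic groups a host's
outbound peers per day and flags hosts whose peer set is small and repeats
on every observed day. Log lines, hosts and addresses are constructed.
"""
from collections import defaultdict

# Constructed sample log: 192.0.2.10 mimics the static bot (same two peers
# every day); 192.0.2.20 mimics a normal DHT client whose peers churn.
SAMPLE_LOG = """\
2025-08-01T09:12:01 src=192.0.2.10 dst=198.51.100.5 dport=6881
2025-08-01T09:12:02 src=192.0.2.10 dst=198.51.100.6 dport=6881
2025-08-02T09:12:01 src=192.0.2.10 dst=198.51.100.5 dport=6881
2025-08-02T09:12:02 src=192.0.2.10 dst=198.51.100.6 dport=6881
2025-08-03T09:12:01 src=192.0.2.10 dst=198.51.100.5 dport=6881
2025-08-03T09:12:02 src=192.0.2.10 dst=198.51.100.6 dport=6881
2025-08-01T20:00:01 src=192.0.2.20 dst=203.0.113.11 dport=6881
2025-08-01T20:00:02 src=192.0.2.20 dst=203.0.113.12 dport=6881
2025-08-01T20:00:03 src=192.0.2.20 dst=203.0.113.13 dport=6881
2025-08-02T20:00:01 src=192.0.2.20 dst=203.0.113.14 dport=6881
2025-08-02T20:00:02 src=192.0.2.20 dst=203.0.113.15 dport=6881
2025-08-02T20:00:03 src=192.0.2.20 dst=203.0.113.11 dport=6881
2025-08-03T20:00:01 src=192.0.2.20 dst=203.0.113.16 dport=6881
2025-08-03T20:00:02 src=192.0.2.20 dst=203.0.113.17 dport=6881
2025-08-03T20:00:03 src=192.0.2.20 dst=203.0.113.18 dport=6881
"""


def parse_log(text):
    """Parse 'TIMESTAMP src=A dst=B dport=N' lines into (day, src, dst) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        records.append((ts[:10], fields["src"], fields["dst"]))
    return records


def peers_per_day(records):
    """Build {src: {day: set(dst)}} from parsed records."""
    out = defaultdict(lambda: defaultdict(set))
    for day, src, dst in records:
        out[src][day].add(dst)
    return out


def score_host(day_sets):
    """Return (days_observed, distinct_peers, persistent_peers), where
    persistent_peers are the peers contacted on every observed day."""
    days = list(day_sets.values())
    persistent = set.intersection(*days) if days else set()
    distinct = set.union(*days) if days else set()
    return len(days), len(distinct), persistent


def find_static_rendezvous(text, min_days=3, max_persistent=3, max_distinct=4):
    """Flag hosts that, over at least min_days, keep contacting a tiny fixed
    peer set and almost nothing else: the 'same two intermediaries' pattern.
    Returns {src: sorted persistent peers}."""
    flagged = {}
    for src, day_sets in peers_per_day(parse_log(text)).items():
        ndays, ndistinct, persistent = score_host(day_sets)
        if (ndays >= min_days
                and 0 < len(persistent) <= max_persistent
                and ndistinct <= max_distinct):
            flagged[src] = sorted(persistent)
    return flagged


if __name__ == "__main__":
    for host, peers in find_static_rendezvous(SAMPLE_LOG).items():
        print(f"{host}: static rendezvous peers {peers}")
```

The thresholds are deliberately conservative and are assumptions for the example, not values from the source. Any device that talks to the same NTP, DNS or update servers every day will match the same shape, so in practice the check should run only over ports and destinations that are not already on an allowlist, and the flagged peer set should be treated as a lead for blocking and further inspection rather than as a verdict on its own.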
The primary purpose of the KadNap botnet is to provide a stealthy infrastructure for other malicious actors through the Doppelganger proxy service. Those who purchase access to the hijacked devices use them for a variety of high-risk activities, including brute-force attacks and targeted exploitation campaigns. Because the botnet is built from residential and small-business routers, every associated IP address poses a persistent threat: traffic exiting these devices carries an ordinary residential source address and passes many reputation-based security filters as legitimate.
Source: KadNap Bot Compromises 14,000+ Devices To Route Malicious Traffic