Cybersecurity researchers have uncovered a growing botnet, tracked as KadNap, that hijacks ASUS routers and other edge networking devices to power a large proxy network used in cybercrime. The malware quietly infects vulnerable devices and converts them into traffic relays that attackers can rent or use to conceal malicious activity.
The campaign demonstrates how home and small-business networking hardware can become valuable infrastructure for criminals. Once compromised, routers operate silently in the background, forwarding malicious traffic while the device owners remain unaware of the compromise.
Researchers say the botnet has already infected thousands of devices across several regions, creating a distributed network that attackers can leverage for a wide range of illicit activities.
A Peer-to-Peer Botnet Designed to Avoid Detection
The KadNap botnet relies on a decentralized architecture that helps it remain resilient against disruption attempts. Instead of relying on traditional command-and-control servers, the malware uses a peer-to-peer network built on the Kademlia distributed hash table protocol.
This structure allows infected devices to locate other nodes and retrieve instructions from the network itself. By avoiding a single central server, the botnet becomes much harder for defenders to identify and dismantle.
Researchers estimate that the network currently includes roughly 14,000 infected routers and edge devices. Many of these systems sit on residential internet connections, making the traffic appear legitimate and difficult to filter.
The approach gives attackers a flexible and durable infrastructure that can continue operating even if portions of the network become blocked.
How the Malware Infects Routers
The attack chain begins when a malicious script downloads a payload from a remote server. That script installs an ELF binary called “kad,” which acts as the botnet client on the infected device.
Once installed, the malware establishes persistence by creating a cron task that executes roughly every 55 minutes. This ensures the program remains active and automatically reconnects to the network if the router restarts.
After the infection process completes, the compromised router connects to the peer-to-peer network and begins communicating with other infected devices. The malware also gathers basic system information, including the device’s external IP address, uptime, and current time obtained from network time servers.
This information helps synchronize the network and enables operators to manage infected systems more efficiently.
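The cron persistence described above is something a router owner or responder can check for. The following is an added triage example, not code from the report or from the malware: it scans a crontab dump (5-field user-crontab format) and flags entries that reference the reported "kad" binary name, run from a writable temporary path, or use an irregular */N minute schedule. The sample crontab lines, the path /tmp/kad and the */55 schedule are constructed for illustration; the page does not give the real crontab entry.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample crontab dump (illustrative only, not from a real device).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /sbin/logrotate.sh
*/55 * * * * /tmp/kad >/dev/null 2>&1
*/5 * * * * /usr/sbin/ntpclient -h pool.ntp.org
"""

SUSPECT_NAMES = {"kad"}  # binary name the report attributes to the KadNap client
# Writable locations a router's legitimate cron jobs rarely execute from (assumption).
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def minute_interval(field: str) -> Optional[int]:
    """Return N for a '*/N' minute field, otherwise None."""
    m = re.fullmatch(r"\*/(\d+)", field)
    return int(m.group(1)) if m else None


def analyze_line(line: str) -> Optional[List[str]]:
    """Return the list of reasons a crontab line looks suspicious.

    None means the line is a comment or blank; an empty list means clean.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 5)  # minute hour dom mon dow command
    if len(parts) < 6:
        return None
    minute, cmd = parts[0], parts[5]
    prog = cmd.split()[0]
    name = prog.rsplit("/", 1)[-1]
    reasons = []
    if name in SUSPECT_NAMES:
        reasons.append(f"binary name '{name}' matches reported KadNap client")
    if prog.startswith(WRITABLE_DIRS):
        reasons.append(f"executes from writable path {prog}")
    n = minute_interval(minute)
    if n and 60 % n:  # heuristic: */N that does not divide the hour evenly is unusual
        reasons.append(f"irregular */{n} minute schedule")
    return reasons


def find_suspicious(crontab_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) pairs for every entry with at least one reason."""
    hits = []
    for line in crontab_text.splitlines():
        reasons = analyze_line(line)
        if reasons:
            hits.append((line.strip(), reasons))
    return hits
```

On a device, feed it the output of `crontab -l` or the contents of the cron spool directory, and treat any hit as a reason to inspect the referenced binary rather than as proof of infection.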
Building a Global Proxy Infrastructure
The primary purpose of the KadNap botnet is to transform compromised routers into residential proxy nodes. Criminal operators can route traffic through these infected devices, masking the true origin of malicious activity.
Security researchers believe the infrastructure supports a proxy service known as Doppelganger, which appears to be connected to the previously known Faceless proxy network.
Such proxy services allow cybercriminals to rent access to large pools of residential IP addresses. Because the traffic originates from legitimate consumer connections, many security systems treat it as normal internet activity.
Attackers commonly rely on these proxy networks for activities such as credential stuffing campaigns, brute-force login attempts, and distributed denial-of-service attacks. The proxies also help conceal the identity and location of the attackers behind the operation.
Where the Infections Are Concentrated
Analysis of the botnet’s infected nodes shows that a majority of the compromised devices are located in the United States, which accounts for roughly sixty percent of the observed infections.
Other notable clusters appear in Taiwan, Hong Kong, and Russia. The geographic spread highlights how widely distributed consumer networking equipment can become part of large cybercrime ecosystems.
The reliance on consumer routers also demonstrates how overlooked infrastructure can play a central role in malicious operations. Devices often remain unpatched for years, creating attractive targets for automated malware campaigns.
Mitigation Efforts and Ongoing Risks
Security researchers have taken steps to disrupt the KadNap infrastructure where possible. Lumen’s Black Lotus Labs has already blocked communication between infected devices and certain parts of the botnet infrastructure within its own network.
However, these mitigation measures only affect traffic inside that specific provider’s environment. The decentralized design of the botnet allows it to continue operating in other parts of the internet.
Experts recommend that router owners regularly update device firmware, disable unnecessary remote access features, and replace unsupported hardware. These measures can significantly reduce the risk of compromise.
Final Thoughts
The KadNap botnet highlights a growing threat targeting the devices that sit quietly at the edge of the internet. By hijacking routers and turning them into proxy nodes, attackers gain access to a large pool of residential connections that can power a wide range of cybercrime operations.
Its decentralized architecture makes the network resilient and difficult to dismantle, allowing it to persist even as defenders attempt to block parts of its infrastructure. As botnets increasingly target consumer networking hardware, maintaining secure and updated devices has become an essential part of defending the broader internet ecosystem.