Researchers have identified a botnet named KadNap that has infected approximately 14,000 routers and other network devices, predominantly manufactured by Asus. This botnet operates as a proxy network, facilitating anonymous traffic for various cybercriminal activities.
Infection Mechanism and Device Distribution
The malware exploits vulnerabilities that remain unpatched by device owners, according to Chris Formosa from Lumen’s Black Lotus Labs. The prevalence of Asus routers in this botnet suggests that operators have successfully leveraged known exploits for these specific models. Notably, there is no indication that the attackers are utilizing zero-day vulnerabilities.
Growth of the Botnet
The number of infected routers has grown from around 10,000 in August to a daily average of 14,000. Most of the compromised devices are located in the United States, with smaller numbers in Taiwan, Hong Kong, and Russia.
Technical Structure of KadNap
One of the defining characteristics of KadNap is its sophisticated peer-to-peer architecture based on Kademlia, which employs distributed hash tables (DHTs) to obscure the IP addresses of its command-and-control servers. This design enhances the botnet’s resistance to detection and takedown efforts. As noted by Black Lotus researchers, this decentralized control mechanism complicates defensive measures against the botnet.
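Why a Kademlia-style design resists blocking individual peers can be seen in a small simulation, added here as an illustration of the generic Kademlia lookup and not taken from KadNap's code or the Black Lotus Labs research. The 32-bit IDs, peer labels, record key and network size are constructed assumptions.

```python
import hashlib

ID_BITS = 32  # real Kademlia uses 160-bit IDs; shortened for this demo
K = 4         # bucket size and lookup shortlist width (Kademlia's "k")

def make_id(label):
    """Hash a label into a node ID or key in the shared ID space."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest()[:ID_BITS // 8], "big")

def closest(ids, key, k=K):
    """The k IDs nearest to key under Kademlia's XOR distance."""
    return sorted(ids, key=lambda n: n ^ key)[:k]

def build_network(n_nodes=200):
    """Constructed peers; each keeps up to K contacts per XOR-distance range."""
    ids = list(dict.fromkeys(make_id(f"constructed-peer-{i}") for i in range(n_nodes)))
    network = {}
    for n in ids:
        buckets = {}
        for m in ids:
            if m != n:
                bucket = buckets.setdefault((n ^ m).bit_length() - 1, [])
                if len(bucket) < K:
                    bucket.append(m)
        network[n] = {m for bucket in buckets.values() for m in bucket}
    return network

def lookup(network, start, key, blocked=frozenset()):
    """Iterative node lookup from start; peers in blocked never answer.
    Returns (nearest reachable peer to key, number of peers queried)."""
    shortlist, queried = [start], set()
    while True:
        pending = [n for n in shortlist if n not in queried]
        if not pending:
            return shortlist[0], len(queried)
        for n in pending:
            queried.add(n)
            shortlist = closest(set(shortlist) | (network[n] - blocked), key)

def demo():
    """Look up one key before and after blocking the 3 peers nearest to it."""
    net = build_network()
    key = make_id("constructed-record-key")
    ranked = sorted(net, key=lambda n: n ^ key)
    start = ranked[-1]  # querying peer: the one farthest from the key
    before, _ = lookup(net, start, key)
    after, _ = lookup(net, start, key, blocked=frozenset(ranked[:3]))
    return ranked, before, after

if __name__ == "__main__":
    ranked, before, after = demo()
    print(f"nearest peer: {before:08x}; after blocking 3 nearest: {after:08x}")
```

No peer holds a fixed address for the record: the lookup converges on whichever reachable peer is nearest the key, so blocking the three nearest peers only shifts it to the fourth.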
Impact and Mitigation Strategies
Infected devices are being utilized to support Doppelganger, a paid proxy service that routes customer internet traffic through the connections of compromised routers. Users concerned about potential infections can refer to a designated page for IP addresses and file hashes associated with the malware. To remove the infection, affected devices must be factory reset, as a simple reboot will not eliminate the malware due to a persistent shell script that reactivates upon restart. Device owners are advised to install all available firmware updates, strengthen administrative passwords, and disable remote access unless necessary.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








