{"id":222035,"date":"2026-03-10T12:00:00","date_gmt":"2026-03-10T16:00:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/03\/10\/kadnap-malware-infects-14000-edge-devices-to-power-stealth-proxy-botnet\/"},"modified":"2026-03-10T14:15:08","modified_gmt":"2026-03-10T18:15:08","slug":"kadnap-malware-infects-14000-edge-devices-to-power-stealth-proxy-botnet","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/03\/10\/kadnap-malware-infects-14000-edge-devices-to-power-stealth-proxy-botnet\/","title":{"rendered":"KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/kadnap-malware-infects-14000-edge.html\">KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/kadnap-malware-infects-14000-edge.html\">https:\/\/thehackernews.com\/2026\/03\/kadnap-malware-infects-14000-edge.html<\/a><\/p>\n<p>Publish Date: 2026-03-10 12:00:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Cybersecurity researchers have discovered a new malware called <strong>KadNap<\/strong> that&#8217;s primarily targeting Asus routers to enlist them into a botnet for proxying malicious traffic.<\/p>\n<p>The malware, first detected in the wild in August 2025, has expanded to over 14,000 infected devices, with more than 60% of victims located in the U.S., according to the Black Lotus Labs team at Lumen. 
A smaller number of infections have been detected in Taiwan, Hong Kong, Russia, the U.K., Australia, Brazil, France, Italy, and Spain.<\/p>\n<p>&#8220;KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring,&#8221; the cybersecurity company said in a report shared with The Hacker News.<\/p>\n<p>Compromised nodes in the network leverage the DHT protocol to locate and connect with a command-and-control (C2) server, thereby making it resilient to detection and disruption efforts.<\/p>\n<p>Once devices are successfully compromised, they are marketed by a proxy service named Doppelg\u00e4nger (&#8220;doppelganger[.]shop&#8221;), which is assessed to be a rebrand of Faceless, another proxy service associated with TheMoon malware. Doppelg\u00e4nger, according to its website, claims to offer resident proxies in over 50 countries that provide &#8220;100% anonymity.&#8221; The service is said to have launched in May\/June 2025.<\/p>\n<p>Despite the focus on Asus routers, the operators of KadNap have been found to deploy the malware against an assorted set of edge networking devices.<\/p>\n<p>Central to the attack is a shell script (&#8220;aic.sh&#8221;) that&#8217;s downloaded from the C2 server (&#8220;212.104.141[.]140&#8221;), which is responsible for initiating the process of conscripting the victim to the P2P network. 
The file creates a cron job to retrieve the shell script from the server at the 55-minute mark of every hour, rename it to &#8220;.asusrouter,&#8221; and run it.<\/p>\n<p>Once persistence is established, the script pulls a malicious ELF file, renames it to&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/kadnap-malware-infects-14000-edge.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet https:\/\/thehackernews.com\/2026\/03\/kadnap-malware-infects-14000-edge.html Publish Date: 2026-03-10&#8230;<\/p>\n","protected":false},"author":1,"featured_media":222036,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjL6yjElOGPcYBf276MHunx4KJvvDBj2k0LIMcaz8NZN6c9NM-EPhn5wGG8jiQab-zkwUzGWDNnqMo7F_mIq_HbuS4KKV9TNn3oebk_nWkZKcm3BRT0EIEqut61LgUodpHvtGYBB3bjeT_zJ_TxjxLgmO7DPwaFqXryrkQ7X8BpWz2GucoDtcTcXP6XbLQ_\/s1600\/router-botnet.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,35,32],"class_list":["post-222035","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-hacker","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/222035"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=222035"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/222035\/revisions"}],"predecessor-version":[{"id":222037,"hre
f":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/222035\/revisions\/222037"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/222036"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=222035"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=222035"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=222035"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}