KadNap botnet IOC (mainly Asus router)
AI Analysis
Technical Summary
KadNap is a botnet that, according to the Black Lotus Labs (Lumen) report excerpted in the indicators section below, primarily targets Asus routers and is also used against other edge networking devices. Lumen has tracked the network since August 2025 and reports more than 14,000 infected devices, over 60% of them in the United States. The purpose of the botnet is proxying: infected devices are sold through a criminal proxy service called "Doppelganger", which appears to be a rebrand of the Faceless service previously powered by TheMoon-infected devices. For command and control the malware uses a custom variant of the Kademlia distributed hash table (DHT) protocol. Bots locate the C2 through peer-to-peer lookups rather than a hard-coded address, so the C2 IPs are concealed among legitimate peer-to-peer traffic and are difficult to enumerate and blocklist; the operators also reportedly silo victims across separate C2s by device type. This CIRCL OSINT feed entry (tagged with 50% certainty) carries two malware samples, a MIPS build and an ARM build, nine infrastructure IP addresses, and a pointer to the Black Lotus Labs IOC repository. It does not name a CVE, affected firmware versions, or the initial access vector, and it lists no patch. That absence should not be read as evidence of a zero-day: weak credentials, exposed management services and outdated firmware are the usual routes onto consumer routers, and the page does not say which one KadNap uses. What the page does provide (file hashes and infrastructure addresses) is enough for retrospective detection, while the DHT-based C2 means IP blocklists alone will not fully disrupt the botnet.
Potential Impact
A KadNap infection gives a third party control of the network edge device. Per the Lumen report quoted below, the immediate use of that control is proxying: bots are sold through the Doppelganger service and relay other criminals' traffic, so whatever the proxy customers do appears to originate from the victim's public IP address, bringing blocklisting, abuse complaints and bandwidth consumption. Control of the router also puts the attacker in the path of every packet crossing it, so the confidentiality and integrity of LAN traffic can no longer be assumed, and the device becomes a foothold from which to pivot into the internal network. Availability suffers through degraded performance and, should the operators choose, through use of the bots for other purposes, although the page itself documents only the proxy use. With more than 14,000 infected devices reported, this is an active campaign rather than a theoretical one. Exposure is greatest for small offices, home and remote workers, and ISP customer-premises deployments, where Asus and similar consumer-grade edge devices are common, rarely patched and seldom monitored.
Mitigation Recommendations
Organizations should implement the following mitigations:
1) Inventory every Asus router and every other edge networking device (the report notes the malware is also used against non-Asus edge devices), record firmware versions, and apply the latest vendor firmware. No affected-version list is given on this page, so currency with the vendor is the only available check; devices past end of support should be replaced.
2) Replace default and shared credentials with strong, unique passwords on all network devices, and rotate them after any suspected compromise.
3) Disable WAN-side remote administration and unneeded services (Telnet, SSH, web administration on the WAN interface) unless required; where required, restrict them to a VPN or an allowlist of source IP addresses.
4) Block and alert on the nine infrastructure IP addresses listed below at the perimeter, and ingest the Black Lotus Labs IOC feed. Because bots find the C2 through a DHT lookup, these addresses are a lagging indicator: also watch for the router itself initiating unexpected outbound connections, in particular many short sessions to unrelated hosts, which is the traffic profile of a peer-to-peer DHT.
5) Segment the network so that the router's management plane and any IoT or guest segments cannot reach sensitive internal systems, limiting lateral movement from a compromised edge device.
6) Deploy IDS/IPS with current signatures, and compare the file hashes in the IOC list against anything recovered from a device (firmware dumps, files found on the router's filesystem).
7) Follow threat intelligence feeds for updated KadNap indicators; Lumen states it is publishing IOCs to public feeds.
8) Train network administrators in secure router configuration to reduce the attack surface.
9) If a device matches any indicator, treat it as compromised: disconnect it, factory-reset and reflash it with vendor firmware, change its credentials, and review traffic logs for the period it was infected.
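One way to operationalise the monitoring and IDS items above, as an added example that is not code from this page or from Black Lotus Labs: a Python script that parses the page's own "- type: value" IOC list, checks a flow log and a file's digests against it, and emits Suricata IP rules for the listed addresses. The hashes and IP addresses are copied from this page; the flow-record format, the 192.168.1.0/24 and 203.0.113.0/24 addresses, the malformed lines, the function names and the Suricata sid range are constructed assumptions.

```python
# Added example, not from the page or from Black Lotus Labs. IOC values are
# copied from this page; the flow log and the malformed lines are constructed.
import hashlib
import ipaddress
import re

IOC_TEXT = """
- hash: 0b3dbb951de7a216dd5032d783ba7d0a5ecda2bf872643c3a4ddd1667fb38ffe
- hash: 5e0ab4ab2b53e8e1dbb74dd97c03979d
- hash: ebf9de6b67e94b2bd2b0dcda1941e04fef1a1dad830404813e468ab8744b7ed8
- hash: 103710ebc767772eb0e033e0bb6c77da
- ip: 45.135.180.38
- ip: 45.135.180.177
- ip: 91.193.19.51
- ip: 79.141.163.155
- ip: 23.227.203.221
- ip: 85.158.111.100
- ip: 89.46.38.74
- ip: 154.7.253.12
- ip: 79.141.161.152
- ip: 999.1.1.1
- link: https://raw.githubusercontent.com/blacklotuslabs/IOCs/refs/heads/main/KadNap_IOCs.txt
- text: Report
"""
# "999.1.1.1" is a deliberately malformed constructed line; everything else is from the page.

IOC_LINE = re.compile(r"^-\s*(\w+):\s*(\S.*?)\s*$")
HEX = re.compile(r"^[0-9a-f]+$")
DIGEST_LENGTHS = {32, 40, 64}  # hex lengths of MD5, SHA-1, SHA-256

# Constructed flow records: "timestamp src dst dport proto". 192.168.1.0/24 is
# the LAN; 203.0.113.0/24 (TEST-NET-3) stands in for ordinary Internet hosts.
FLOW_LOG = [
    "2026-03-13T10:38:38Z 192.168.1.1 45.135.180.38 443 tcp",
    "2026-03-13T10:39:02Z 192.168.1.20 203.0.113.7 443 tcp",
    "2026-03-13T10:40:11Z 79.141.163.155 192.168.1.1 8080 udp",
    "malformed record",
]


def parse_iocs(text):
    """Parse '- type: value' lines into {'ip': set, 'hash': set}; links, comments
    and syntactically invalid values are dropped rather than kept as dead indicators."""
    iocs = {"ip": set(), "hash": set()}
    for raw in text.splitlines():
        m = IOC_LINE.match(raw.strip())
        if not m:
            continue
        kind, value = m.group(1).lower(), m.group(2).lower()
        if kind == "ip":
            try:
                iocs["ip"].add(str(ipaddress.ip_address(value)))
            except ValueError:
                continue
        elif kind == "hash" and HEX.match(value) and len(value) in DIGEST_LENGTHS:
            iocs["hash"].add(value)
    return iocs


def scan_flows(flow_lines, ioc_ips):
    """Return (timestamp, src, dst, dport) for every flow touching an IOC IP.
    Both directions are checked; the page does not say which side initiates."""
    hits = []
    for line in flow_lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, src, dst, dport = fields[:4]
        if src in ioc_ips or dst in ioc_ips:
            hits.append((ts, src, dst, dport))
    return hits


def hash_hits(data, ioc_hashes):
    """Digest a file's bytes with all three algorithms and report any IOC match."""
    digests = {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}
    return {name: d for name, d in digests.items() if d in ioc_hashes}


def suricata_rules(ioc_ips, sid_base=9000001):
    """One bidirectional Suricata IP rule per indicator (the sid range is an assumption)."""
    return [
        f'alert ip any any <> {ip} any (msg:"KadNap infrastructure IP {ip}"; sid:{sid_base + i}; rev:1;)'
        for i, ip in enumerate(sorted(ioc_ips, key=ipaddress.ip_address))
    ]


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for hit in scan_flows(FLOW_LOG, iocs["ip"]):
        print("flow hit:", hit)
    print("hash hits on a benign blob:", hash_hits(b"not a sample", iocs["hash"]))
    print("\n".join(suricata_rules(iocs["ip"])))
```

Because bots reach the C2 through the DHT rather than a fixed address, a match on one of these IPs confirms infection but silence does not prove health; refresh the list from the Black Lotus Labs feed instead of hard-coding it, and pair the IP rules with the outbound-connection baselining described in item 4.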
Affected Countries
United States, Germany, France, United Kingdom, Japan, South Korea, China, India, Brazil, Australia
Technical Details
- Uuid: 2bd1fa00-6450-479c-9387-3a7fcb5e15a9
- Original timestamp: 1773398318 (2026-03-13 10:38:38 UTC)
Indicators of Compromise
Source: https://raw.githubusercontent.com/blacklotuslabs/IOCs/refs/heads/main/KadNap_IOCs.txt (Black Lotus Labs IOC repository)

Sample 1 (MIPS build; VirusTotal detections 15/65)
- sha256: 0b3dbb951de7a216dd5032d783ba7d0a5ecda2bf872643c3a4ddd1667fb38ffe
- sha1: b81e1dcd55e9b6b169d52ee72dc061f90c123515
- md5: 5e0ab4ab2b53e8e1dbb74dd97c03979d
- tlsh: t195644c07ff94aed7c857cd320878c753148ce59b5298213e31f8ca4dff6a60a4a578a9
- vhash: dc7e4b158cee8ed39dd2bf6e86fca227
- ssdeep: 6144:yDRe/kAR9jEeTTN8R15u9f/c+RZK4V3mD2RrD8gQmDjixe5xzjYF0XWj0fJd2XRW:yDRe/kAR9jEeTTN8R15u9f/c+RZV3mD/
- link: https://www.virustotal.com/gui/file/0b3dbb951de7a216dd5032d783ba7d0a5ecda2bf872643c3a4ddd1667fb38ffe

Sample 2 (ARM build; VirusTotal detections 19/65)
- sha256: ebf9de6b67e94b2bd2b0dcda1941e04fef1a1dad830404813e468ab8744b7ed8
- sha1: 82d62c92d1e5d2e4b4571401b8dbd225d9216a0e
- md5: 103710ebc767772eb0e033e0bb6c77da
- tlsh: t1d03408a1f8909e82c6906abffb1e828d330357bcd3ee31069e145b7427d7d594e3a941
- vhash: 76becfa7727549d2bfb044bb67a602cb
- ssdeep: 3072:DafTo5xJB61i+NODxTpSDMVrg88x2XxkncamNAHwEFjeAQ8kOWxtWGGaxXsWC/zi:iP1irxT3z80xknC6eAQ+LalC7UP
- link: https://www.virustotal.com/gui/file/ebf9de6b67e94b2bd2b0dcda1941e04fef1a1dad830404813e468ab8744b7ed8

Infrastructure IP addresses (the page does not assign a role to individual addresses)
- ip: 45.135.180.38
- ip: 45.135.180.177
- ip: 91.193.19.51
- ip: 79.141.163.155
- ip: 23.227.203.221
- ip: 85.158.111.100
- ip: 89.46.38.74
- ip: 154.7.253.12
- ip: 79.141.161.152

Reference: https://blog.lumen.com/silence-of-the-hops-the-kadnap-botnet/
Excerpt of the Black Lotus Labs report, as attached to the event:

The Black Lotus Labs team at Lumen has discovered a sophisticated new malware named “KadNap.” This threat primarily targets Asus routers, conscripting them into a botnet that proxies malicious traffic. Since August 2025, we have been monitoring the growth of this network, which is now above 14,000 infected devices.

KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring. Infected devices use the DHT protocol to locate and connect with a command-and-control (C2) server, while defenders cannot easily find and add those C2s to threat lists. In short, the innovative use of the DHT protocol allows the malware to establish robust communication channels that are difficult to disrupt by hiding in the noise of legitimate peer-to-peer traffic.

Once added to the network, bots are then marketed by a proxy service called “Doppelganger,” which is specifically tailored for criminal activity and appears to be a rebrand of the Faceless service, which was powered by victims of TheMoon malware.

Using the expansive Lumen global backbone to observe KadNap’s infrastructure, we found that more than 60% of KadNap’s victims are based in the United States. While Asus routers are the primary targets, the operators are using the malware effectively against a variety of edge networking devices and set aside a number of C2s used to silo their infrastructure by victim type.

As of this publication, Lumen has proactively blocked all network traffic to or from the control infrastructure. Given the obfuscation of C2 servers inherent to this protocol, Black Lotus Labs will share the indicators of compromise (IoCs) and will begin distributing the indicators of compromise (IoCs) into public feeds to enable others to help disrupt this threat.

Lumen Technologies would like to thank our partners at Spur for their contributions to our efforts to track and mitigate this threat.
Threat ID: 69b4424d2f860ef94305fced
Added to database: 3/13/2026, 4:58:53 PM
Last enriched: 3/13/2026, 5:14:37 PM
Last updated: 3/14/2026, 4:07:43 AM