KadNap botnet IOC (mainly Asus router)
AI Analysis
Technical Summary
KadNap is a botnet observed mainly affecting Asus routers, with indicators of compromise reported through OSINT sources. The threat involves payload delivery but lacks detailed technical data or confirmed exploitation. No patches or official fixes are available, and the botnet's activity is currently assessed with moderate certainty. This threat is primarily intelligence for monitoring rather than immediate incident response.
Potential Impact
The impact is currently low as there are no known exploits in the wild and no confirmed widespread compromise. The botnet's presence indicates potential for payload delivery, which could lead to further malicious activity if exploited. However, without confirmed exploitation or detailed technical information, the immediate risk is limited.
Mitigation Recommendations
No patches or official fixes are available for this threat. Since no vendor advisory or detailed remediation guidance has been provided, organizations should monitor for indicators of compromise related to KadNap and apply general best practices for securing Asus routers, such as updating firmware when available and restricting external access. Patch status is not yet confirmed — check vendor advisories for updates.
Indicators of Compromise
- link: https://raw.githubusercontent.com/blacklotuslabs/IOCs/refs/heads/main/KadNap_IOCs.txt
- link: https://blog.lumen.com/silence-of-the-hops-the-kadnap-botnet/
- text: The Black Lotus Labs team at Lumen has discovered a sophisticated new malware named “KadNap.” This threat primarily targets Asus routers, conscripting them into a botnet that proxies malicious traffic. Since August 2025, we have been monitoring the growth of this network, which is now above 14,000 infected devices.

KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring. Infected devices use the DHT protocol to locate and connect with a command-and-control (C2) server, while defenders cannot easily find and add those C2s to threat lists. In short, the innovative use of the DHT protocol allows the malware to establish robust communication channels that are difficult to disrupt by hiding in the noise of legitimate peer-to-peer traffic.

Once added to the network, bots are then marketed by a proxy service called “Doppelganger,” which is specifically tailored for criminal activity and appears to be a rebrand of the Faceless service, which was powered by victims of TheMoon malware.

Using the expansive Lumen global backbone to observe KadNap’s infrastructure, we found that more than 60% of KadNap’s victims are based in the United States. While Asus routers are the primary targets, the operators are using the malware effectively against a variety of edge networking devices and set aside a number of C2s used to silo their infrastructure by victim type.

As of this publication, Lumen has proactively blocked all network traffic to or from the control infrastructure. Given the obfuscation of C2 servers inherent to this protocol, Black Lotus Labs will share the indicators of compromise (IoCs) and will begin distributing the indicators of compromise (IoCs) into public feeds to enable others to help disrupt this threat.

Lumen Technologies would like to thank our partners at Spur for their contributions to our efforts to track and mitigate this threat.
Technical Details
- Uuid: 2bd1fa00-6450-479c-9387-3a7fcb5e15a9
- Original Timestamp: 1773398318
Threat ID: 69b4424d2f860ef94305fced
Added to database: 3/13/2026, 4:58:53 PM
Last enriched: 4/8/2026, 4:22:08 AM
Last updated: 4/28/2026, 7:22:02 AM