KadNap Malware Turning Asus Routers Into Botnets
A sophisticated new malware called KadNap has been discovered targeting Asus routers and conscripting them into a botnet for proxying malicious traffic. The malware employs a custom version of the Kademlia Distributed Hash Table protocol to conceal its command-and-control infrastructure within a peer-to-peer system, evading traditional network monitoring. The botnet, which has grown to over 14,000 infected devices, is marketed by a proxy service called Doppelganger, tailored for criminal activity. More than 60% of KadNap's victims are based in the United States. The malware demonstrates versatility by targeting various edge networking devices and employing different C2 servers for different victim types.
AI Analysis
Technical Summary
KadNap is a newly identified malware strain that targets Asus routers and other edge networking devices to conscript them into a large-scale botnet used for proxying malicious traffic. Unlike traditional botnets that rely on centralized command-and-control servers, KadNap employs a custom variant of the Kademlia Distributed Hash Table (DHT) protocol, a peer-to-peer network design that conceals its C2 infrastructure. This decentralized approach complicates detection and takedown efforts because the botnet nodes communicate directly with each other rather than through a single point of failure. The botnet has grown to over 14,000 infected devices, with a majority located in the United States. KadNap is marketed by a proxy service named Doppelganger, which is tailored for criminal use cases such as anonymizing malicious traffic or evading IP-based blocking. The malware demonstrates adaptability by targeting various edge devices and using different C2 servers depending on the victim profile, indicating a modular and flexible architecture. The infection vectors are not explicitly detailed, but the targeting of IoT and networking devices suggests exploitation of weak credentials, unpatched vulnerabilities, or default configurations. Indicators of compromise include multiple IP addresses linked to the botnet’s infrastructure and specific malware file hashes. Although no active exploits have been reported, the malware’s use of advanced evasion techniques and decentralized control mechanisms marks it as a significant threat to network security.
Potential Impact
The KadNap malware poses a considerable threat to organizations and individuals using Asus routers and similar edge networking devices. By conscripting these devices into a botnet, KadNap enables attackers to proxy malicious traffic, potentially facilitating a range of criminal activities such as anonymized cyberattacks, data exfiltration, or evasion of network-based defenses. The use of a peer-to-peer DHT-based C2 infrastructure makes traditional detection and mitigation techniques less effective, increasing the botnet’s resilience and longevity. Organizations may experience degraded network performance, increased bandwidth consumption, and potential reputational damage if their devices are implicated in malicious activities. The botnet’s size and geographic distribution, with a concentration in the United States, suggest a broad attack surface and potential for large-scale abuse. Additionally, the malware’s ability to target multiple device types and use different C2 servers complicates defensive measures and incident response. If left unmitigated, KadNap could be leveraged for large-scale proxying services that facilitate further cybercrime, impacting confidentiality, integrity, and availability of network resources.
Mitigation Recommendations
1. Immediately audit and update firmware on all Asus routers and similar edge devices to the latest manufacturer-recommended versions, ensuring known vulnerabilities are patched.
2. Change default credentials on all network devices to strong, unique passwords to prevent brute-force or credential stuffing attacks.
3. Implement network segmentation to isolate IoT and edge devices from critical internal networks, limiting lateral movement and exposure.
4. Deploy network monitoring tools capable of detecting unusual peer-to-peer traffic patterns consistent with Kademlia DHT communications, focusing on anomalous outbound connections.
5. Block known malicious IP addresses associated with KadNap’s infrastructure at network perimeter firewalls and intrusion prevention systems.
6. Use endpoint detection and response (EDR) solutions on network management systems to detect signs of compromise or unauthorized configuration changes.
7. Educate users and administrators about the risks of IoT device compromise and enforce strict access controls and logging for device management interfaces.
8. Collaborate with ISPs and cybersecurity communities to share threat intelligence and coordinate takedown efforts against the botnet’s infrastructure.
9. Consider deploying DNS filtering to prevent infected devices from resolving C2 domains or IP addresses linked to KadNap.
10. Regularly review network traffic for proxying behavior that could indicate botnet activity and respond promptly to incidents.
Affected Countries
United States, United Kingdom, Belgium, Romania
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blog.lumen.com/silence-of-the-hops-the-kadnap-botnet
- Adversary: null
- Pulse Id: 69b13da0db907023c1bfc480
- Threat Score: null
Indicators of Compromise
Threat ID: 69b140632f860ef9439004e1
Added to database: 3/11/2026, 10:13:55 AM
Last enriched: 3/11/2026, 10:29:10 AM
Last updated: 3/14/2026, 2:47:15 AM