
Security Affairs

KadNap bot compromises 14,000+ devices to route malicious traffic

KadNap malware infects 14,000+ edge devices, mainly ASUS routers, turning them into a stealth proxy botnet used to route malicious internet traffic.

KadNap malware infects more than 14,000 edge devices, mainly ASUS routers, and turns them into a proxy botnet used to route malicious traffic. First detected in August 2025, the campaign heavily targets the […]

KadNap's “find_peers” implementation of the Kademlia DHT protocol creates a custom hash and then stores that value. One payload stores command-and-control addresses, allowing the malware to contact remote servers, receive instructions, and execute files. This process lets infected devices join the botnet and maintain persistent communication with the attackers' infrastructure.

Analysis shows KadNap uses a weak custom implementation of the Kademlia network. Instead of dynamically reaching different peers, infected devices always contact the same two intermediary nodes before connecting to command-and-control servers.

“In a true Kademlia peer-to-peer network, the final peer changes over time, reflecting its decentralized nature. However, in analyzing our KadNap samples dating back to August 2025, we consistently found the same two final hop nodes before reaching the C2 servers,” continues the report. “This indicates the attackers maintain persistent nodes to retain control over the network. Those two longstanding nodes were 45.135.180[.]38 and 45.135.180[.]177.”

The experts conclude that the KadNap botnet differs from many proxy botnets because it uses a decentralized peer-to-peer network based on the Kademlia protocol.

“Their intention is clear: avoid detection and make it difficult for defenders to protect against. KadNap’s bots are sold through Doppelganger, a service whose users leverage these hijacked devices for a range of malicious purposes, including brute-force attacks and highly targeted exploitation campaigns,” concludes the report. “As a result, every IP address associated with this botnet represents a significant, persistent risk to organizations and individuals alike.”

Pierluigi Paganini
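The detection angle the report hands defenders is that a genuine Kademlia client walks to changing peers over time, while KadNap bots keep landing on the same two final-hop nodes. The script below, an added example that is not code from Security Affairs or from the report it summarizes, shows both checks against outbound flow records: an indicator match on the two persistent nodes the article names, and a behavioral match that flags any source whose outbound flows over several days reach only a couple of hosts. The flow-log format (timestamp, source IP, destination IP, destination port) and the sample records are constructed, and the day/host thresholds are assumptions rather than values from the report.

```python
"""Detect the KadNap "static final hop" pattern in outbound flow records.

Added example for this article; not code from Security Affairs or from the
report the article summarizes. The flow-log format and the sample records
below are constructed. The two indicator addresses are the persistent nodes
the article names; the behavioral thresholds are assumptions.
"""
from collections import defaultdict
import re

# Persistent "final hop" nodes named in the article (written defanged there).
KADNAP_PERSISTENT_NODES = frozenset({"45.135.180.38", "45.135.180.177"})

# Constructed sample flows (one per line: timestamp src dst dst_port).
# 192.0.2.10 mirrors the behaviour the article describes: weeks of traffic
# that always lands on the same two nodes. 192.0.2.20 is a benign device
# talking to many hosts. 192.0.2.30 keeps returning to one unknown host,
# which only the behavioral check catches.
SAMPLE_FLOWS = """\
2025-08-03T10:00:01Z 192.0.2.10 45.135.180.38 8080
2025-08-10T11:12:09Z 192.0.2.10 45.135.180.177 8080
2025-09-01T09:30:00Z 192.0.2.10 45.135.180.38 8080
2025-09-15T22:05:44Z 192.0.2.10 45.135.180.177 8080
2025-08-03T10:00:05Z 192.0.2.20 198.51.100.5 443
2025-08-10T11:15:00Z 192.0.2.20 198.51.100.77 443
2025-09-01T09:31:00Z 192.0.2.20 203.0.113.9 443
2025-09-15T22:06:10Z 192.0.2.20 203.0.113.41 443
2025-08-03T10:02:00Z 192.0.2.30 203.0.113.200 9001
2025-08-11T10:02:00Z 192.0.2.30 203.0.113.200 9001
2025-09-02T10:02:00Z 192.0.2.30 203.0.113.200 9001
2025-09-16T10:02:00Z 192.0.2.30 203.0.113.200 9001
"""

FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_flows(text):
    """Return (timestamp, src, dst, port) tuples; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        match = FLOW_RE.match(line.strip())
        if match:
            ts, src, dst, port = match.groups()
            flows.append((ts, src, dst, int(port)))
    return flows


def known_node_hits(flows):
    """Indicator match: which sources contacted a named persistent node."""
    hits = defaultdict(set)
    for _, src, dst, _ in flows:
        if dst in KADNAP_PERSISTENT_NODES:
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


def static_hop_sources(flows, min_days=3, max_distinct_dsts=2):
    """Behavioral match: sources seen on at least `min_days` distinct days
    whose outbound flows reach no more than `max_distinct_dsts` hosts.
    A real Kademlia client would walk to changing peers over that span."""
    days = defaultdict(set)
    dsts = defaultdict(set)
    for ts, src, dst, _ in flows:
        days[src].add(ts[:10])  # YYYY-MM-DD prefix of the ISO timestamp
        dsts[src].add(dst)
    return sorted(
        src for src in dsts
        if len(days[src]) >= min_days and len(dsts[src]) <= max_distinct_dsts
    )


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("indicator hits:", known_node_hits(flows))
    print("static-hop sources:", static_hop_sources(flows))
```

In practice the behavioral check is worth running on the device's own peer-discovery traffic rather than on everything it forwards as a proxy, since proxied client traffic fans out to many destinations and would mask the static hop; the indicator match needs no such scoping and is the quicker win while the two addresses stay in use.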

Published: 2026-03-11T09:03:38
