Friday, March 13, 2026

Cybersecurity researchers have discovered the spread of KadNap malware, which has compromised more than 14,000 edge network devices, most of them ASUS routers, to form a botnet used for relaying malicious internet traffic. The campaign was first detected in August 2025, with the United States accounting for more than 60% of all infections. Infections have also been identified in several other countries, including Taiwan, Hong Kong, the United Kingdom, Brazil, France, Italy, and Spain.
The malware conceals its command-and-control (C2) infrastructure behind a peer-to-peer (P2P) network based on the Kademlia Distributed Hash Table (DHT) protocol, which makes detection significantly more difficult. Compromised devices are used as proxies to relay traffic through a service known as Doppelganger, believed to be a new proxy network linked to infrastructure previously associated with TheMoon malware. Researchers found that many devices were infected through malicious scripts that download ELF binaries onto the system and establish persistence using scheduled tasks.
After installation, the malware collects device information such as the external IP address and synchronizes the system time with public Network Time Protocol (NTP) servers. It then generates a hash value to join the peer-to-peer network. Infected devices exchange encrypted data with other nodes and download additional payloads, including scripts that modify firewall rules or open new communication channels. Although the network is designed to be decentralized, analysis revealed that infected devices consistently connect through two intermediary nodes before reaching the C2 server, indicating that the attackers still maintain operational control over the network.
The KadNap botnet is reportedly used as part of a proxy service to conduct various malicious activities, including brute-force attacks and targeted attacks against specific systems. As a result, IP addresses associated with this network pose a significant security risk for organizations and internet users worldwide.
