14,000 ASUS Routers Turned Into Criminal Proxies by KadNap Botnet
Last month, I watched our traffic analysis light up with anomalous patterns from what looked like legitimate residential IPs. Turns out, those "home users" were actually compromised ASUS routers running a criminal proxy service called Doppelgänger.
Welcome to KadNap - a botnet that's infected over 14,000 edge devices since August 2025, with 60% of infections hitting the United States. This isn't your typical malware story.
ASUS Gets Owned (Again)
Here's what makes this particularly frustrating: ASUS routers are getting hammered again. Remember TheMoon, first spotted in 2014? That botnet also ended up on ASUS devices selling proxy access. Now we have KadNap, which powers the rebranded Doppelgänger service (previously called Faceless).
The attack sequence is almost elegant:
- The shell script aic.sh is fetched from the C2 server 212.104.141[.]140
- It sets persistence via a cron job that runs every 55 minutes
- It renames itself to .asusrouter (cute)
- It deploys the ELF binary kad, which does the real work
CISA has already warned about ASUS firmware flaws. Yet here we are.
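If you want to check a device against the indicators above, here is a small IoC sweep. This is an added example, not code from the article or from Lumen: it scans the kind of text dumps you would pull off a router (crontab, ps and netstat output) for the aic.sh dropper, the hidden .asusrouter copy, the kad binary and the C2 address 212.104.141.140 (de-fanged in the article). The "*/55" minute field is an assumption about how an "every 55 minutes" cron job is normally written, not a published indicator, and the sample dumps at the bottom are constructed for the demo rather than captured from a real device.

```python
"""IoC sweep for the KadNap artefacts named in the article.

Added example, not code from the article or from Lumen. Indicators: aic.sh,
.asusrouter, kad, 212.104.141.140. The "*/55" cron field is an ASSUMPTION
about how a 55-minute job is written. Sample dumps are constructed.
"""
import re

IOC_PATTERNS = {
    "dropper_script": re.compile(r"\baic\.sh\b"),
    "hidden_copy": re.compile(r"\.asusrouter\b"),
    # "kad" as a whole path component or bare command name, not a substring
    "kad_binary": re.compile(r"(?:^|[/\s])kad(?:\s|$)"),
    "c2_address": re.compile(r"\b212\.104\.141\.140\b"),
    # Assumption: the 55-minute persistence job uses a */55 minute field.
    "cron_55min": re.compile(r"^\s*\*/55\s"),
}


def scan_dump(name, text):
    """Return a list of (dump_name, line_no, indicator, line) for every hit."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for ioc, pat in IOC_PATTERNS.items():
            if pat.search(line):
                hits.append((name, no, ioc, line.strip()))
    return hits


def triage(dumps):
    """Scan a dict of {dump_name: text}. Returns ("suspect" | "clean", hits)."""
    hits = []
    for name, text in dumps.items():
        hits.extend(scan_dump(name, text))
    return ("suspect" if hits else "clean"), hits


# --- constructed sample dumps (not from a real device) ---
INFECTED = {
    "crontab": "*/55 * * * * /tmp/.asusrouter\n0 3 * * * /sbin/logrotate\n",
    "ps": "  902 admin   httpd\n 1311 admin   /tmp/kad\n",
    "netstat": "tcp 0 0 192.168.50.1:41120 212.104.141.140:80 ESTABLISHED\n",
}
CLEAN = {
    "crontab": "0 3 * * * /sbin/logrotate\n",
    "ps": "  902 admin   httpd\n",
    "netstat": "tcp 0 0 192.168.50.1:443 192.168.50.20:52210 ESTABLISHED\n",
}

if __name__ == "__main__":
    for label, dumps in (("infected", INFECTED), ("clean", CLEAN)):
        verdict, hits = triage(dumps)
        print(f"{label}: {verdict}")
        for src, no, ioc, line in hits:
            print(f"  {src}:{no} [{ioc}] {line}")
```

The patterns are deliberately narrow (whole-token matches for kad, the exact C2 address) so a hit means something; if the operators rotate the C2 address or file names, only the behavioural indicator, a hidden file run from a short-interval cron job, will still fire, so treat the sweep as a quick triage, not as proof of a clean device.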
The DHT Trick That Almost Works
What makes KadNap genuinely interesting is its use of a custom Kademlia Distributed Hash Table (DHT) protocol. Instead of hard-coding C2 addresses, it hides its command servers behind traffic that looks like ordinary peer-to-peer lookups.
"KadNap employs a custom version of the Kademlia DHT protocol... to conceal IP addresses... difficult for defenders to protect against."
Black Lotus Labs at Lumen said this, and they're right about the sophistication of the design. But here's the thing - the implementation is weak. The bots relied on a fixed set of intermediary nodes, which is the DHT equivalent of a hard-coded C2 list, and Lumen blocked traffic to them on March 10, 2026.
So close to bulletproof. So far from competent execution.
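To see why fixed intermediary nodes undo the camouflage, consider what the traffic looks like from the outside. Each bot's lookups are indistinguishable from P2P chatter on their own, but if every bot has to reach the same few nodes, those nodes are the destinations shared by almost all infected sources, and that fan-in is visible in plain flow data. The script below is an added example, not Lumen's method or anything from the botnet: it ranks destinations by how many distinct sources contact them and flags the ones nearly everyone talks to. The flow records are constructed, the addresses come from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 and refer to no real infrastructure, and the UDP port 6881 is only an assumption about what a DHT-like flow might use.

```python
"""Rendezvous-node detection from flow records.

Added example, not Lumen's method or the botnet's code. All addresses are
from documentation ranges (192.0.2.0/24, 198.51.100.0/24); port 6881 is an
assumed DHT-like port. Flow records are constructed for the demo.
"""
from collections import defaultdict

BOTS = [f"192.0.2.{i}" for i in range(10, 16)]     # six "infected routers"
FIXED_NODES = ["198.51.100.7", "198.51.100.9"]        # hypothetical bootstrap nodes
DNS = "198.51.100.53"                                  # legitimate resolver everyone uses


def build_flows():
    """Constructed (src_ip, dst_ip, dst_port) records: every bot talks to the
    fixed nodes, to three peers unique to that bot, and to the shared resolver."""
    flows = []
    for n, bot in enumerate(BOTS):
        for node in FIXED_NODES:
            flows.append((bot, node, 6881))
        for k in range(3):
            flows.append((bot, f"198.51.100.{100 + 3 * n + k}", 6881))
        flows.append((bot, DNS, 53))
    return flows


def fan_in(flows):
    """Map (dst_ip, dst_port) -> set of distinct source IPs that contacted it."""
    seen = defaultdict(set)
    for src, dst, port in flows:
        seen[(dst, port)].add(src)
    return seen


def rendezvous_candidates(flows, min_fraction=0.8, allow_ports=(53,)):
    """Destinations contacted by at least min_fraction of all sources.

    Ports on the allowlist (shared services such as DNS) are skipped: they
    show the same fan-in and would otherwise be false positives.
    Returns [(dst_ip, dst_port, n_sources)] sorted by fan-in, descending."""
    seen = fan_in(flows)
    n_sources = len({src for src, _, _ in flows})
    cands = [
        (dst, port, len(srcs))
        for (dst, port), srcs in seen.items()
        if port not in allow_ports and len(srcs) / n_sources >= min_fraction
    ]
    return sorted(cands, key=lambda c: -c[2])


if __name__ == "__main__":
    flows = build_flows()
    print(f"{len(flows)} flows from {len(BOTS)} sources")
    for dst, port, n in rendezvous_candidates(flows):
        print(f"candidate rendezvous node {dst}:{port} contacted by {n} sources")
```

On real data the source set would be the hosts already identified as infected (from the IoC sweep or from sinkhole hits), and the allowlist would be considerably longer than one port; the point is that a P2P-looking protocol only hides the controller if the bootstrap path is also distributed, which here it was not.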
Your Router Is Probably a Criminal
The infected devices aren't just sitting there looking pretty. They're actively routing traffic for:
- DDoS attacks
- Credential stuffing campaigns
- Brute-force operations
- General cybercrime anonymization
Victims face collateral liability if their IP addresses proxy attacks. Insurance costs go up. Legal headaches multiply. All because someone couldn't be bothered to update router firmware.
The Real Problem Hiding in Plain Sight
This botnet reveals three systemic failures:
1. End-of-life device abandonment - SOHO routers typically stop receiving security updates after 2-3 years
2. DHT protocol abuse - P2P traffic looks legitimate to most monitoring tools
3. Residential proxy monetization - Criminal services rebrand faster than takedowns happen
The underground economy adapts. Faceless becomes Doppelgänger. TheMoon becomes KadNap. Same business model, new infrastructure.
For developers building IoT devices: firmware auto-updates aren't optional anymore. Secure boot isn't negotiable. If you're shipping devices that can't update themselves, you're contributing to the problem.
My Bet
Lumen's traffic blocking will slow KadNap temporarily, but the operators will pivot to new infrastructure within weeks. ASUS will issue firmware updates that 80% of users won't install. Meanwhile, the next botnet is already in development, probably targeting a different vendor's routers.
The real solution isn't playing whack-a-mole with individual botnets. It's mandatory firmware update requirements and liability for vendors who abandon device security. Until that happens, we'll keep seeing the same story with different malware names.
