Thousands of Asus routers are being used to fuel a massive cyber crime spree
Black Lotus Labs has spotted a massive botnet of Asus routers built by malware that uses a common peer networking tool
Malware targeting Asus routers has built a botnet of 14,000 devices to spread malicious traffic, according to researchers at Lumen's Black Lotus Labs.
Dubbed "KadNap", the malware was first spotted in August 2025. Some 60% of the infected devices are located in the US, with others spotted in the UK, across Europe, and in Australia, among other places. Alongside Asus routers, the malware is also targeting edge networking devices.
KadNap slips by existing network protections using the Kademlia distributed hash table (DHT) designed for peer-to-peer networks like BitTorrent to hide its own originating IP address.
"Infected devices use the DHT protocol to locate and connect with a command-and-control (C2) server, while defenders cannot easily find and add those C2s to threat lists," the researchers at Black Lotus Labs said in a blog post.
"In short, the innovative use of the DHT protocol allows the malware to establish robust communication channels that are difficult to disrupt by hiding in the noise of legitimate peer-to-peer traffic."
Access to that network is then sold via a proxy service called "Doppelganger" to be used for criminal activity, researchers added.
"KadNap’s bots are sold through Doppelganger, a service whose users leverage these hijacked devices for a range of malicious purposes, including brute-force attacks and highly targeted exploitation campaigns," researchers said.
"As a result, every IP address associated with this botnet represents a significant, persistent risk to organizations and individuals alike."
ITPro contacted Asus for comment, but did not receive a response by time of publication.
Spotting KadNap
This particular botnet-building malware was spotted last summer by a Lumen algorithm that searches out dodgy networks as they pop up, with the company noticing 10,000 Asus devices all communicating with one set of servers.
Once the malicious file was on the router or other IoT or edge hardware, it would download a shell script and start the process of adding the kit to the botnet.
To hide, KadNap makes use of a legitimate distributed hash table known as Kademlia, which was designed to make it easier to find information across peers.
"To better understand this system, think of Kademlia like using a chain of friends to find someone’s phone number: each friend does not know the whole number but knows someone who can get you closer to the answer," the researchers explained.
"Passing your request along this chain, you quickly put together the whole phone number. Likewise, Kademlia nodes forward queries to others that are 'closer' to the target, enabling fast and efficient searches without knowing the whole network."
KadNap uses a custom version of the DHT to hide the IP address of the criminals' command and control server. That allows a newly infected router to find and connect to previously infected nodes to share additional payloads and build a bot network.
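The "chain of friends" lookup the researchers describe is the Kademlia algorithm from the 2002 paper by Maymounkov and Mazières: node IDs are compared by XOR, every node keeps only a few peers per distance range, and a query hops to whichever known peer is nearest the target until nothing closer turns up. The simulation below is an added example written for this article, not code from Black Lotus Labs or from KadNap; the network it builds, the 16-bit ID width and the bucket size K=3 are all constructed for illustration.

```python
"""Toy Kademlia-style lookup (added example, not Black Lotus Labs' or
KadNap's code): a node that knows only a small slice of the network
reaches the node closest to a target ID by repeatedly asking the
closest peers it has heard of for peers that are 'closer' still.
Closeness is the XOR of two IDs, as in the Kademlia paper."""
import random

ID_BITS = 16   # toy ID width; real Kademlia/BitTorrent DHT IDs are 160 bits
K = 3          # entries kept per routing bucket (assumed small for illustration)
ALPHA = 3      # peers queried in parallel per lookup round


def xor_distance(a: int, b: int) -> int:
    """Kademlia distance metric: bitwise XOR of the two node IDs."""
    return a ^ b


def bucket_index(a: int, b: int) -> int:
    """Routing bucket for b as seen from a: index of the highest differing bit."""
    return xor_distance(a, b).bit_length() - 1


class Node:
    def __init__(self, node_id: int):
        self.node_id = node_id
        self.peers: list[int] = []   # partial view: at most K peers per bucket

    def closest_known(self, target: int) -> list[int]:
        """What a node answers to a FIND_NODE query: its K known peers nearest the target."""
        return sorted(self.peers, key=lambda p: xor_distance(p, target))[:K]


def build_network(n: int, seed: int = 7) -> dict[int, Node]:
    """Constructed network of n nodes with Kademlia-shaped routing tables:
    each node keeps at most K peers per XOR-distance bucket, so no node
    ever holds a full membership list."""
    rng = random.Random(seed)
    ids = rng.sample(range(1, 1 << ID_BITS), n)
    nodes = {i: Node(i) for i in ids}
    for node in nodes.values():
        buckets: dict[int, list[int]] = {}
        for other in ids:
            if other != node.node_id:
                buckets.setdefault(bucket_index(node.node_id, other), []).append(other)
        for bucket in buckets.values():
            rng.shuffle(bucket)
            node.peers.extend(bucket[:K])
    return nodes


def lookup(nodes: dict[int, Node], start_id: int, target: int) -> tuple[int, int]:
    """Iterative lookup from start_id. Each round queries the ALPHA closest
    not-yet-queried peers and merges their answers; it stops when a round
    brings nothing closer. Returns (closest node found, rounds used)."""
    known = set(nodes[start_id].peers) | {start_id}
    queried: set[int] = set()
    best = min(known, key=lambda p: xor_distance(p, target))
    rounds = 0
    while True:
        candidates = sorted((p for p in known if p not in queried),
                            key=lambda p: xor_distance(p, target))[:ALPHA]
        if not candidates:
            break
        rounds += 1
        for peer in candidates:
            queried.add(peer)                      # "ask this friend"
            known.update(nodes[peer].closest_known(target))
        new_best = min(known, key=lambda p: xor_distance(p, target))
        if xor_distance(new_best, target) >= xor_distance(best, target):
            break                                  # no progress: converged
        best = new_best
    return best, rounds


if __name__ == "__main__":
    net = build_network(300)
    ids = sorted(net)
    found, rounds = lookup(net, ids[0], ids[-1])
    print(f"start {ids[0]:#06x} -> target {ids[-1]:#06x}: found {found:#06x} "
          f"in {rounds} rounds; the start node knew {len(net[ids[0]].peers)} of {len(net)} peers")
```

Because every node keeps at least one peer in each non-empty distance bucket, each round strictly shortens the XOR distance to the target, so the lookup finishes in at most ID_BITS+1 rounds while each node knows only a few dozen of the 300 peers. That bounded, decentralized search is what lets a newly infected device rendezvous with the rest of the botnet without any one address being baked into the sample.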
"The KadNap botnet stands out among others that support anonymous proxies in its use of a peer-to-peer network for decentralized control," the researchers said. "Their intention is clear: avoid detection and make it difficult for defenders to protect against."
What can enterprises do?
Lumen said its own customers have been protected from these attacks since last August, and that it would share indicators of compromise (IoC) publicly so others could be protected as well.
Beyond that, the lab advised security professionals working on network defense to keep watch for attacks on weak credentials or suspicious logins, even if they seem to come from safe IP addresses.
Additional advice includes preventing cloud assets from communicating with bots and making use of Web Application Firewalls.
Regarding KadNap specifically, it's worth checking whether any devices are connecting to public BitTorrent trackers.
For users of small office or home office (SOHO) routers, Lumen advice includes:
- Ensuring routers are patched, updated, and rebooted regularly
- Bolstering password security
- Replacing outdated or unsupported devices
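One concrete way to act on the advice above about watching for devices that talk to the public BitTorrent network: the Kademlia messages carried by BitTorrent's mainline DHT (BEP 5) are bencoded KRPC dictionaries over UDP, so a defender can decode outbound UDP payloads and flag DHT queries from hosts that have no business running a BitTorrent client. The script below is an added example written for this article, not Lumen's tooling; the flow records, IP addresses and the `EXPECTED_P2P_HOSTS` allowlist are constructed. It detects stock BitTorrent DHT traffic; the article says KadNap uses a custom DHT variant, so matching its exact messages would need the indicators Lumen is publishing.

```python
"""Added example (not Lumen's code): flag UDP payloads that carry
BitTorrent mainline DHT (BEP 5) KRPC messages from hosts that are not
expected to run BitTorrent. The check decodes the payload rather than
trusting the port, since DHT nodes can listen on any UDP port.
SAMPLE_FLOWS below are constructed records, not captured traffic."""

DHT_QUERIES = {b"ping", b"find_node", b"get_peers", b"announce_peer"}

# Hosts that legitimately run BitTorrent clients (assumed allowlist).
EXPECTED_P2P_HOSTS = {"192.0.2.20"}


def bdecode(data: bytes):
    """Minimal bencode decoder; raises ValueError on anything malformed."""
    def parse(i: int):
        c = data[i:i + 1]
        if c == b"i":                      # integer: i<digits>e
            j = data.index(b"e", i)
            return int(data[i + 1:j]), j + 1
        if c == b"l":                      # list: l<items>e
            i, out = i + 1, []
            while data[i:i + 1] != b"e":
                v, i = parse(i)
                out.append(v)
            return out, i + 1
        if c == b"d":                      # dict: d<key><value>...e
            i, out = i + 1, {}
            while data[i:i + 1] != b"e":
                k, i = parse(i)
                v, i = parse(i)
                out[k] = v
            return out, i + 1
        if c.isdigit():                    # byte string: <len>:<bytes>
            j = data.index(b":", i)
            n = int(data[i:j])
            if j + 1 + n > len(data):
                raise ValueError("truncated string")
            return data[j + 1:j + 1 + n], j + 1 + n
        raise ValueError("not bencode")    # also hit on empty/exhausted input
    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes")
    return value


def classify_payload(payload: bytes):
    """Return ('query', name) or ('response', None) for a KRPC message, else None."""
    try:
        msg = bdecode(payload)
    except (ValueError, RecursionError):
        return None
    if not isinstance(msg, dict):
        return None
    if msg.get(b"y") == b"q" and msg.get(b"q") in DHT_QUERIES:
        return ("query", msg[b"q"].decode())
    if msg.get(b"y") == b"r" and isinstance(msg.get(b"r"), dict):
        return ("response", None)
    return None


def dht_alerts(flows):
    """One alert per flow whose sender is not an expected P2P host and whose
    payload decodes as a DHT query or response."""
    alerts = []
    for f in flows:
        kind = classify_payload(f["payload"])
        if kind and f["src"] not in EXPECTED_P2P_HOSTS:
            alerts.append({"src": f["src"], "dst": f["dst"], "dport": f["dport"],
                           "kind": kind[0], "query": kind[1]})
    return alerts


# Constructed sample flows: two DHT queries from unexpected hosts, a DNS
# query, an HTTP request, a DHT query from the allowlisted host, and a
# DHT response from another unexpected host.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.7", "dport": 6881,
     "payload": b"d1:ad2:id20:abcdefghij01234567896:target20:mnopqrstuvwxyz123456e"
                b"1:q9:find_node1:t2:aa1:y1:qe"},
    {"src": "192.0.2.11", "dst": "203.0.113.5", "dport": 51413,
     "payload": b"d1:ad2:id20:abcdefghij01234567899:info_hash20:mnopqrstuvwxyz123456e"
                b"1:q9:get_peers1:t2:aa1:y1:qe"},
    {"src": "192.0.2.12", "dst": "192.0.2.1", "dport": 53,
     "payload": b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"},
    {"src": "192.0.2.10", "dst": "203.0.113.9", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "192.0.2.20", "dst": "198.51.100.7", "dport": 6881,
     "payload": b"d1:ad2:id20:abcdefghij01234567896:target20:mnopqrstuvwxyz123456e"
                b"1:q9:find_node1:t2:aa1:y1:qe"},
    {"src": "192.0.2.13", "dst": "198.51.100.8", "dport": 6881,
     "payload": b"d1:rd2:id20:abcdefghij01234567895:nodes0:e1:t2:aa1:y1:re"},
]

if __name__ == "__main__":
    for a in dht_alerts(SAMPLE_FLOWS):
        print(f"{a['src']} -> {a['dst']}:{a['dport']} DHT {a['kind']} {a['query'] or ''}")
```

In a real deployment the flow records would come from a packet capture or a NetFlow/Zeek export with payload samples, and the allowlist would be the inventory of hosts permitted to run P2P software; a router, camera or other edge device emitting DHT queries is the anomaly worth investigating, whatever destination port it uses.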
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.
