KadNap malware has infected more than 14,000 edge devices, mainly ASUS routers, turning them into a stealthy proxy botnet used to route malicious internet traffic. First detected in August 2025, the campaign heavily targets the United States, which accounts for over 60% of infections, with further victims scattered across Taiwan, Hong Kong, the U.K., Brazil, France, Italy, and Spain.
The malware hides its command infrastructure behind a custom Kademlia-based peer-to-peer system, which lets infected devices locate and connect to a C2 server while concealing the server's real IP address, and it routes traffic through a proxy service called Doppelganger. In August 2025, researchers identified over 10,000 ASUS routers communicating with suspicious servers. The malware establishes persistence via scheduled tasks, downloads additional payloads, and can modify firewall rules or open additional communication channels.
Analysis notes that KadNap uses a weak, non-dynamic Kademlia implementation: rather than discovering peers dynamically, infected devices repeatedly contact the same two intermediary nodes, 45.135.180[.]38 and 45.135.180[.]177, before reaching the C2 servers. That fixed routing is a design that indicates persistent control by the attackers, according to a report published by Lumen.
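The fixed-intermediary behaviour described above is also what makes the botnet detectable from network telemetry: a genuine Kademlia node talks to many changing peers, whereas a KadNap-infected router keeps returning to the same two addresses. The following Python is an added example, not code from the Lumen report, that runs two checks over constructed flow records: repeated contact with the two intermediary IPs named on the page (re-fanged so they parse), and low destination diversity per source. The flow lines, the 24-hour window, the three-hit threshold and the port numbers are all assumptions made for the illustration.

```python
"""Detection sketch for KadNap's fixed-intermediary contact pattern.

Constructed example: the flow records below are made up for illustration.
The two intermediary IPs come from the Lumen report (defanged on the page);
the thresholds, window and ports are assumptions, not report values.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address

# Intermediary nodes named in the report, defanged there as 45.135.180[.]38 / [.]177.
KADNAP_INTERMEDIARIES = {"45.135.180.38", "45.135.180.177"}

# Constructed flow log: "<iso-timestamp> <src> <dst> <dport>" per line.
# 192.168.1.1 shows the KadNap pattern (same two peers, many times in one day);
# 192.168.1.7 touches a listed IP only once every 48 hours (below threshold);
# 192.168.1.50 is ordinary traffic to TEST-NET addresses.
SAMPLE_FLOW_LINES = [
    "2025-08-01T00:00:00 192.168.1.1 45.135.180.38 443",
    "2025-08-01T01:00:00 192.168.1.1 45.135.180.177 443",
    "2025-08-01T02:00:00 192.168.1.1 45.135.180.38 443",
    "2025-08-01T05:00:00 192.168.1.1 45.135.180.177 443",
    "2025-08-01T00:00:00 192.168.1.7 45.135.180.38 443",
    "2025-08-03T00:00:00 192.168.1.7 45.135.180.38 443",
    "2025-08-05T00:00:00 192.168.1.7 45.135.180.38 443",
    "2025-08-01T00:10:00 192.168.1.50 203.0.113.10 443",
    "2025-08-01T00:20:00 192.168.1.50 203.0.113.11 80",
    "2025-08-01T00:30:00 192.168.1.50 203.0.113.12 443",
]


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as '45.135.180[.]38' back into a parseable address."""
    return ioc.replace("[.]", ".")


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed flow line; raises ValueError on malformed addresses."""
    ts, src, dst, dport = line.split()
    ip_address(src)
    ip_address(dst)
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport))


def repeated_contacts(flows, watchlist, min_hits=3, window=timedelta(hours=24)):
    """Map src -> max number of watchlisted contacts inside any sliding window.

    Only sources reaching min_hits within the window are returned, so a single
    stray connection to a listed address does not raise an alert on its own.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f.dst in watchlist:
            by_src[f.src].append(f.ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # slide the window start forward
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_hits:
            flagged[src] = best
    return flagged


def peer_diversity(flows):
    """Distinct destinations per source; a node pinned to two fixed peers scores low."""
    peers = defaultdict(set)
    for f in flows:
        peers[f.src].add(f.dst)
    return {src: len(dsts) for src, dsts in peers.items()}


def run_detection(lines=SAMPLE_FLOW_LINES):
    """Parse the flow lines and return (flagged_sources, diversity_per_source)."""
    flows = [parse_flow_line(l) for l in lines]
    return repeated_contacts(flows, KADNAP_INTERMEDIARIES), peer_diversity(flows)


if __name__ == "__main__":
    flagged, diversity = run_detection()
    for src, hits in flagged.items():
        print(f"{src}: {hits} contacts with KadNap intermediaries, {diversity[src]} distinct peers")
```

The sliding window matters more than it looks: edge devices beacon on schedules, so counting hits over all time would eventually flag any host that once brushed a listed address, while the windowed count keys on the tight, repeating cadence the report describes. In practice the watchlist would be fed from the full indicator set rather than the two addresses quoted here.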