Tag

Kadnap

All articles tagged with #kadnap

cybersecurity6 minutes ago•3 min saved

KadNap Botnet Converts ASUS Routers into a Global Residential Proxy Network

KadNap, a new botnet, hijacks ASUS routers and other edge devices to form a peer-to-peer proxy network for malicious traffic. By August 2025 it controlled about 14,000 devices, using a custom Kademlia DHT to locate C2s, though two fixed nodes connect early to the C2s, aiding takedowns. Infections start by pulling aic.sh from 212.104.141.140, establish persistence via a cron job every 55 minutes, and install an ELF payload kad. KadNap’s DHT design aims to decentralize control, but the two steady nodes undermine this to some extent. The botnet is linked to the Doppelganger proxy service, which rents infected devices as residential proxies for DDoS, credential stuffing, and brute-force campaigns. Lumen has blocked KadNap traffic on its network and will publish IOC to help others disrupt the botnet.

via BleepingComputer|

#asus-routers #botnet #cybersecurity

security3 hours ago•4 min saved

KadNap DHT Botnet Turns 14k Edge Devices into Stealth Proxies; ClipXDaemon Hijacks Linux Wallet Addresses

Security researchers uncovered KadNap, a new malware targeting Asus routers and other edge devices that forms a decentralized, Kademlia DHT–based proxy botnet with over 14,000 infected hosts (majority in the U.S.). It uses a shell script downloaded from a C2 at 212.104.141.140 to install persistence, fetch a kad ELF, and join a peer-to-peer network that hides C2 traffic and feeds a Doppelgänger proxy service; the operators tier targets, close SSH (port 22), and collect host time and uptime to build peer hashes for network coordination. The same report also details ClipXDaemon, a memory-only Linux clipboard hijacker that replaces copied cryptocurrency wallet addresses in real time for multiple coins, with no C2 or beaconing and designed to avoid Wayland sessions.

via The Hacker News|

#botnet #clipxdaemon #iot