Listen to this Post

Introduction
A newly discovered malware campaign is quietly transforming thousands of everyday home routers into tools for cybercrime. Security researchers have identified a sophisticated malware strain known as KadNap, which has already infected more than 14,000 internet-connected devices, primarily targeting Asus routers used in homes and small offices.
The campaign reveals how cybercriminals are increasingly exploiting Small Office and Home Office (SOHO) networking equipment, devices that often run outdated firmware and receive minimal security monitoring. Once infected, these routers become part of a massive botnet-driven proxy network, allowing attackers to route malicious traffic through innocent users’ internet connections.
This strategy not only hides the criminals’ real identities but also enables large-scale cyber operations including fraud, credential theft, and distributed attacks against online infrastructure. The discovery highlights a growing and alarming trend in the cybersecurity landscape: the weaponization of consumer networking hardware.
A Malware Campaign Targeting Everyday Routers
Cybersecurity researchers from Lumen Technologies’ threat intelligence division Black Lotus Labs recently uncovered the malware, naming it KadNap. Their investigation revealed that the malware is specifically designed to infect internet-facing routers, particularly models produced by ASUS.
According to telemetry data gathered by the researchers, the botnet maintains an average of around 14,000 active infected devices each day. While routers are often overlooked in cybersecurity discussions, they represent a powerful resource for attackers. Each compromised router provides bandwidth, connectivity, and a legitimate IP address that can be used to disguise malicious activity.
By combining thousands of these devices into a coordinated network, attackers gain the ability to launch large-scale cyber operations without exposing their own infrastructure.
How KadNap Hides Its Command System
One of the most concerning aspects of KadNap is the way it conceals its command-and-control infrastructure. Instead of relying on a traditional centralized server, the malware leverages a modified version of the Distributed Hash Table (DHT) protocol.
This technology is commonly used in peer-to-peer systems such as BitTorrent, where it helps locate data across distributed networks without requiring a central authority. KadNap exploits this same principle for malicious purposes.
By embedding its control system inside a distributed network of nodes, the malware effectively hides its command servers within normal peer-to-peer traffic. For defenders attempting to track or shut down the botnet, this approach creates significant challenges. Traditional security methods that rely on blocking known command servers become far less effective.
The result is a botnet infrastructure that blends into legitimate network activity, making detection far more difficult.
The Infection Process
The infection process begins with a seemingly simple component: a malicious shell script named aic.sh.
Once a vulnerable router is exposed, the device downloads this script and executes it. The script then establishes persistence, ensuring the malware survives system activity and remains active over time. It accomplishes this by creating a scheduled task known as a cron job, which runs automatically every hour.
After persistence is established, the script downloads the main malware payload, a binary executable file named kad. This program transforms the router into a full participant in the KadNap botnet.
From that moment forward, the infected router can receive instructions from the distributed command system and begin routing malicious traffic on behalf of the attackers.
A Criminal Proxy Network Called Doppelganger
Once compromised, each router becomes part of a commercial criminal infrastructure known as Doppelganger, a proxy service that sells access to hijacked devices.
Cybercriminals who purchase access to this network can route their traffic through infected routers around the world. This makes their activity appear as though it originates from normal residential internet connections rather than from suspicious servers or data centers.
Security researchers believe Doppelganger may be a rebranded version of Faceless, another well-known underground proxy network previously linked to the TheMoon malware campaign.
These proxy networks are often used for a wide range of cybercriminal activities, including spam campaigns, credential stuffing attacks, financial fraud, and the distribution of additional malware.
Because the traffic comes from legitimate home networks, it is far harder for organizations and security systems to detect or block it.
Global Impact of the KadNap Botnet
The geographic distribution of infected routers reveals how widespread the campaign has become.
Approximately 60 percent of compromised devices are located in the United States, making it the largest concentration of victims. However, the malware is far from limited to one region. Significant infection clusters have also been observed in Taiwan, Hong Kong, and Russia.
The global nature of the botnet creates serious challenges for cybersecurity defenders. Since malicious activity originates from residential IP addresses across multiple countries, it often bypasses common security controls such as geofencing and simple IP blocking.
In effect, the botnet turns ordinary home internet connections into an anonymous infrastructure for cybercrime.
Protecting Routers from Malware Infections
Security experts emphasize that protecting against threats like KadNap requires proactive management of network devices.
The first and most important step is keeping router firmware up to date. Manufacturers frequently release security patches to fix vulnerabilities, but many users never install them.
Another recommended strategy is periodically rebooting routers. Some types of malware operate only in device memory, meaning a reboot can disrupt or temporarily remove the infection.
Users should also review their router configuration and disable remote management features unless absolutely necessary. Administrative interfaces exposed directly to the internet significantly increase the risk of compromise.
By applying these simple but critical security practices, users can greatly reduce the likelihood that their devices become part of a malicious botnet.
What Undercode Say:
The Rising Value of Home Routers in Cybercrime
KadNap highlights a broader shift in cybercrime strategy. Instead of focusing solely on traditional endpoints like laptops and servers, attackers are increasingly targeting network infrastructure devices. Routers sit at the gateway between users and the internet, making them valuable assets for criminals.
Why Router Botnets Are Harder to Detect
Home routers typically lack advanced monitoring tools, logging capabilities, and endpoint protection software. As a result, infections often go unnoticed for long periods. A compromised router may continue operating normally while quietly forwarding malicious traffic in the background.
The Power of Residential IP Addresses
One of the biggest advantages for attackers is access to residential IP addresses. Security systems often trust traffic coming from home networks more than traffic from data centers. This trust can allow malicious activity to slip through filters designed to block suspicious infrastructure.
Decentralized Command Systems Are the Future
The use of distributed technologies like DHT for command-and-control demonstrates how botnets are evolving. Decentralized architectures are far more resilient because there is no single server that defenders can take down. This design approach mirrors legitimate peer-to-peer systems, making malicious activity harder to separate from normal internet traffic.
Consumer Hardware Security Remains Weak
Many consumer networking devices still ship with weak security defaults. Remote administration, outdated firmware, and limited patch management make them easy targets. Manufacturers have improved security in recent years, but millions of older devices remain vulnerable.
The Economics of Criminal Proxy Services
Services like Doppelganger illustrate how cybercrime has become industrialized. Instead of building their own infrastructure, criminals can simply rent access to existing proxy networks. This model lowers the barrier to entry for attackers and increases the scale of cyber operations.
A Warning for Internet Infrastructure
If botnets built from consumer routers continue to grow, they could become a major threat to global internet stability. Large distributed proxy networks could support massive denial-of-service campaigns or enable coordinated attacks against governments and enterprises.
KadNap may only be the latest example, but it signals a future where compromised networking devices form the backbone of underground digital economies.
Fact Checker Results
✅ Security researchers confirmed KadNap has infected over 14,000 routers globally.
✅ The malware uses Distributed Hash Table (DHT) technology to hide its command infrastructure.
❌ There is no confirmed public attribution yet identifying the exact cybercriminal group behind the campaign.
Prediction
🔮 Router-based botnets will continue to expand as more smart home and networking devices connect to the internet.
🔮 Cybercriminals will increasingly rely on residential proxy networks to hide their operations.
🔮 Security researchers may soon discover larger decentralized botnets using similar peer-to-peer architectures.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://stackoverflow.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




