14,000 routers infected with KadNap malware form a takedown-resistant botnet that anonymously carries cybercrime traffic. The botnet currently averages around 14,000 active devices, up from 10,000 when researchers at Lumen Black Lotus Labs discovered it in August 2025. Most infected devices are Asus routers located in the United States. The high concentration of Asus routers is likely because the botnet operators found reliable exploits for vulnerabilities affecting those models.
KadNap uses a custom Kademlia distributed hash table implementation to hide its command and control infrastructure. The peer-to-peer design conceals C2 server IP addresses and makes traditional centralized takedowns far more difficult. Chris Formosa and Steve Rudd from Black Lotus Labs wrote, "The KadNap botnet stands out among others that support anonymous proxies in its use of a peer-to-peer network for decentralized control. Their intention is clear. Avoid detection and make it difficult for defenders to protect against."
Kademlia uses a 160-bit space for both keys and node IDs. Keys are unique bitstrings derived by hashing a chunk of data. Each node is assigned an ID and maintains routing table entries for other nodes, organized by how close those nodes' IDs are to its own. Proximity is measured using XOR distance. When a node looks up a key, it uses this metric to iteratively query the nodes whose IDs are closest to the key until it finds a match.
Formosa explained the process using an analogy similar to how lookups work in the distributed hash table used by BitTorrent. A node enters the network with a secret passphrase and asks nearby peers who might recognize it. Those peers return addresses of other nodes that are closer to the target. The search continues across the network until a node recognizes the passphrase and responds with configuration data and the command and control address the malware should contact.
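The lookup described above, as an added illustration that is not code from the article or from the KadNap sample: a simplified Kademlia network of constructed node IDs, each keeping up to K peers per k-bucket, and an iterative lookup that asks the closest known nodes until none closer turns up. The passphrase, node labels, and bucket sizes are assumptions for the demonstration; the point is that the key is found by routing, with no fixed address to block.

```python
import hashlib

ID_BITS = 160   # Kademlia ID/key space width, as on the page
K = 8           # k-bucket size and number of contacts returned per query
ALPHA = 3       # parallel queries per lookup round

def kad_id(label: str) -> int:
    """Hash a label into a 160-bit integer usable as a node ID or key."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big")

def distance(a: int, b: int) -> int:
    """Kademlia's XOR metric: a smaller value means closer."""
    return a ^ b

def prefix_len(a: int, b: int) -> int:
    """Leading bits a and b share; this picks the k-bucket a peer lands in."""
    return ID_BITS - (a ^ b).bit_length()

def build_tables(ids):
    """Constructed network: every node keeps up to K peers per k-bucket."""
    tables = {}
    for me in ids:
        buckets = {}
        for peer in ids:
            if peer != me:
                buckets.setdefault(prefix_len(me, peer), []).append(peer)
        tables[me] = [p for b in buckets.values() for p in b[:K]]
    return tables

def lookup(tables, start: int, key: int):
    """Iterative lookup from `start`: ask the closest unqueried nodes until the
    closest node known has already answered. Returns (closest_id, nodes_queried)."""
    known, queried = {start}, set()
    while True:
        best = min(known, key=lambda n: distance(n, key))
        if best in queried:
            return best, len(queried)
        todo = sorted((n for n in known if n not in queried),
                      key=lambda n: distance(n, key))[:ALPHA]
        for n in todo:
            queried.add(n)
            # FIND_NODE reply: the K contacts n knows that are closest to key
            known.update(sorted(tables[n], key=lambda p: distance(p, key))[:K])

NODE_IDS = [kad_id(f"node-{i}") for i in range(200)]   # constructed peer set
TABLES = build_tables(NODE_IDS)

def closest_by_scan(key: int) -> int:
    """Ground truth for checking: scan every node instead of routing."""
    return min(NODE_IDS, key=lambda n: distance(n, key))
```

Running `lookup(TABLES, NODE_IDS[0], kad_id("secret-passphrase"))` reaches the node that would hold the passphrase's record after only a handful of queries, which is why blocking any single peer does not break the lookup.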
Black Lotus Labs developed methods to block network traffic to and from the control infrastructure despite the decentralized design. The lab is distributing indicators of compromise to public feeds so network defenders can identify and block infected devices. Infected routers carry traffic for the Doppelganger proxy network, a fee-based proxy service that tunnels customer traffic through the internet connections of unsuspecting people. Most connections are residential. With high bandwidth and IP addresses that appear legitimate, the service allows customers to route traffic through networks that many websites trust.
Check device logs for IP addresses and file hashes listed on the Black Lotus Labs indicators of compromise page. Restarting an infected router will not fix the problem. KadNap installs persistence through shell scripts and cron jobs that re-download the malware after a reboot. A factory reset is required to disinfect the device. After resetting the router, install all available firmware updates, set strong administrative passwords, and disable remote access unless it is absolutely necessary.
The infections stem from unpatched firmware vulnerabilities. The exploits are not zero-days. Security updates exist, but many devices never received them. As a result, thousands of routers now carry anonymous traffic for criminals who subscribe to the Doppelganger proxy service. These residential connections are used to route cybercrime traffic through legitimate household internet links. Your router could be part of this network right now. Compromised devices are overwhelmingly located in the United States, with smaller clusters in Taiwan, Hong Kong, and Russia. A residential IP address with a clean reputation provides cover for criminal activity. The infected router supplies the bandwidth while the operator profits from proxy subscriptions.
The peer-to-peer architecture spreads control across thousands of nodes. Traditional sinkholing and centralized takedown methods are far less effective against distributed hash table designs. The same resilience that makes BitTorrent difficult to shut down is now being used to operate a botnet that carries cybercrime traffic. KadNap succeeds because large numbers of routers remain exposed to known vulnerabilities. Installing firmware updates, changing default credentials, and disabling unnecessary remote administration removes the attack surface the malware depends on.
FAQ
What is KadNap?
KadNap is malware that infects routers using unpatched vulnerabilities and uses distributed hash table architecture to hide command and control servers. The botnet currently averages 14,000 active devices, mostly Asus routers in the United States.
How does KadNap resist takedowns?
KadNap uses a custom Kademlia distributed hash table implementation that spreads control across thousands of nodes. The peer-to-peer design conceals C2 server IP addresses and makes traditional centralized takedowns far more difficult.
What is Doppelganger?
Doppelganger is a fee-based proxy service that tunnels customer traffic through infected routers. Criminals subscribe to route cybercrime traffic through residential IP addresses with clean reputations and high bandwidth.
How do I remove KadNap from my router?
Restarting will not fix the infection because KadNap uses shell scripts and cron jobs to re-download malware after reboot. Factory reset is required, followed by installing all firmware updates, changing default passwords, and disabling remote access.
How did routers get infected?
KadNap exploits unpatched firmware vulnerabilities. The exploits are not zero-days. Security updates exist but many router owners never installed them, leaving devices exposed to known vulnerabilities.
