Executive Summary
In August 2025, cybersecurity researchers identified a new malware strain named KadNap, which primarily targets Asus routers to conscript them into a botnet used for proxying malicious traffic. By March 2026, over 14,000 devices had been infected, with more than 60% located in the United States. KadNap employs a customized version of the Kademlia Distributed Hash Table (DHT) protocol, enabling it to conceal command-and-control (C2) infrastructure within a peer-to-peer network, thereby evading traditional network monitoring and enhancing resilience against detection and disruption efforts. The malware is distributed through a shell script that establishes persistence via cron jobs, downloads a malicious ELF file, and executes it, effectively integrating the compromised device into the botnet. (thehackernews.com)
The emergence of KadNap underscores a growing trend of sophisticated malware targeting edge networking devices, exploiting their vulnerabilities to build resilient botnets. This incident highlights the critical need for organizations and individuals to secure their network infrastructure, as such compromised devices can be leveraged for various malicious activities, including anonymizing cybercriminal operations and facilitating large-scale attacks. (bleepingcomputer.com)
Why This Matters Now
The KadNap botnet's rapid expansion and sophisticated evasion techniques exemplify the escalating threat posed by malware targeting edge devices. As these devices often lack robust security measures, they present attractive targets for cybercriminals. The incident serves as a stark reminder of the importance of securing network infrastructure to prevent exploitation and mitigate potential large-scale cyberattacks.
Attack Path Analysis
The KadNap malware campaign began with the exploitation of vulnerabilities in Asus routers, leading to the download and execution of a malicious shell script. This script established persistence and deployed the KadNap malware, which then connected to a peer-to-peer network using a modified Kademlia Distributed Hash Table protocol to locate command-and-control servers. The infected devices were subsequently utilized as proxies for malicious traffic, facilitating various cybercriminal activities.
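To make the "no fixed C2 address" point concrete, the following simulation (added here, not KadNap's code and not from any of the cited sources) runs a classic Kademlia FIND_NODE walk over a small in-memory overlay. It assumes the standard Kademlia defaults (160-bit SHA-1 IDs, K=8 contacts per bucket, ALPHA=3 parallel queries); the node count, the peer names and the "c2-record" rendezvous key are constructed. Each peer only knows a slice of the network, yet the iterative lookup still converges on the nodes responsible for the key, which is why blocking any single IP does not break the overlay.

```python
"""Kademlia-style lookup over 160-bit IDs: how a peer resolves a record
without a fixed C2 address. Added simulation with the classic Kademlia
defaults; nothing here is KadNap's actual protocol or constants."""
import hashlib
from dataclasses import dataclass, field

K = 8        # contacts kept per bucket and returned per FIND_NODE (classic default)
ALPHA = 3    # parallel queries per lookup round (classic default)


def make_id(seed: str) -> int:
    """160-bit node or key ID derived from a seed string (SHA-1, as in Kademlia)."""
    return int.from_bytes(hashlib.sha1(seed.encode()).digest(), "big")


def xor_distance(a: int, b: int) -> int:
    """Kademlia's metric: XOR of the two IDs, compared as an unsigned integer."""
    return a ^ b


@dataclass
class Network:
    """In-memory overlay: each node's routing table holds up to K contacts per
    XOR-distance bucket. No node knows every other node, which is the point."""
    ids: list
    tables: dict = field(default_factory=dict)

    def find_node(self, queried: int, target: int) -> list:
        """The FIND_NODE RPC: the queried peer answers with the K contacts it
        knows that are closest to target; there is no central server to name."""
        return sorted(self.tables[queried], key=lambda n: xor_distance(n, target))[:K]


def build_network(n_nodes: int) -> Network:
    """Constructed overlay of n_nodes peers with bucket-limited routing tables."""
    ids = [make_id(f"peer-{i}") for i in range(n_nodes)]
    net = Network(ids)
    for me in ids:
        buckets = {}
        for other in ids:
            if other != me:
                # bucket index = position of the highest bit where the IDs differ
                buckets.setdefault((me ^ other).bit_length() - 1, []).append(other)
        net.tables[me] = [c for b in buckets.values() for c in sorted(b)[:K]]
    return net


def iterative_lookup(net: Network, start: int, target: int):
    """Iterative FIND_NODE walk: query the ALPHA closest unqueried contacts,
    merge their answers, stop when the K closest known nodes are all queried.
    Returns (closest K node IDs, number of peers queried)."""
    shortlist = net.find_node(start, target)
    queried = {start}
    n_queries = 0
    while True:
        batch = [n for n in shortlist if n not in queried][:ALPHA]
        if not batch:
            return shortlist, n_queries
        for peer in batch:
            queried.add(peer)
            n_queries += 1
            for contact in net.find_node(peer, target):
                if contact not in shortlist:
                    shortlist.append(contact)
        shortlist.sort(key=lambda n: xor_distance(n, target))
        del shortlist[K:]


def true_closest(net: Network, target: int) -> list:
    """Ground truth for comparison: a global sort that no single peer can perform."""
    return sorted(net.ids, key=lambda n: xor_distance(n, target))[:K]


if __name__ == "__main__":
    net = build_network(64)
    key = make_id("c2-record")  # hypothetical rendezvous key for the C2 record
    found, queries = iterative_lookup(net, net.ids[0], key)
    print(f"queried {queries} of {len(net.ids)} peers; best match correct:",
          found[0] == true_closest(net, key)[0])
```

The defensive takeaway is in `iterative_lookup`: the walk only ever needs a handful of live peers and a key, so takedown or blocking has to target the overlay's behaviour (peer churn, lookup traffic) rather than a server address.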
Kill Chain Progression
Initial Compromise
Description
Attackers exploited known vulnerabilities in Asus routers (the CVEs listed below) to gain unauthorized access, then downloaded a malicious shell script ('aic.sh') from a command-and-control server and executed it on the device.
Related CVEs
CVE-2024-3080 (CVSS 9.8)
An authentication bypass vulnerability in multiple ASUS router models allows unauthenticated remote attackers to log in to the device.
Affected Products:
ASUS ZenWiFi XT8 – < 3.0.0.4.386_52332
ASUS RT-AX88U – < 3.0.0.4.386_52332
ASUS RT-AX58U – < 3.0.0.4.386_52332
ASUS RT-AX57 – < 3.0.0.4.386_52332
ASUS RT-AC86U – < 3.0.0.4.386_52332
ASUS RT-AC68U – < 3.0.0.4.386_52332
Exploit Status: exploited in the wild
CVE-2024-3912 (CVSS 9.8)
An arbitrary firmware upload vulnerability in multiple ASUS router models allows unauthenticated remote attackers to execute arbitrary system commands.
Affected Products:
ASUS ZenWiFi XT8 – < 3.0.0.4.386_52332
ASUS RT-AX88U – < 3.0.0.4.386_52332
ASUS RT-AX58U – < 3.0.0.4.386_52332
ASUS RT-AX57 – < 3.0.0.4.386_52332
ASUS RT-AC86U – < 3.0.0.4.386_52332
ASUS RT-AC68U – < 3.0.0.4.386_52332
Exploit Status: exploited in the wild
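A quick way to turn the "< 3.0.0.4.386_52332" rows above into an actionable check is to compare the firmware string a router reports against the fixed build numerically. The helper below is added here (it is not ASUS tooling and not from the advisory); it assumes ASUS's "dotted-base_build" version format and applies the fixed build only to the six models the advisory lists, reporting anything else as "not listed" so that the reader checks ASUS's own notice instead of assuming. The version strings in the sample calls are constructed.

```python
"""Compare an ASUS firmware version string against the fixed build named in
the advisory for CVE-2024-3080 / CVE-2024-3912. Added helper, not ASUS tooling."""
import re

FIXED_BUILD = "3.0.0.4.386_52332"
LISTED_MODELS = {"ZenWiFi XT8", "RT-AX88U", "RT-AX58U", "RT-AX57", "RT-AC86U", "RT-AC68U"}

# e.g. "3.0.0.4.386_51685"; anything after the build number (a git suffix, say) is ignored
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)+)_(\d+)")


def parse_version(version: str) -> tuple:
    """Turn '3.0.0.4.386_52332' into (3, 0, 0, 4, 386, 52332) so that tuples compare
    numerically; a plain string compare would rank build 9999 above build 52332."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised ASUS firmware version: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")) + (int(m.group(2)),)


def is_below_fix(version: str, fixed: str = FIXED_BUILD) -> bool:
    """True when the running build predates the fixed build (newer branches such as
    3.0.0.4.388_x or 3.0.0.6.x sort above 3.0.0.4.386_x and are treated as fixed)."""
    return parse_version(version) < parse_version(fixed)


def assess(model: str, version: str) -> str:
    """'vulnerable', 'patched', or 'not listed' (model absent from the advisory's table;
    consult ASUS's security notice rather than assuming either way)."""
    if model not in LISTED_MODELS:
        return "not listed"
    return "vulnerable" if is_below_fix(version) else "patched"


if __name__ == "__main__":
    # constructed inputs, not observed device data
    for model, ver in [("RT-AX88U", "3.0.0.4.386_51685"),
                       ("RT-AX88U", "3.0.0.4.388_24198"),
                       ("RT-AC86U", FIXED_BUILD),
                       ("RT-AX86U", "3.0.0.4.386_51685")]:
        print(f"{model:12} {ver:20} {assess(model, ver)}")
```

A version check only tells you whether the device is still exposed to the listed flaws; it says nothing about whether it was already compromised, so pair it with the persistence and traffic checks in the recommendations section.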
MITRE ATT&CK® Techniques
Application Layer Protocol: Web Protocols (T1071.001)
Proxy: External Proxy (T1090.002)
Protocol Tunneling (T1572)
Scheduled Task/Job: Cron (T1053.003)
Command and Scripting Interpreter: Unix Shell (T1059.004)
Indicator Removal: File Deletion (T1070.004)
Exploit Public-Facing Application (T1190)
System Information Discovery (T1082)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Device Security
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
KadNap botnet targeting 14,000+ edge devices creates critical infrastructure vulnerabilities, compromising network segmentation and enabling malicious traffic proxying through telecom equipment.
Computer Networking
Asus routers and networking devices compromised by DHT-based botnet expose enterprise networks to lateral movement, command-and-control communications, and encrypted traffic exfiltration.
Financial Services
ClipXDaemon cryptocurrency clipper malware targeting Linux environments threatens financial institutions' digital asset operations through real-time wallet address substitution attacks.
Internet
Peer-to-peer botnet infrastructure using Kademlia DHT protocol enables anonymous proxy services, facilitating cybercriminal activities while evading traditional network monitoring and detection.
Sources
- KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet (The Hacker News): https://thehackernews.com/2026/03/kadnap-malware-infects-14000-edge.html
- High-severity vulnerabilities affect a wide range of Asus router models (Ars Technica): https://arstechnica.com/security/2024/06/high-severity-vulnerabilities-affect-a-wide-range-of-asus-router-models/
- Critical Vulnerabilities in ASUS' Router Products (CSA Singapore): https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2024-073/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to the KadNap malware incident as it could likely limit the malware's ability to exploit vulnerabilities, establish unauthorized communications, and utilize infected devices for malicious activities.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF would likely limit unauthorized access by enforcing strict identity-based policies, reducing the attack surface available for exploitation.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely limit what a compromised device can reach by enforcing least-privilege access controls, reducing the scope of potential damage.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely limit potential lateral movement by monitoring and controlling internal traffic, even though the malware did not exhibit such behavior.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control would likely limit unauthorized command-and-control communications by providing real-time monitoring and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely limit the use of infected devices as proxies by controlling and monitoring outbound traffic, so that a compromised device's enrollment in the botnet is constrained and its availability for cybercriminal activities reduced.
Impact at a Glance
Affected Business Functions
- Network Infrastructure
- Internet Connectivity
- Remote Access Services
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of network traffic data and device configurations.
Recommended Actions
Key Takeaways & Next Steps
- Implement robust patch management so that edge devices receive firmware fixes promptly; for the models listed above, that means running 3.0.0.4.386_52332 or later.
- Enforce strict access controls, change default credentials, and disable WAN-side remote administration where it is not needed.
- Inspect router persistence points (cron entries, startup scripts) for download-and-run commands, and block known-malicious script downloads at the perimeter.
- Use network segmentation to limit the impact of compromised devices and prevent their use as proxies.
- Monitor network traffic for anomalies indicative of peer-to-peer communications, such as a router contacting many unrelated hosts on ephemeral ports.