Asus Routers Under Attack: Understanding the KadNap Botnet Threat

Asus Routers Under Attack: Understanding the KadNap Botnet Threat

Asus Routers Under Attack: Understanding the KadNap Botnet Threat

A recent discovery by Black Lotus Labs has uncovered a massive botnet of over 14,000 Asus routers, built by malware known as KadNap. This botnet is being used to spread malicious traffic, with 60% of the infected devices located in the US.

What is KadNap Malware?

KadNap malware was first spotted in August 2025 and is designed to target Asus routers and edge networking devices. It uses the Kademlia distributed hash table (DHT) protocol to hide its originating IP address, making it difficult for defenders to detect and disrupt the botnet.

Once a device is infected, it downloads a shell script and starts the process of adding the device to the botnet. The malware then uses the DHT protocol to locate and connect with a command-and-control (C2) server, allowing it to receive additional payloads and build a bot network.

How Does KadNap Work?

KadNap uses a custom version of the DHT protocol to hide the IP address of the C2 server. This allows newly infected routers to find and connect to previously infected nodes, sharing additional payloads and building a bot network.

The KadNap botnet stands out among others that support anonymous proxies in its use of a peer-to-peer network for decentralized control. The intention is clear: avoid detection and make it difficult for defenders to protect against.

What Can Enterprises Do?

Lumen advises security professionals to keep watch for attacks on weak credentials or suspicious logins, even if they seem to come from safe IP addresses. Additional advice includes protecting cloud assets from communicating with bots and making use of Web Application Firewalls.

For users of small office or home office (SOHO) routers, Lumen recommends ensuring routers are patched, updated, and rebooted regularly, bolstering password security, and replacing outdated or unsupported devices.

Protecting Against KadNap

To protect against KadNap, it’s essential to check if devices aren’t connecting to public BitTorrent trackers. Additionally, security professionals should be aware of the indicators of compromise (IoC) and take steps to protect against them.

By understanding the KadNap botnet threat and taking proactive steps to protect against it, enterprises and individuals can reduce the risk of falling victim to this malicious malware.

Conclusion

The KadNap botnet is a significant threat to organizations and individuals alike. By using a peer-to-peer network for decentralized control, the malware makes it difficult for defenders to detect and disrupt the botnet.

It’s essential to take proactive steps to protect against KadNap, including keeping routers patched and updated, bolstering password security, and being aware of the indicators of compromise.

By working together, we can reduce the risk of falling victim to this malicious malware and protect our devices and networks from the KadNap botnet threat.

Frequently Asked Questions

  • What is the KadNap botnet?
  • How does KadNap malware work?
  • What can enterprises do to protect against KadNap?
  • How can I protect my SOHO router from KadNap?
  • What are the indicators of compromise for KadNap?