14,000 routers infected by KadNap botnet using takedown‑resistant P2P design
Security researchers uncovered a takedown‑resistant botnet that has conscripted roughly 14,000 routers and other network devices—primarily Asus models—into a proxy network that anonymously carries traffic used for cybercrime. The malware, dubbed KadNap, gains access by exploiting vulnerabilities that device owners have left unpatched, Chris Formosa, a researcher at Lumen’s Black Lotus Labs, said.
The number of infected routers averages about 14,000 per day, up from about 10,000 last August when Black Lotus first discovered the botnet. Compromised devices are concentrated in the United States, with smaller populations in Taiwan, Hong Kong, and Russia. The high share of Asus devices likely reflects operators obtaining a reliable exploit for those models, and Formosa said it’s unlikely the attackers are relying on zero‑day flaws.
KadNap's most notable feature is a peer-to-peer architecture based on Kademlia, a distributed hash table design that the botnet uses to hide the IP addresses of its command-and-control servers.