A Botnet That Refuses to Die
Security researchers at Lumen's Black Lotus Labs have uncovered a sophisticated botnet that has quietly enslaved roughly 14,000 routers and network devices — predominantly Asus consumer models — into a proxy network serving cybercriminal operations. The malware, which the researchers have named KadNap, distinguishes itself from the vast majority of botnets through a peer-to-peer architecture that makes it extraordinarily difficult to take down.
The infection count has grown from approximately 10,000 devices when Black Lotus first discovered the botnet last August to 14,000 as of early March. The overwhelming majority of compromised devices are located in the United States, with smaller clusters in Taiwan, Hong Kong, and Russia. The high concentration of Asus routers among the victims suggests the botnet operators have acquired a reliable exploit targeting vulnerabilities in specific Asus firmware versions.
How KadNap Spreads and Persists
According to Black Lotus researcher Chris Formosa, KadNap gains its initial foothold by exploiting known but unpatched vulnerabilities in consumer-grade routers. These are not zero-day exploits requiring specialized skills — they are publicly documented security flaws that manufacturers have issued patches for, but that device owners have never applied. The gap between patch availability and patch installation remains one of the most persistent problems in cybersecurity, and botnets like KadNap ruthlessly exploit it.
Once installed on a router, KadNap transforms the device into a node in a distributed proxy network. Traffic from cybercriminal operations — fraud, credential stuffing, web scraping, and other malicious activities — is routed through the compromised routers, making it appear to originate from legitimate residential IP addresses. This residential proxy service is then sold to other criminals, providing the botnet operators with a steady revenue stream.
What makes KadNap particularly dangerous is its use of a peer-to-peer communication protocol based on Kademlia, a well-known distributed hash table algorithm originally developed for legitimate file-sharing applications. In a traditional botnet, compromised devices receive instructions from a central command-and-control server. Law enforcement and security teams can disrupt these botnets by identifying and seizing the command server, effectively cutting off the head of the snake.
The Kademlia Advantage
KadNap's Kademlia-based architecture eliminates this single point of failure. Instead of connecting to a central server, each infected router maintains a routing table of other infected devices. Commands propagate through the network in a distributed fashion, hopping from node to node using the Kademlia protocol's efficient routing algorithm. There is no central server to seize, no single IP address to block, and no obvious chokepoint where the network can be disrupted.
If some nodes are cleaned up or taken offline, the remaining nodes automatically reorganize their routing tables to maintain network connectivity. The Kademlia protocol was specifically designed to be resilient to node churn — devices joining and leaving the network — which makes it naturally resistant to partial takedowns. The botnet can lose a significant fraction of its nodes and continue operating with minimal disruption.
This design represents a meaningful evolution in botnet architecture. While peer-to-peer botnets have existed for years, KadNap's implementation of Kademlia is notably sophisticated, using cryptographic verification of routing table entries to prevent security researchers from injecting false nodes into the network as a disruption tactic.
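To see why the distributed design described above blunts partial takedowns, here is an added simulation (not code from Black Lotus Labs or from the article) of Kademlia-style XOR-distance routing: a constructed network of 300 peers with 16-bit ids and k-buckets of size 8, from which a fraction of peers is removed before lookups between the survivors are retried, with stale contacts simply timing out. The peer count, id width, bucket size and random seeds are arbitrary choices for the simulation, not values from the page.

```python
import random

K = 8          # k-bucket size, kept small for this constructed simulation
ID_BITS = 16   # node id width; real Kademlia uses 160 bits

class Node:  # one peer: its id plus one k-bucket per XOR-distance range
    def __init__(self, node_id):
        self.id = node_id
        self.buckets = [[] for _ in range(ID_BITS)]
    def add_contact(self, other_id):
        if other_id != self.id:
            bucket = self.buckets[(self.id ^ other_id).bit_length() - 1]
            if other_id not in bucket and len(bucket) < K:  # full bucket: ignore
                bucket.append(other_id)
    def closest(self, target, n=K):  # the n known contacts nearest to target
        contacts = [c for b in self.buckets for c in b]
        return sorted(contacts, key=lambda c: c ^ target)[:n]

def build_network(size, seed=1):  # random ids; each node learns up to K peers per bucket
    rng = random.Random(seed)
    ids = rng.sample(range(1 << ID_BITS), size)
    nodes = {i: Node(i) for i in ids}
    for node in nodes.values():
        for other in ids:
            node.add_contact(other)
    return nodes

def lookup(nodes, start_id, target, max_queries=40):
    """Iterative Kademlia lookup. A contact missing from `nodes` is treated as
    timed out, which is how a cleaned-up or unplugged peer looks to the rest."""
    shortlist, queried = {start_id}, set()
    for _ in range(max_queries):
        live = [c for c in shortlist if c in nodes and c not in queried]
        if not live:
            return False
        nxt = min(live, key=lambda c: c ^ target)
        if nxt == target:
            return True
        queried.add(nxt)
        shortlist.update(nodes[nxt].closest(target))
    return False

def remove_fraction(nodes, fraction, seed=2):  # partial takedown; survivors keep stale contacts
    for victim in random.Random(seed).sample(list(nodes), int(len(nodes) * fraction)):
        del nodes[victim]
    return nodes

def success_rate(nodes, trials=100, seed=3):  # share of live-to-live lookups that succeed
    rng, ids = random.Random(seed), list(nodes)
    return sum(lookup(nodes, *rng.sample(ids, 2)) for _ in range(trials)) / trials
```

Before the takedown every lookup succeeds; after 30% of the peers are removed, lookups between the survivors still overwhelmingly succeed because each k-bucket holds several alternatives for every distance range, which is the churn tolerance the text describes.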
The Asus Connection
The heavy concentration of Asus routers among KadNap's victims raises questions about the security posture of these widely used consumer devices. Asus consumer routers have been the subject of multiple security advisories in recent years, with vulnerabilities ranging from authentication bypasses to remote code execution flaws. While Asus regularly releases firmware updates to address these issues, the vast majority of consumer router owners never update their firmware.
Unlike smartphones and computers, which typically update automatically, most consumer routers require manual firmware updates that involve downloading files from the manufacturer's website and uploading them through the router's administration interface. Many users are unaware that their router even has firmware, let alone that it needs updating. This creates a permanent population of vulnerable devices that botnet operators can harvest at will.
Defending Against KadNap
For individual router owners, the most effective defense is straightforward: update your router's firmware. Asus provides firmware updates through its support website and has introduced an automatic update feature in newer models. Changing default administrator passwords and disabling remote management access from the internet are also essential steps that close the most commonly exploited attack vectors.
For the broader security community, KadNap highlights the need for new approaches to botnet takedowns. Traditional methods that rely on seizing command-and-control infrastructure are ineffective against peer-to-peer designs. Alternative strategies might include coordinated vulnerability disclosure and forced patching through ISP cooperation, automated detection of botnet traffic patterns at the network level, or legal frameworks that hold device manufacturers accountable for shipping products with known security deficiencies.
As consumer Internet of Things devices proliferate — routers, cameras, smart speakers, and appliances — the pool of poorly maintained, internet-connected devices available for botnet recruitment continues to grow. KadNap is a warning of what happens when that pool meets sophisticated malware engineering.
This article is based on reporting by Ars Technica.