Cybersecurity experts have uncovered KadNap, a novel malware that primarily targets Asus routers, integrating them into a secretive botnet to redirect malicious network traffic. Detected initially in August 2025, KadNap has infected over 14,000 devices, with the majority situated in the United States, as reported by Black Lotus Labs at Lumen. Other affected regions include Taiwan, Hong Kong, Russia, and several European countries.
Advanced Techniques for Evasion
KadNap utilizes a modified Kademlia Distributed Hash Table (DHT) protocol to obscure the IP addresses of its infrastructure, effectively evading standard network surveillance. This peer-to-peer approach allows compromised devices to connect with a command-and-control (C2) server, enhancing resistance to disruption attempts. Once compromised, these devices are marketed through a proxy service known as Doppelgänger, a rebranded version of a similar service connected to TheMoon malware.
The operators of KadNap have not limited their attacks to Asus routers, targeting a variety of edge networking devices. A shell script, identified as “aic.sh,” is downloaded from the C2 server and is central to enlisting the devices into the botnet. The script runs hourly, renaming itself and establishing persistence on the device. Following this setup, a malicious ELF file is deployed, further integrating the device into the botnet.
Decentralized Network Control
KadNap also connects to a Network Time Protocol (NTP) server to synchronize time and track host uptime, which is used to generate hashes that identify peers within the network. This design facilitates the malware’s robust communication capabilities, making it challenging to disrupt as it blends with legitimate peer-to-peer traffic. Notably, not all compromised devices communicate with every C2 server, suggesting a categorized infrastructure based on the type and model of devices.
Black Lotus Labs notes that the bots, managed by Doppelgänger, are exploited by cybercriminals, complicating attribution due to potential co-infections with other malware. Users of small office and home office (SOHO) routers are advised to regularly update their devices, change default passwords, and replace outdated models to bolster security against such threats.
Emerging Linux Threat: ClipXDaemon
The KadNap discovery coincides with the emergence of a new Linux threat known as ClipXDaemon, a malware that targets cryptocurrency users by altering copied wallet addresses. Delivered through the ShadowHS framework, ClipXDaemon is a clipboard hijacker operating in Linux X11 environments. It monitors clipboard activity, replacing legitimate wallet addresses with those controlled by attackers.
ClipXDaemon avoids execution in Wayland sessions to reduce detection risk, as Wayland requires explicit user interaction for clipboard access. Unlike traditional malware, it operates without C2 logic or remote tasking, directly monetizing victims by hijacking wallet addresses in real-time.
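The substitution described above leaves a signature a defender can watch for: the copied address is replaced, almost immediately, by a different address of the same type. The following detection logic is an added example written for this article, not code from the malware, the ShadowHS framework, or the researchers; the address patterns, the two-second window and the clipboard trace are constructed assumptions.

```python
import re

# Format patterns for a few common wallet-address types (constructed for this
# example; they check shape only, not checksums).
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_type(text):
    """Return the wallet-address type the text looks like, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def detect_swaps(snapshots, window_ms=2000):
    """snapshots: list of (time_ms, clipboard_text) from a polling monitor.

    A clipper overwrites the address the user copied with its own address of
    the same type almost immediately, so two different addresses of the same
    type within `window_ms` is the signal. Re-copying the same address, or
    switching to a different address type, does not trigger an alert."""
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        kind = address_type(prev)
        if kind is None or address_type(cur) != kind:
            continue
        if prev.strip() == cur.strip() or t_cur - t_prev > window_ms:
            continue
        alerts.append({"time_ms": t_cur, "type": kind,
                       "copied": prev.strip(), "replaced_with": cur.strip()})
    return alerts


# Constructed clipboard trace: the user copies an Ethereum-style address and
# 150 ms later the clipboard holds a different address of the same type.
SAMPLE_TRACE = [
    (0, "meeting notes"),
    (1000, "0x" + "a1" * 20),
    (1150, "0x" + "b2" * 20),
    (9000, "bc1" + "qpzry9x8gf2tvdw0s3jn54khce6mua7lqqq"),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_TRACE):
        print("possible clipboard hijack:", alert)
```

On a real X11 desktop the trace would come from polling the clipboard selection; the same comparison also catches a swap that happens inside a single poll interval, as long as the monitor saw the original copy first.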
These developments underline the growing sophistication of cyber threats, emphasizing the need for enhanced vigilance and updated security measures to protect vulnerable devices and networks.
