14,000 Infected Routers Power a Covert Proxy Botnet
A botnet of roughly 14,000 routers and network devices — primarily Asus models located in the United States — has been silently conscripted into a criminal proxy network. Instead of obvious disruption, the infected devices operate quietly, routing anonymous cybercriminal traffic through ordinary residential internet connections.
The scale of infection has grown steadily. What began at approximately 10,000 compromised devices last August has now climbed to roughly 14,000 infected devices observed per day. While the overwhelming majority of affected routers are based in the U.S., additional clusters have surfaced in Taiwan, Hong Kong, and Russia.
Security researchers at Lumen’s Black Lotus Labs identified the operation and named the malware strain KadNap, highlighting its unusually resilient architecture and commercial purpose.
KadNap Malware Exploits Unpatched Router Vulnerabilities
Known Vulnerabilities — No Zero-Day Required
KadNap does not rely on newly discovered zero-day exploits. Instead, it abuses vulnerabilities in specific Asus router models for which fixes already exist but have not been applied by the owners. The concentration of Asus hardware within the botnet suggests the attackers have a reliable exploit for those devices.
The infection vector is simple but effective: device owners failed to install available security updates, leaving older security holes exposed. The result is a large-scale compromise driven by neglected maintenance rather than cutting-edge intrusion techniques.
Infection Growth and Geographic Distribution
The number of compromised routers has steadily increased from roughly 10,000 to approximately 14,000 infected devices observed per day. The United States accounts for the majority, though international clusters have emerged in:
- Taiwan
- Hong Kong
- Russia
The geographic distribution reflects both the prevalence of vulnerable hardware and the attackers’ targeted exploitation methods.
Peer-to-Peer Botnet Architecture Built on Kademlia
How KadNap Uses Distributed Hash Tables (DHTs)
What distinguishes KadNap from conventional botnets is its decentralized control model. Rather than relying on centralized command-and-control (C2) servers, KadNap is built on Kademlia, a peer-to-peer protocol powered by distributed hash tables (DHTs).
In traditional botnets, central servers coordinate malicious traffic. Disrupting those servers can dismantle the network. KadNap avoids that weakness by distributing control across all infected nodes.
Each node:
- Stores data and answers lookups on behalf of the network
- Is identified within the DHT by a hashed node ID; peers still exchange traffic over ordinary IP, but the malware ships with no hard-coded C2 address to block
- Relies on peer lookups rather than instructions from a central server
This structure makes detection and takedown significantly more complex: there is no single server to sinkhole, and blocking any one peer leaves the rest reachable.
How Kademlia Routing Obscures Command Infrastructure
Kademlia assigns each node a unique identifier within a 160-bit space. Nodes organize and locate peers using XOR-based distance calculations. When one node seeks a target, it queries neighboring nodes, progressively narrowing the search with each hop.
KadNap bootstraps into this structure through the public BitTorrent DHT, which is itself a Kademlia network. The bot needs no hard-coded C2 address; it carries only a secret lookup key and the addresses of some entry peers. From there, the discovery process unfolds:
- The infected node contacts entry BitTorrent peers and asks for the secret key.
- Each peer answers with references to peers closer to the key.
- The search continues hop by hop, clearing at least one bit of the remaining XOR distance per step.
- Eventually, the node reaches the peer holding the command data.
Upon a successful lookup, the infected device retrieves two files:
- One instructing it to firewall port 22, blocking inbound SSH to the device
- One containing the current command-and-control address
Because the C2 address lives in the DHT rather than in the malware, the operators can change it without touching the bots, and there is no single server whose seizure dismantles the network. Taking the botnet down in practice means cleaning or cutting off the infected nodes themselves.
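The following is an added example, not KadNap code or Black Lotus Labs tooling: a toy Kademlia DHT in Python that shows why a bot needs only a lookup key and a few entry peers to find the node holding its command data. Node IDs are 160-bit SHA-1 values and distance is XOR, as in the Kademlia paper and the BitTorrent DHT; the network size, bucket size, the "secret" key and the stored C2 string are made-up test values.

```python
"""Toy Kademlia DHT: 160-bit SHA-1 IDs, XOR distance, per-bit buckets, and an
iterative FIND_VALUE lookup. Added example, not malware code. The key, the
stored value and the network size are constructed for the demo."""
import hashlib

ID_BITS = 160
K = 4  # bucket size and replication factor (real deployments use k = 20)


def sha1_id(data: bytes) -> int:
    """160-bit identifier, the way Kademlia/BitTorrent derive node IDs and keys."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def xor_distance(a: int, b: int) -> int:
    return a ^ b


class Node:
    def __init__(self, node_id: int):
        self.id = node_id
        # buckets[i] holds up to K peers whose XOR distance from us has bit i as its top bit
        self.buckets = [[] for _ in range(ID_BITS)]
        self.store = {}  # key -> value held on behalf of the network

    def add_peer(self, peer_id: int) -> None:
        d = xor_distance(self.id, peer_id)
        if d == 0:
            return
        bucket = self.buckets[d.bit_length() - 1]
        if len(bucket) < K:
            bucket.append(peer_id)

    def find_node(self, target: int) -> list:
        """FIND_NODE RPC: the K peers we know that are closest to target."""
        known = [p for b in self.buckets for p in b]
        return sorted(known, key=lambda p: xor_distance(p, target))[:K]

    def find_value(self, key: int):
        """FIND_VALUE RPC: the stored value if we hold it, otherwise closer peers."""
        if key in self.store:
            return "value", self.store[key]
        return "nodes", self.find_node(key)


def build_network(n: int) -> dict:
    """Construct n nodes and fill their routing tables from one another."""
    nodes = {sha1_id(f"peer-{i}".encode()): None for i in range(n)}
    for nid in nodes:
        nodes[nid] = Node(nid)
    for node in nodes.values():
        for other in nodes:
            node.add_peer(other)
    return nodes


def publish(nodes: dict, key: int, value) -> list:
    """STORE: replicate the value on the K nodes whose IDs are closest to key."""
    holders = sorted(nodes, key=lambda nid: xor_distance(nid, key))[:K]
    for nid in holders:
        nodes[nid].store[key] = value
    return holders


def iterative_find_value(nodes: dict, key: int, bootstrap: list):
    """Iterative lookup from a few entry peers. Each queried peer returns peers
    strictly closer to the key, so the shortlist converges on the holders.
    Returns (value, hops), or (None, hops) if nothing is stored under key."""
    queried = set()
    shortlist = sorted(bootstrap, key=lambda p: xor_distance(p, key))[:K]
    hops = 0
    while True:
        pending = [p for p in shortlist if p not in queried]
        if not pending:
            return None, hops
        peer = pending[0]  # closest peer not yet asked
        queried.add(peer)
        hops += 1
        kind, payload = nodes[peer].find_value(key)
        if kind == "value":
            return payload, hops
        shortlist = sorted(set(shortlist) | set(payload),
                           key=lambda p: xor_distance(p, key))[:K]


def demo():
    """A fresh bot knows only the secret key and three entry peers."""
    net = build_network(200)
    key = sha1_id(b"constructed-secret-lookup-key")   # hypothetical, not a real IoC
    holders = publish(net, key, "c2.example.invalid:443")  # made-up C2 address
    bootstrap = list(net)[:3]
    value, hops = iterative_find_value(net, key, bootstrap)
    return value, hops, holders


if __name__ == "__main__":
    print(demo())
```

Note what the bot binary never contains: an IP address. A defender who only sinkholes a domain or blocks one IP gains nothing; the operators republish the value under the same key on whichever peers are now closest to it.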
Doppelganger Proxy Service: The Commercial Engine Behind the Botnet
Residential IP Abuse for Anonymous Traffic
The infected routers serve a specific commercial function. They provide infrastructure for Doppelganger, a fee-based proxy service that tunnels customer internet traffic through unsuspecting residential connections.
This setup delivers significant advantages to paying clients:
- High-bandwidth residential connections
- IP addresses with clean reputations
- Reliable access to websites that might otherwise restrict or block them
In effect, compromised homeowners unknowingly supply infrastructure for anonymous web access and potentially illicit online activity.
Why Residential Proxies Are Valuable
Websites often scrutinize traffic from known data center IP ranges. Residential IP addresses, however, appear legitimate and organic. By routing traffic through infected home routers, Doppelganger customers gain:
- Reduced detection risk
- Improved access reliability
- Greater anonymity
The botnet’s peer-to-peer resilience ensures that even if some nodes are removed, the network remains operational.
Why Rebooting an Infected Router Won’t Remove KadNap
Persistent Shell Script Mechanism
KadNap stores a shell script on infected routers that executes automatically upon reboot. As a result, simply turning the device off and on again does not remove the infection.
The malware reinstalls or reactivates itself during startup, making basic troubleshooting ineffective.
Required Steps to Remove KadNap Malware
Cleaning an infected router requires decisive action:
- Perform a full factory reset, not just a reboot, ideally with the WAN cable unplugged so the device cannot be re-exploited while it is still running old firmware.
- Install all available firmware updates immediately after resetting, before exposing the router to the internet again. If the model no longer receives updates, replace it; a reset on still-vulnerable firmware only invites reinfection.
- Set a strong, unique administrative password.
- Disable remote (WAN-side) administration, including SSH, unless it is absolutely necessary.
Black Lotus Labs has published indicators of compromise: IP addresses to look for in router or upstream connection logs, and file hashes to compare against files recovered from a device.
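Checking a device against such a list is mechanical once you have the logs and files off the router. The script below is an added example, not Black Lotus Labs tooling: it matches IoC IP addresses against syslog-style lines, compares SHA-256 hashes of recovered files against an IoC hash set, and flags the port-22 firewall rule the article describes in `iptables -S` style output. The IoC values, log lines, file contents and firewall rules are all constructed for the demo (TEST-NET addresses), not real indicators.

```python
"""Match router evidence against an IoC list. Added example; every indicator,
log line and file below is constructed for the demo and is not a real IoC."""
import hashlib
import re
from typing import Iterable

# Constructed IoC feed in the two forms such lists commonly take.
IOC_IPS = {"192.0.2.10", "198.51.100.77", "203.0.113.5"}
IOC_SHA256 = {
    hashlib.sha256(b"#!/bin/sh\n# constructed stand-in for a persistence script\n").hexdigest(),
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SSH_BLOCK = re.compile(r"--dport 22\b.*-j (?:DROP|REJECT)")


def find_ioc_ips(log_lines: Iterable[str]) -> list:
    """Return (line number, IoC IP, line) for every log line touching an IoC IP."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for ip in IPV4.findall(line):
            if ip in IOC_IPS:
                hits.append((n, ip, line.strip()))
    return hits


def hash_files(files: dict) -> dict:
    """files maps a path to its bytes as copied off the router; returns path -> sha256."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def find_ioc_files(files: dict) -> list:
    """Paths whose SHA-256 appears in the IoC hash set."""
    return [p for p, h in hash_files(files).items() if h in IOC_SHA256]


def ssh_blocked(rules: Iterable[str]) -> bool:
    """True if an 'iptables -S' style rule drops or rejects inbound tcp/22."""
    return any(SSH_BLOCK.search(r) for r in rules)


def assess(log_lines, files, rules) -> dict:
    """Combine the three checks; 'suspicious' is True if any indicator fires."""
    ips = find_ioc_ips(log_lines)
    paths = find_ioc_files(files)
    ssh = ssh_blocked(rules)
    return {"ioc_ips": ips, "ioc_files": paths, "ssh_blocked": ssh,
            "suspicious": bool(ips or paths or ssh)}


# Constructed sample evidence (generic syslog layout, not a specific vendor's format).
SAMPLE_LOG = [
    "Mar  3 02:14:07 router kernel: ACCEPT IN=eth0 OUT=br0 SRC=198.51.100.77 DST=192.168.1.1 PROTO=TCP DPT=443",
    "Mar  3 02:14:09 router dnsmasq[412]: query[A] example.com from 192.168.1.20",
    "Mar  3 02:15:31 router kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.1 DST=203.0.113.5 PROTO=UDP DPT=6881",
]
SAMPLE_FILES = {
    "/tmp/init.sh": b"#!/bin/sh\n# constructed stand-in for a persistence script\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
}
SAMPLE_RULES = [
    "-P INPUT ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 22 -j DROP",
    "-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT",
]

if __name__ == "__main__":
    for k, v in assess(SAMPLE_LOG, SAMPLE_FILES, SAMPLE_RULES).items():
        print(k, v)
```

Two caveats. Hash matching only catches samples already on the list, so an absent hit does not clear a device; the IP and firewall checks are the better signal for a variant. And a factory reset wipes the evidence, so copy logs and any suspect scripts off the router before resetting if you want to confirm the infection or report it.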
Defensive Measures and Industry Response
Despite KadNap's hardened architecture, Black Lotus Labs reports having developed a method to block network traffic flowing to and from the botnet's control infrastructure. The team is also sharing indicators of compromise through public feeds so that other security organizations can deploy the same blocks.
While full dismantlement of a decentralized DHT-based botnet is extremely challenging, coordinated network blocking and patch enforcement can significantly reduce operational effectiveness.