
KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet

Published:

10 March 2026 at 16:00:00

Alert date:

10 March 2026 at 17:01:18

Source:

thehackernews.com


Network Infrastructure, Mobile & IoT, Ransomware & Malware

Cybersecurity researchers have discovered KadNap malware targeting Asus routers to build a stealth proxy botnet. First detected in August 2025, the malware has infected over 14,000 devices globally. More than 60% of victims are located in the United States according to Black Lotus Labs at Lumen. The malware enlists infected edge devices into a botnet used for proxying malicious traffic. KadNap represents a significant threat to network infrastructure security.

Technical details

KadNap uses a custom variant of the Kademlia Distributed Hash Table (DHT) protocol to hide its C2 infrastructure inside a peer-to-peer network. The infection begins with a shell script (aic.sh) downloaded from a C2 server; the script establishes persistence through a cron job, retrieves a malicious ELF file, renames it to 'kad', and executes it. The malware is built for ARM and MIPS processors. Once running, it contacts an NTP server for time synchronization, computes the hash that determines its position among the peers of the decentralized network, and closes SSH port 22. The infected infrastructure is categorized by device type and model. The same report also details ClipXDaemon, a Linux threat that targets cryptocurrency users by intercepting wallet addresses. It is delivered via the ShadowHS framework, operates entirely in memory with process masquerading, polls the clipboard every 200 ms, and avoids Wayland sessions because of their security controls.
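The indicators above (cron persistence via aic.sh/fwr.sh, a process renamed to kad, the dropped files, the published C2 address, and the closed SSH port) can be checked against host snapshots with the triage routine below. It is an added example, not code from the advisory or from Black Lotus Labs; the crontab, process, file and connection snapshots are constructed, and on a real device they would come from crontab -l, ps, a file listing and netstat or ss.

```python
import re

# Indicators quoted in the advisory (the IP and domain are defanged there;
# they are written plainly here only so they match real log text).
KADNAP_IP = "212.104.141.140"
KADNAP_DOMAIN = "doppelganger.shop"
KADNAP_SCRIPTS = ("aic.sh", "fwr.sh")
KADNAP_PATHS = ("/tmp/.sose", ".asusrouter")
KADNAP_PROC = "kad"


def scan_kadnap(crontab, processes, files, conns):
    """Return (severity, finding) tuples for every KadNap indicator present."""
    findings = []
    # 1. Persistence: a cron entry that runs one of the dropper scripts.
    for line in crontab.splitlines():
        if any(s in line for s in KADNAP_SCRIPTS):
            findings.append(("high", "cron persistence: " + line.strip()))
    # 2. Execution: the renamed ELF shows up as a process called 'kad'.
    if KADNAP_PROC in processes:
        findings.append(("high", "process 'kad' running (renamed KadNap ELF)"))
    # 3. Dropped files named in the advisory.
    for path in files:
        if any(path.endswith(p) for p in KADNAP_PATHS):
            findings.append(("medium", "suspicious file: " + path))
    # 4. Network contact with the published C2/peer infrastructure.
    for c in conns:
        if KADNAP_IP in c or KADNAP_DOMAIN in c:
            findings.append(("high", "C2 contact: " + c))
    # 5. Side effect: KadNap closes SSH port 22. Low severity on its own,
    #    since a device that never ran sshd also matches.
    if not any(re.search(r":22\s", c) and "LISTEN" in c for c in conns):
        findings.append(("low", "nothing listening on :22 (KadNap closes SSH)"))
    return findings


# Constructed sample snapshots of an infected router (not real captures).
SAMPLE_CRON = ("*/5 * * * * /bin/sh /tmp/aic.sh >/dev/null 2>&1\n"
               "0 3 * * * /sbin/logrotate\n")
SAMPLE_PROCS = ["init", "httpd", "kad"]
SAMPLE_FILES = ["/tmp/.sose", "/etc/passwd", "/jffs/.asusrouter"]
SAMPLE_CONNS = ["tcp 192.168.1.1:48812 212.104.141.140:443 ESTABLISHED",
                "tcp 0.0.0.0:80 0.0.0.0:* LISTEN"]

if __name__ == "__main__":
    for severity, finding in scan_kadnap(SAMPLE_CRON, SAMPLE_PROCS,
                                         SAMPLE_FILES, SAMPLE_CONNS):
        print(f"[{severity}] {finding}")
```

A single low-severity hit (no listener on port 22) is not evidence on its own; treat the cron, process and C2 findings as the ones that warrant isolating and re-imaging the device.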

Mitigation steps:

Keep SOHO router devices up to date, reboot devices regularly, change default passwords, secure management interfaces, and replace end-of-life models that are no longer supported.

Affected products:

Asus routers
Edge networking devices (ARM and MIPS processors)
Linux X11 environments
SOHO routers

IOCs:

212.104.141[.]140, aic.sh, .asusrouter, kad, fwr.sh, /tmp/.sose, doppelganger[.]shop, Port 22 (SSH) closure

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
