Security researchers are tracking a botnet spread across roughly 14,000 routers, many of them Asus devices, with the biggest share of infections now seen in the United States on any given day.
The campaign is not just about access; it quietly repurposes home and office gear to hide origin points and blend abuse into ordinary traffic. In practice, a malicious proxy network turns compromised network hardware into a cybercrime traffic relay, keeping the operation active even when parts of its control system are blocked for long periods.
How KadNap turns routers into anonymous proxies
KadNap does not need flashy behavior to be useful to its operators. After exploiting unpatched device flaws, it secures a malware foothold on routers and keeps that access stable enough to repurpose the hardware.
From there, the infected router becomes a quiet relay for outside traffic. Black Lotus Labs says this enables proxy service abuse through covert traffic forwarding, helping malicious connections blend in while about 14,000 devices stay active on a typical day, many in the United States.
Why are Asus devices so common in the infected pool?
The Asus share stands out in Lumen’s Black Lotus Labs data for a simple reason. Researchers say attackers are leaning on Asus router vulnerabilities exposed by a known exploit chain, not mystery zero-days, which matches Chris Formosa’s comments about older bugs left unpatched.
That pattern helps explain why consumer gear dominates the infected set. Persistent firmware exposure across many home network devices leaves internet-facing routers reachable long after updates appear, with infections centered in the United States and smaller clusters in Taiwan, Hong Kong, and Russia.
A peer-to-peer structure built to resist disruption
KadNap avoids the weak point that sinks many botnets. Instead of relying on one server, it uses a decentralized control channel backed by a distributed hash table, letting infected routers find instructions through peers rather than a single hub.
That layout gives defenders fewer obvious targets to seize. Black Lotus Labs says the model improves takedown resistance and supports command node concealment, which helps explain why the network averaged about 14,000 devices per day, up from 10,000 last August.
The Kademlia lookup process behind hidden command links
The hidden lookup path starts in familiar territory. KadNap reaches out through BitTorrent entry nodes and then narrows the search with the XOR distance metric, a core Kademlia method that identifies the peer closest to a requested key in a 160-bit space.
Chris Formosa described the later step in plainer terms. A secret passphrase exchange leads the bot toward a file tied to firewalling port 22, followed by another file that reveals a hidden C2 address for the next connection.
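To make the lookup step above concrete, here is an added worked example of the generic Kademlia mechanism the article describes: 160-bit identifiers, the XOR distance metric, k-bucket routing tables, and an iterative search that narrows from a few entry nodes to the peer closest to a requested key. This is educational code written for this page, not KadNap's implementation or Black Lotus Labs' tooling, and the peer network and lookup key are constructed in memory.

```python
import hashlib


def node_id(label: str) -> int:
    """Derive a 160-bit identifier from a label (SHA-1, as in classic Kademlia)."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big")


def xor_distance(a: int, b: int) -> int:
    """Kademlia's distance metric: the XOR of two identifiers, read as an integer."""
    return a ^ b


def closest_peers(key: int, peers, k: int = 3) -> list:
    """Return the k known peers whose IDs are XOR-closest to key."""
    return sorted(peers, key=lambda p: xor_distance(p, key))[:k]


def build_routing_tables(peers, k: int = 3) -> dict:
    """Give each peer a k-bucket table: for every bit position at which another
    peer first differs from it, remember up to k peers from that range."""
    tables = {}
    for p in peers:
        buckets = {}
        for q in peers:
            if q != p:
                buckets.setdefault(xor_distance(p, q).bit_length(), []).append(q)
        tables[p] = {q for bucket in buckets.values() for q in bucket[:k]}
    return tables


def iterative_lookup(key: int, bootstrap, routing_tables: dict, k: int = 3) -> int:
    """Simulate a Kademlia FIND_NODE walk: ask the closest not-yet-queried peers for
    their closest contacts until nothing closer appears, then return the best peer."""
    known, queried = set(bootstrap), set()
    while True:
        pending = [p for p in closest_peers(key, known, k) if p not in queried]
        if not pending:
            return closest_peers(key, known, 1)[0]
        for p in pending:
            queried.add(p)
            known.update(closest_peers(key, routing_tables.get(p, ()), k))


# Constructed toy network (not real KadNap data): 16 peers and one lookup key.
PEERS = [node_id(f"constructed-peer-{i}") for i in range(16)]
ROUTING = build_routing_tables(PEERS)
KEY = node_id("constructed-lookup-key")
```

Starting from only two bootstrap peers, `iterative_lookup(KEY, PEERS[:2], ROUTING)` converges on the same peer as a brute-force scan of all sixteen, which is the property that lets a bot reach a hidden key holder without any central directory.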
Black Lotus Labs moves to block the control infrastructure
Directly removing every infected router is not the route Black Lotus Labs chose. The team, including Chris Formosa and Steve Rudd, built traffic-blocking measures meant to interrupt communication with the botnet’s control infrastructure rather than chase each device one by one.
The wider goal is to help other defenders move faster. By publishing indicators of compromise through public threat feeds, the researchers give network operators a practical way to spot infected routers, block contact, and shrink KadNap’s reach.