New KadNap Botnet Hijacks ASUS Routers to Fuel Cybercrime Proxy Network

BleepingComputer, Mar 10, 2026

Why It Matters

KadNap expands the pool of compromised residential proxies, amplifying DDoS, credential‑stuffing and evasion capabilities for cybercriminals, and challenges traditional detection methods that rely on static C2 listings.

Key Takeaways

  • KadNap compromised ~14,000 ASUS routers since Aug 2025.
  • Uses custom Kademlia DHT to hide C2 servers.
  • 60% of bots located in United States.
  • Powers Doppelganger residential proxy service for illicit traffic.
  • Lumen blocked traffic and released IOCs for mitigation.

Pulse Analysis

The emergence of KadNap highlights a growing trend where attackers weaponize consumer‑grade networking hardware to build resilient botnets. By hijacking ASUS routers, the malware gains a foothold in home broadband environments, leveraging the devices’ always‑on connectivity and NAT traversal capabilities. Its use of a modified Kademlia Distributed Hash Table creates a peer‑to‑peer overlay that obscures the location of command‑and‑control servers, rendering conventional blacklist approaches less effective and forcing defenders to adopt graph‑based detection techniques.

Beyond the technical novelty, KadNap’s integration with the Doppelganger proxy marketplace underscores the monetization of compromised infrastructure. Residential proxies sourced from hijacked routers provide attackers with low‑latency, geographically diverse exit points, ideal for launching distributed denial‑of‑service attacks, credential‑stuffing campaigns, and bypassing IP‑based defenses. The service’s rebranding from the earlier Faceless platform indicates an evolving business model where botnet operators package access as a subscription service, blurring the line between traditional malware and cybercrime‑as‑a‑service.

Industry response is critical to curtailing this threat. Lumen’s proactive traffic blocking demonstrates the value of network‑level interventions, while the forthcoming release of indicators of compromise equips other providers and enterprises with actionable intelligence. Organizations should prioritize firmware hygiene on consumer routers, enforce regular updates, and monitor for anomalous outbound connections to NTP or unknown DHT nodes. Collaborative threat‑sharing and rapid containment can mitigate the spread of KadNap and reduce the pool of devices available for illicit proxy services.
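
One way to run the monitoring recommended above over exported flow records, as an added example that is not from the article or from Lumen: it flags NTP traffic to servers outside an approved list and devices that contact an unusually large number of distinct external peers, the fan-out pattern a peer-to-peer overlay tends to produce. The LAN range, approved NTP server, threshold and flow records are all constructed assumptions, not KadNap indicators.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # assumed internal range
APPROVED_NTP = {"203.0.113.10"}      # assumed approved time server
FANOUT_THRESHOLD = 20                # assumed; tune against your own baseline

# Constructed flow records: (src, dst, proto, dst_port).
# Addresses are documentation ranges; none come from published IOCs.
FLOWS = (
    [("192.168.1.1", f"198.51.100.{i}", "udp", 40000 + i) for i in range(1, 41)]
    + [
        ("192.168.1.1", "203.0.113.77", "udp", 123),   # NTP to unlisted server
        ("192.168.1.20", "203.0.113.10", "udp", 123),  # NTP to approved server
        ("192.168.1.20", "198.51.100.5", "tcp", 443),
        ("192.168.1.20", "192.168.1.1", "udp", 53),    # internal DNS, ignored
    ]
)

def is_external(addr):
    """True when the address is outside the monitored LAN."""
    return ip_address(addr) not in LAN

def unapproved_ntp(flows, approved=APPROVED_NTP):
    """Return sorted (src, dst) pairs for NTP sent to servers not in the approved set."""
    return sorted({
        (src, dst) for src, dst, proto, port in flows
        if proto == "udp" and port == 123 and is_external(dst) and dst not in approved
    })

def high_fanout(flows, threshold=FANOUT_THRESHOLD):
    """Return {src: distinct external peer count} for sources above the threshold."""
    peers = defaultdict(set)
    for src, dst, _proto, _port in flows:
        if is_external(dst):
            peers[src].add(dst)
    return {src: len(p) for src, p in peers.items() if len(p) > threshold}

def report(flows):
    """Combine both checks into one result for alerting or triage."""
    return {"unapproved_ntp": unapproved_ntp(flows), "high_fanout": high_fanout(flows)}

if __name__ == "__main__":
    print(report(FLOWS))
```

A router appearing in both results is a stronger triage signal than either check alone, since a gateway normally talks to few external hosts on its own behalf.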
