KadNap Botnet: ASUS Routers Hijacked for Faceless Proxy Network

Recent cybersecurity investigations have uncovered a sophisticated malware botnet dubbed KadNap, which specifically targets ASUS routers to integrate them into a massive residential proxy network. According to BleepingComputer, the botnet facilitates the operations of ‘Faceless,’ a known cybercrime proxy service that allows threat actors to route malicious traffic through legitimate home networks. By hijacking these devices, attackers can bypass geolocation-based security controls and perform activities such as credential stuffing, Phishing, and DDoS attacks while appearing as domestic residential traffic.

Technical Analysis: Faceless Proxy Network Analysis

The KadNap malware is a custom-developed TTP that utilizes the Kademlia (Kad) distributed hash table for decentralized discovery. This allows the botnet to maintain a resilient C2 infrastructure without relying on centralized servers that are easily taken down by law enforcement. Upon infection, the malware identifies the device’s external IP address and establishes communication with other peers in the Kad network.

The primary objective of KadNap is to turn the compromised router into a SOCKS5 proxy. This transformation is achieved by manipulating the device’s internal routing tables and opening ports using UPnP (Universal Plug and Play) or manual configuration via the router’s shell. Once the proxy is active, it reports back to the Faceless backend, making the router’s bandwidth available to paying customers of the proxy service. This specific Faceless proxy network analysis suggests that the operators are highly focused on maintaining a high-quality pool of residential IPs to maximize the anonymity of the traffic for their clients.

Exploitation of CVE-2024-3080 in ASUS Hardware

The botnet primarily propagates by exploiting a critical CVE identified as CVE-2024-3080. This vulnerability is an unauthenticated RCE flaw that allows an attacker to execute arbitrary commands on the target router. The CVSS score for this vulnerability is 9.8, indicating its critical nature and ease of exploitation.

Affected devices include popular consumer and small-office models:

• RT-AX88U
• RT-AX58U
• RT-AX86U
• RT-AC68U

Attackers scan the internet for routers with exposed management interfaces. Once a vulnerable device is found, they use an exploit payload to gain initial access and achieve Privilege Escalation. From there, the KadNap binary is downloaded and executed in memory or persisted within the /jffs/ partition, a common storage area for custom scripts on ASUS routers. This persistence ensures that the malware remains active even after a reboot, which is a standard MITRE ATT&CK technique for maintaining long-term access.

ASUS Router CVE-2024-3080 Remediation and Detection

To defend against this threat, network administrators and home users must prioritize ASUS router CVE-2024-3080 remediation steps immediately. The most effective mitigation is the installation of the latest firmware updates provided by the manufacturer. ASUS has released patches for all affected models that specifically address the RCE vulnerability.

In addition to patching, defenders should implement the following security measures:

• Disable WAN-side access to the router’s administration web interface.
• Disable UPnP if it is not strictly necessary for network operations.
• Use unique, high-entropy passwords for all administrative accounts.
• Implement a Zero Trust approach by restricting internal network access from edge devices.

How to Detect KadNap Botnet Activity

For SOC analysts and incident responders, identifying compromised hardware involves monitoring for specific network anomalies. How to detect KadNap botnet infections typically involves looking for high volumes of UDP traffic on non-standard ports, which is characteristic of Kademlia DHT overhead. Furthermore, unusual outbound connections to known Faceless infrastructure or an influx of SOCKS5 proxy traffic originating from the router’s IP address serve as strong IoC indicators. If a compromise is suspected, administrators should check for unauthorized scripts in the /jffs/scripts/ directory and review system logs for unrecognized logins.

The rise of KadNap highlights the ongoing trend of targeting edge devices to facilitate large-scale cybercrime operations. As these devices often lack traditional EDR or SIEM visibility, they remain a preferred target for APT groups and profit-motivated actors alike.