KadNap Malware: 14,000 Asus Routers Enlisted in Stealth Proxy Botnet

Overview of the KadNap Proxy Botnet

Security researchers have identified a widespread malware campaign involving a new threat dubbed KadNap. This malware specifically targets edge devices, with a heavy concentration on Asus routers, to build a sprawling C2 infrastructure dedicated to proxying internet traffic. According to The Hacker News, the malware has successfully infected over 14,000 devices globally since its initial appearance in August 2025.

The primary objective of KadNap is not direct data theft from the host device, but rather the transformation of the compromised hardware into a proxy node. This allows threat actors to route their malicious activity through legitimate residential or small-business IP addresses, significantly complicating the efforts of a SOC to differentiate between benign user traffic and adversary operations. At the time of reporting, approximately 60% of the identified victims are located within the United States.

Technical Analysis: Execution and C2 Communication

KadNap functions as a specialized TTP for anonymization. Once the malware gains a foothold on a device, it establishes a persistent connection with its command-and-control servers. The malware often leverages common RCE vulnerabilities or weak administrative credentials as primary KadNap malware infection vectors.

Unlike traditional DDoS botnets that focus on high-volume traffic generation, KadNap prioritizes stealth. It creates a tunnel that allows the attacker to use the infected router as an exit point. For defenders, this is particularly problematic because the traffic originating from the infected device appears to be coming from a trusted geographical location and a legitimate ISP. This technique is frequently used by an APT or advanced cybercriminal groups to bypass geo-fencing and IP-based reputation filters during the exploitation phase of an attack.

How to Detect KadNap Malware on Compromised Devices

Identifying KadNap requires a focus on anomalous network behavior rather than traditional file-based IoC detection, as many edge devices lack the capability to host a standard EDR agent. Security professionals should monitor for the following indicators:

• Unusual Outbound Connections: Look for persistent TCP connections to unknown external IP addresses that do not align with standard firmware update patterns or manufacturer telemetry.
• Resource Spikes: While designed to be stealthy, the proxying of high-bandwidth traffic may cause noticeable spikes in CPU or memory usage on the router.
• Unauthorized Configuration Changes: Check for the presence of unauthorized SSH keys, modified firewall rules, or new administrative accounts.

Analysts should map these behaviors against the MITRE ATT&CK framework, specifically focusing on the Proxy (T1090) technique. Because this malware targets the edge, traditional internal network visibility may be insufficient, necessitating the use of SIEM logs from upstream switches or ISP-level traffic analysis.

Asus Router Proxy Botnet Mitigation and Defense

Addressing the threat posed by KadNap requires a multi-layered approach to edge security. Organizations and home users should prioritize the following defensive measures:

1. Firmware Integrity: Regularly update Asus routers and other edge devices to the latest firmware versions to patch any underlying CVE that could be used for initial access.
2. Credential Hardening: Change default administrative passwords and disable remote management interfaces (WAN-side management) unless absolutely necessary and protected by a VPN.
3. Egress Filtering: Implement strict egress filtering rules to prevent edge devices from communicating with unapproved external networks over non-standard ports.
4. Network Segmentation: Isolate edge management interfaces from the rest of the production network to prevent Lateral Movement should the device be compromised.

Adopting Zero Trust principles at the network perimeter is essential. By treating every device—including the router itself—as a potential source of compromise, organizations can better identify the subtle signs of proxy botnet recruitment. Periodic reboots and factory resets can also be effective in clearing non-persistent malware, though KadNap’s persistence mechanisms may require a full firmware re-flash in confirmed infection cases.