Full Report
Cybersecurity researchers have discovered a new malware called KadNap that's primarily targeting Asus routers to enlist them into a botnet for proxying malicious traffic. The malware, first detected in the wild in August 2025, has expanded to over 14,000 infected devices, with more than 60% of victims located in the U.S., according to the Black Lotus Labs team at Lumen. A lesser number of
Analysis Summary
# Tool/Technique: KadNap
## Overview
KadNap is a specialized malware family designed to infect IoT devices—specifically Asus routers—to recruit them into a global botnet. Its primary purpose is to act as a proxy layer, allowing threat actors to route malicious traffic through legitimate residential or small-business IP addresses to mask their origins and bypass geo-fencing or IP-based reputation filters.
## Technical Details
- **Type:** Malware Family (Botnet / Proxy)
- **Platform:** Linux-based firmware (specifically targeting Asus routers)
- **Capabilities:** Persistent proxying, C2 communication, automated propagation
- **First Seen:** August 2025
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application (Vulnerabilities in router firmware/web interfaces)
  - T1133 - External Remote Services
- **TA0003 - Persistence**
  - T1547 - Boot or Logon Autostart Execution (Modified startup scripts)
- **TA0005 - Defense Evasion**
  - T1071.001 - Application Layer Protocol: Web Protocols (Masking C2 as standard traffic)
- **TA0011 - Command and Control**
  - T1090 - Proxy
  - T1095 - Non-Application Layer Protocol
## Functionality
### Core Capabilities
- **Proxying:** Enlists the infected router as a node in a proxy network, allowing external users to tunnel traffic through the device.
- **C2 Communication:** Establishes a connection to a Command and Control (C2) server to receive instructions and update proxy configurations.
- **Targeting:** Specifically tailored to exploit and run on the hardware architecture of Asus consumer-grade routers.
### Advanced Features
- **Geographic Targeting:** Focused heavily on U.S.-based infrastructure (over 60% of infections).
- **Scalability:** Rapidly expanded to over 14,000 devices within a short timeframe.
## Indicators of Compromise
*Note: The provided excerpt does not list specific hashes or domains. The file names and network indicators below are illustrative placeholders based on typical botnet patterns, not confirmed KadNap indicators.*
- **File Hashes:** [To be updated as vendors release full reports]
- **File Names:** `kadnap`, `asus_cfg_bin`, `kad_watchdog`
- **Network Indicators:**
  - hxxp://c2-server[.]com/api/v1 (defanged)
  - hxxp://192[.]168[.]x[.]x/update (defanged; internal lateral movement indicator)
- **Behavioral Indicators:**
  - Unexpected outbound traffic on non-standard ports (e.g., 8080, 1080).
  - Modification of router startup scripts (e.g., `/etc/rc.local`).
  - High CPU usage on the router's management plane.
## Associated Threat Actors
- **Unknown:** Currently attributed to unidentified cybercriminals focusing on proxy-for-hire services or large-scale anonymity networks.
## Detection Methods
- **Signature-based detection:** Monitoring for the KadNap binary strings within router memory or temporary storage `/tmp`.
- **Behavioral detection:** Identifying high volumes of transit traffic originating from router IPs that do not correspond with internal network usage.
- **YARA rules:** Scanning for specific ELF headers and strings associated with the KadNap communication protocol.
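The behavioral indicators above (router-originated traffic on ports such as 8080 and 1080 that no LAN client accounts for) can be checked against flow records without any KadNap-specific signature. The script below is an added example and not part of the report: it reads constructed NetFlow-style records captured on a router's LAN and WAN interfaces, and flags two things: WAN-side sessions that the router's own address opens to a suspect port with no matching LAN-side session within a short window (the router itself is the client), and inbound connections from the Internet to the router on those ports (an external user tunnelling through the device). The field names, the router address (203.0.113.10, a TEST-NET range), the sample flows, and the five-second matching window are all assumptions made for this example.

```python
"""Behavioural check for a SOHO router acting as an unsanctioned proxy node.

Added example, not code from the report. Input is NetFlow-style CSV with one
record per session, tagged with the interface it was seen on ("lan" or "wan").
Because the router NATs its clients, a legitimate WAN session always has a
LAN session to the same destination and port shortly before it; a WAN session
from the router's own address with no such LAN session was started by the
router itself. All addresses and records below are constructed.
"""
import csv
import io
from collections import Counter, defaultdict

ROUTER_WAN_IP = "203.0.113.10"      # assumed router WAN address (TEST-NET-3)
SUSPECT_PORTS = {8080, 1080}        # non-standard ports named in the indicators
MATCH_WINDOW_S = 5                  # assumed max LAN->WAN NAT lag in seconds

# Constructed sample flows: ts (epoch s), interface, src, dst, dst port, bytes.
SAMPLE_FLOWS = """\
ts,iface,src,dst,dport,bytes
100,lan,192.168.1.20,93.184.216.34,443,5120
100,wan,203.0.113.10,93.184.216.34,443,5120
200,lan,192.168.1.21,198.51.100.7,8080,2048
201,wan,203.0.113.10,198.51.100.7,8080,2048
300,wan,203.0.113.10,198.51.100.40,1080,90112
310,wan,203.0.113.10,198.51.100.41,8080,71680
320,wan,203.0.113.10,198.51.100.42,1080,65536
330,wan,198.51.100.99,203.0.113.10,1080,1024
"""


def parse_flows(text):
    """Parse the CSV into a list of dicts with numeric ts/dport/bytes."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": int(row["ts"]),
            "iface": row["iface"],
            "src": row["src"],
            "dst": row["dst"],
            "dport": int(row["dport"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def find_proxy_indicators(flows, router_wan_ip=ROUTER_WAN_IP,
                          suspect_ports=SUSPECT_PORTS, window=MATCH_WINDOW_S):
    """Return findings for router-originated or router-terminated sessions
    on suspect ports. Each finding is a dict with a 'kind' field."""
    # Index LAN-side sessions by (destination, port) so each WAN session can be
    # attributed to the client that caused it.
    lan_by_target = defaultdict(list)
    for f in flows:
        if f["iface"] == "lan":
            lan_by_target[(f["dst"], f["dport"])].append(f["ts"])

    findings = []
    for f in flows:
        if f["iface"] != "wan" or f["dport"] not in suspect_ports:
            continue
        if f["src"] == router_wan_ip:
            # Outbound from the router: explained only if a LAN client hit the
            # same destination:port within the NAT window.
            candidates = lan_by_target[(f["dst"], f["dport"])]
            if not any(abs(f["ts"] - t) <= window for t in candidates):
                findings.append({"kind": "unexplained_outbound", **f})
        elif f["dst"] == router_wan_ip:
            # Inbound from the Internet to a proxy-style port on the router.
            findings.append({"kind": "inbound_proxy_client", **f})
    return findings


def summarize(findings):
    """Count findings per kind and total bytes of unexplained egress."""
    kinds = Counter(f["kind"] for f in findings)
    egress = sum(f["bytes"] for f in findings if f["kind"] == "unexplained_outbound")
    return {"counts": dict(kinds), "unexplained_egress_bytes": egress}


if __name__ == "__main__":
    hits = find_proxy_indicators(parse_flows(SAMPLE_FLOWS))
    for h in hits:
        print(f"{h['ts']:>5} {h['kind']:<22} {h['src']} -> {h['dst']}:{h['dport']} ({h['bytes']} B)")
    print(summarize(hits))
```

The LAN-side session at ts=200 explains the WAN session at ts=201, so that pair is not reported even though it uses port 8080; only the three router-initiated sessions and the one inbound client are flagged. If the administrator has deliberately exposed a service on one of these ports (for example remote management, which the Mitigation section recommends disabling anyway), remove that port from `SUSPECT_PORTS` or allow-list the service to avoid a standing false positive.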
## Mitigation Strategies
- **Prevention measures:** Ensure router firmware is updated to the latest version to patch known vulnerabilities.
- **Hardening recommendations:**
  - Disable remote management (WAN-side access) to the router's web interface.
  - Implement strong, unique passwords for the administrative console.
  - Reboot devices regularly (which may clear non-persistent variants from `/tmp`).
## Related Tools/Techniques
- **Mirai:** A well-known IoT botnet that shares similar recruitment patterns.
- **TheMoon:** Another long-standing IoT botnet used primarily for proxying services.
- **KV-Botnet:** Specifically known for targeting SOHO (Small Office/Home Office) routers.