The Black Lotus Labs team at Lumen has discovered KadNap, a sophisticated malware targeting Asus routers and conscripting them into a botnet used for proxying malicious traffic. KadNap utilizes a custom Kademlia DHT protocol to conceal its infrastructure and evade detection, making disruption difficult. The botnet, with over 14,000 infected devices, is marketed through a proxy service called "Doppelganger", linked to the previously known Faceless service. A significant portion of the victims (60%) are located in the United States. Lumen has proactively blocked traffic to KadNap’s control infrastructure and is sharing indicators of compromise.
