Researchers at Lumen's Black Lotus Labs have identified a botnet, tracked as KadNap, that infects around 14,000 routers a day, most of them Asus models in the US. Instead of calling home to fixed command-and-control servers, the malware coordinates over a Kademlia-based peer-to-peer network, which hides its control infrastructure and frustrates takedowns. The compromised devices are rented out as residential proxies for cybercrime. Owners of affected routers are advised to factory reset the device (a reboot is not enough) and to install current firmware to remove the threat.
Black Lotus Labs first documented KadNap in August, when it counted roughly 10,000 infections; by March 2026 the botnet was infecting an average of 14,000 routers and other network devices per day. Most of the compromised devices are Asus routers, primarily located in the US, with smaller clusters in Taiwan, Hong Kong, and Russia. According to Chris Formosa, a researcher at Lumen's Black Lotus Labs, the malware gets in through known vulnerabilities for which patches exist but have not been applied to the devices; no zero-day exploits are involved.
What sets KadNap apart is that its control channel is a peer-to-peer network built on Kademlia, the distributed hash table (DHT) design best known from BitTorrent's mainline DHT. Each infected device is itself a node in the DHT, so there is no single server or domain for defenders to seize or sinkhole; the design conceals the command-and-control IP addresses and makes the botnet far more resistant to conventional takedowns than one that phones home to a fixed address list. "The KadNap botnet stands out among others that support anonymous proxies in its use of a peer-to-peer network for decentralized control," Formosa and fellow researcher Steve Rudd wrote. "Their intention is clear: avoid detection and make it difficult for defenders to protect against."
In operation, an infected node walks the DHT: it queries peers using a passphrase as the lookup key, each peer pointing it toward nodes closer to that key, until it retrieves a file containing the current command-and-control addresses. Once connected, the device is put to work as a proxy for Doppelganger, a fee-based service that routes customers' traffic through residential internet connections so that it appears to originate from ordinary home users, enabling anonymous access to restricted sites.
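To make the preceding two paragraphs concrete, here is an added, self-contained simulation of a Kademlia DHT lookup. It is illustrative code written for this page, not KadNap's implementation or anything published by Black Lotus Labs; the swarm, the passphrase and the "C2 file" contents are all constructed (the addresses are RFC 5737 documentation IPs). It shows the two properties the article relies on: a value is replicated on the k nodes whose IDs are XOR-closest to the key, and any node that knows only the passphrase and a handful of peers can find it by iteratively asking for closer nodes, with no fixed server anywhere in the path.

```python
"""Toy Kademlia DHT: a constructed simulation, not KadNap's code."""
import hashlib
import random

K = 8       # Kademlia's k: bucket size and replication factor
ALPHA = 3   # Kademlia's alpha: lookup parallelism


def kad_id(label: str) -> int:
    """160-bit SHA-1 identifier (Kademlia's original keyspace)."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big")


def distance(a: int, b: int) -> int:
    """XOR metric: a smaller value means 'closer' in the keyspace."""
    return a ^ b


class Node:
    def __init__(self, nid: int):
        self.id = nid
        self.buckets = {}   # bucket index -> up to K peer ids
        self.store = {}     # key -> value held by this node

    def add_peer(self, pid: int):
        # bucket i holds peers whose XOR distance from us has its top bit at i
        i = distance(self.id, pid).bit_length() - 1
        bucket = self.buckets.setdefault(i, [])
        if len(bucket) < K:
            bucket.append(pid)

    def closest(self, key: int, n: int):
        peers = [p for bucket in self.buckets.values() for p in bucket]
        return sorted(peers, key=lambda p: distance(p, key))[:n]

    def find_value(self, key: int):
        """FIND_VALUE RPC: the value if held, else the K closest known peers."""
        if key in self.store:
            return "value", self.store[key]
        return "nodes", self.closest(key, K)


class Swarm:
    def __init__(self, n_nodes: int, seed: int = 7):
        rng = random.Random(seed)
        ids = [kad_id(f"node-{i}") for i in range(n_nodes)]
        self.nodes = {i: Node(i) for i in ids}
        for node in self.nodes.values():
            for pid in rng.sample(ids, len(ids)):   # fill buckets in random order
                if pid != node.id:
                    node.add_peer(pid)

    def publish(self, key: int, value):
        """STORE on the K nodes whose ids are XOR-closest to the key."""
        holders = sorted(self.nodes, key=lambda n: distance(n, key))[:K]
        for n in holders:
            self.nodes[n].store[key] = value
        return holders

    def lookup(self, start: int, key: int):
        """Iterative lookup as a bot would run it; returns (value, rounds)."""
        shortlist = set(self.nodes[start].closest(key, K))
        queried, rounds = set(), 0
        while True:
            pending = sorted((n for n in shortlist if n not in queried),
                             key=lambda n: distance(n, key))[:ALPHA]
            if not pending:                 # every candidate asked, nothing found
                return None, rounds
            rounds += 1
            for n in pending:
                queried.add(n)
                kind, payload = self.nodes[n].find_value(key)
                if kind == "value":
                    return payload, rounds
                shortlist.update(payload)   # learn about closer nodes
            shortlist = set(sorted(shortlist, key=lambda n: distance(n, key))[:K])


def resolve_c2(swarm: Swarm, bot: int, passphrase: str):
    """A bot knows only the passphrase; hashing it yields the DHT key."""
    return swarm.lookup(bot, kad_id(passphrase))


if __name__ == "__main__":
    swarm = Swarm(300)
    key = kad_id("correct horse battery staple")        # hypothetical passphrase
    c2_file = "c2: 198.51.100.10:443, 203.0.113.7:443"  # constructed, documentation IPs
    holders = swarm.publish(key, c2_file)
    bot = next(n for n in swarm.nodes if n not in holders)
    print(resolve_c2(swarm, bot, "correct horse battery staple"))
    print(resolve_c2(swarm, bot, "wrong passphrase"))
```

The defensive lesson is in `publish` and `lookup`: the operators can re-publish a new C2 file under the same key at any time, and the holders change as nodes join and leave, so blocking the addresses inside the file is useful only until the next publication, which is why the researchers also distribute file hashes and why a P2P botnet cannot be dismantled by seizing one server.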
Black Lotus Labs has developed methods to block traffic to the botnet's control infrastructure and is sharing indicators of compromise, including IP addresses and file hashes, through public feeds. Owners who suspect infection can compare their router's logs and outbound connections against those indicators, bearing in mind that many consumer routers do not log outbound connections by default, so an empty result is not proof of a clean device. To disinfect, perform a factory reset: a reboot alone is insufficient, because the malware re-establishes itself through a shell script that survives restarts. After the reset, install the latest firmware before exposing the router to the internet again, since the vulnerability that admitted the malware is otherwise still present, set a strong, unique administrator password, and disable remote (WAN-side) administration unless it is genuinely needed.
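As an added example of the log check described above (not tooling from Black Lotus Labs, and not their indicators), the following script parses a small comma-separated IOC feed and scans router log lines for any IP address or SHA-256 hash that appears in it. Both the feed and the log lines are constructed for this page: the IPs are from RFC 5737 documentation ranges and the "malicious" hash is a visibly fake placeholder. The feed format, the `/tmp/.k` filename and the log layout are assumptions for illustration only.

```python
"""Match router log lines against an IOC feed. Constructed example."""
import re
from dataclasses import dataclass, field

IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
SHA256 = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)

# Constructed feed for this example; these are NOT real KadNap indicators.
SAMPLE_FEED = """\
# type,value
ip,203.0.113.45
ip,198.51.100.7
sha256,DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
"""

# Constructed router log: firewall lines plus the output of a sha256sum run
# over /tmp. Line 1 is an outbound connection to a listed IP, line 4 an
# inbound one from a listed IP, line 6 a file whose hash is listed.
SAMPLE_LOG = """\
Mar 14 02:11:07 router kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.45 PROTO=TCP DPT=443
Mar 14 02:11:09 router dnsmasq[412]: query[A] pool.ntp.org from 192.168.1.23
Mar 14 02:12:40 router kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.23 DST=192.0.2.10 PROTO=TCP DPT=443
Mar 14 02:13:02 router kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=8443
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  /tmp/busybox
deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef  /tmp/.k
"""


@dataclass
class IocFeed:
    ips: set = field(default_factory=set)
    hashes: set = field(default_factory=set)

    @classmethod
    def parse(cls, text: str) -> "IocFeed":
        """Parse 'type,value' lines; blanks and '#' comments are skipped."""
        feed = cls()
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            kind, _, value = line.partition(",")
            if kind.strip() == "ip":
                feed.ips.add(value.strip())
            elif kind.strip() == "sha256":
                feed.hashes.add(value.strip().lower())   # normalise case once
        return feed


def scan_log(lines, feed: IocFeed):
    """Return (line_number, indicator_type, value) for every IOC match."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for ip in IPV4.findall(line):
            if ip in feed.ips:
                hits.append((lineno, "ip", ip))
        for digest in SHA256.findall(line):
            if digest.lower() in feed.hashes:
                hits.append((lineno, "sha256", digest.lower()))
    return hits


if __name__ == "__main__":
    feed = IocFeed.parse(SAMPLE_FEED)
    for lineno, kind, value in scan_log(SAMPLE_LOG.splitlines(), feed):
        print(f"line {lineno}: {kind} indicator matched: {value}")
```

In practice the feed text would come from the published indicators and the log lines from the router's syslog export or a `sha256sum` run over writable directories on the device; the matcher itself does not change. Note that the scan only sees what the router logged: if outbound connection logging is off, the first and third sample lines would never have existed, which is the gap the caveat above refers to.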