Takedown Resistant KadNap Botnet Infects Fourteen Thousand Asus Routers For Illicit Cybercrime Proxy Network Traffic

Security labs find a takedown resistant botnet targeting Asus routers. Learn how KadNap uses peer-to-peer tech to hide cybercrime traffic across the US.

By: AXL Media

Published: Mar 11, 2026, 6:08 PM EDT

Source: The information in this article was sourced from Ars Technica


Decentralized Architecture Defies Traditional Security Measures

Cybersecurity researchers at Lumen's Black Lotus Labs have uncovered a resilient botnet of roughly 14,000 infected routers and other network devices. The malware, tracked as KadNap, is notable for a peer-to-peer design that does without centralized command-and-control servers. It is built on Kademlia, a distributed hash table (DHT) protocol, which lets the operators publish instructions into the network without exposing their own identities or locations. Because no single server ties the infected nodes to their controllers, there is no single point of failure for authorities to seize, and that makes the network exceptionally difficult to dismantle.

Exploitation of Residential Network Vulnerabilities

The infection primarily targets Asus routers located in the United States, with smaller clusters detected in Taiwan, Hong Kong, and Russia. According to Chris Formosa, a researcher at Black Lotus Labs, the concentration of specific hardware models suggests the attackers have acquired or developed a reliable exploit for unpatched vulnerabilities common to these devices. Although the malware itself is advanced, the researchers believe it is most likely exploiting known security flaws rather than undisclosed zero-day vulnerabilities. This highlights a persistent risk in residential networking: home users frequently neglect firmware updates, leaving devices exposed to conscription into criminal proxy networks. The practical defense is unglamorous but effective, keeping router firmware current, disabling remote administration on the WAN side, and retiring devices the vendor no longer patches.

The Mechanics of Peer to Peer Evasion

KadNap's resilience is rooted in Kademlia's 160-bit space of keys and node IDs, which the protocol organizes by XOR distance: the distance between two IDs is the integer value of their bitwise XOR, so nodes whose IDs share a long common prefix are "close," and each step of a lookup moves to a node whose ID is closer to the target key. Rather than reaching out to a static IP address, an infected device asks the peers it already knows for the specific "passphrase" or key under which instructions are published, iterating toward the nodes nearest that key. This lets the botnet scale and stay fault tolerant: if individual nodes are taken offline, lookups simply route around them through other peers that hold the same data. According to Formosa, the malware even bootstraps through BitTorrent entry nodes to begin its search for control files, so its traffic blends into legitimate peer-to-peer data streams.
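To make the mechanism described in the two sections above concrete (the Kademlia DHT design, and the XOR-distance lookup that routes around nodes that have been taken offline), here is a toy Kademlia-style network written for this article. It is an added illustration, not KadNap's code and not Black Lotus Labs' analysis tooling: the node IDs, the key name "operator-passphrase," the stored payload, and the network size and takedown counts are all constructed for the demo, and nothing here reflects the malware's real wire protocol. It models the core ideas only: 160-bit IDs, XOR distance, k-buckets, STORE onto the K closest nodes, and an iterative FIND_VALUE that skips dead peers.

```python
"""Toy Kademlia-style DHT: 160-bit IDs, XOR distance, k-buckets and an
iterative FIND_VALUE that still resolves after nodes are taken offline.
Constructed illustration for this article; not KadNap code."""
import hashlib
import random

ID_BITS = 160   # Kademlia's key/node-ID space (also used by BitTorrent's DHT)
K = 20          # k-bucket size and replication factor
ALPHA = 3       # queries issued per lookup round


def node_id(seed: str) -> int:
    """Derive a 160-bit ID from a label; SHA-1 is the conventional choice here."""
    return int.from_bytes(hashlib.sha1(seed.encode()).digest(), "big")


def xor_distance(a: int, b: int) -> int:
    """Kademlia's metric: the integer value of a XOR b (symmetric, d(a, a) == 0)."""
    return a ^ b


def bucket_index(a: int, b: int) -> int:
    """Highest differing bit, i.e. which k-bucket b falls into from a's point of view."""
    return xor_distance(a, b).bit_length() - 1


class Node:
    def __init__(self, nid: int):
        self.id = nid
        self.buckets = {}   # bucket index -> list of up to K peer IDs
        self.store = {}     # key -> value replicated onto this node

    def add_peer(self, pid: int) -> None:
        if pid == self.id:
            return
        bucket = self.buckets.setdefault(bucket_index(self.id, pid), [])
        if pid not in bucket and len(bucket) < K:
            bucket.append(pid)

    def closest(self, key: int, k: int = K) -> list:
        """What a FIND_NODE/FIND_VALUE reply carries: the k known peers nearest the key."""
        peers = [p for b in self.buckets.values() for p in b]
        return sorted(peers, key=lambda p: xor_distance(p, key))[:k]


class Network:
    def __init__(self, n_nodes: int, seed: int = 1):
        self.rng = random.Random(seed)
        ids = [node_id(f"node-{i}") for i in range(n_nodes)]   # constructed node IDs
        self.nodes = {nid: Node(nid) for nid in ids}
        for node in self.nodes.values():       # fill each routing table
            self.rng.shuffle(ids)
            for pid in ids:
                node.add_peer(pid)

    def store(self, key: int, value) -> list:
        """STORE: replicate the value onto the K live nodes closest to the key."""
        targets = sorted(self.nodes, key=lambda n: xor_distance(n, key))[:K]
        for t in targets:
            self.nodes[t].store[key] = value
        return targets

    def take_down(self, nid: int) -> None:
        """Simulate a takedown: the node vanishes, but stale references to it remain."""
        del self.nodes[nid]

    def find_value(self, start: int, key: int):
        """Iterative lookup from `start`; dead peers are skipped. Returns (value, hops)."""
        queried, known, hops = set(), {start}, 0
        while True:
            live = [n for n in known if n in self.nodes]
            todo = [n for n in sorted(live, key=lambda n: xor_distance(n, key))[:K]
                    if n not in queried]
            if not todo:
                return None, hops
            for nxt in todo[:ALPHA]:
                queried.add(nxt)
                hops += 1
                node = self.nodes[nxt]
                if key in node.store:
                    return node.store[key], hops
                known.update(node.closest(key))   # learn peers closer to the key


def demo(n_nodes: int = 120, removed_replicas: int = 10, removed_random: int = 20) -> dict:
    """Publish a 'control file' under a key, knock out half its replicas plus random
    nodes, and check that lookups from surviving nodes still resolve it."""
    net = Network(n_nodes)
    key = node_id("operator-passphrase")          # constructed key, not the real one
    replicas = net.store(key, b"instructions")    # constructed payload
    for nid in replicas[:removed_replicas]:       # take down the closest replicas
        net.take_down(nid)
    others = [n for n in net.nodes if n not in replicas]
    for nid in net.rng.sample(others, removed_random):
        net.take_down(nid)
    starts = net.rng.sample(list(net.nodes), 5)
    results = [net.find_value(s, key) for s in starts]
    return {
        "live_nodes": len(net.nodes),
        "all_resolved": all(v == b"instructions" for v, _ in results),
        "max_hops": max(h for _, h in results),
    }
```

The takedown step is the point of the exercise: the removed nodes still appear in other nodes' routing tables, but `find_value` filters them out and keeps walking toward whichever live peers are closest to the key. Defensively, the same property explains why seizing a handful of infected routers does nothing to the botnet; remediation has to happen on each device.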
