14,000 routers are infected with malware that is difficult to remove.

Security researchers have reported that approximately 14,000 network devices, mainly ASUS routers, are infected with malware called 'KadNap,' which is extremely difficult to remove.
KadNap Malware Turning Asus Routers Into Botnets
14,000 routers are infected by malware that's highly resistant to takedowns - Ars Technica
https://arstechnica.com/security/2026/03/14000-routers-are-infected-by-malware-thats-highly-resistant-to-takedowns/
Chris Formosa, a researcher at Black Lotus Labs, a subsidiary of security firm Lumen, has reported to technology media outlet Ars Technica that malware called 'KadNap' has been detected on some network devices. KadNap spreads by exploiting vulnerabilities that network device owners have not patched.

KadNap has primarily been detected on ASUS routers, likely because the threat actors operating the malware possess reliable exploits for vulnerabilities affecting specific routers. However, Formosa stated that it is 'unlikely' that the threat actors exploited zero-day vulnerabilities in this attack.
Approximately 14,000 routers are currently infected with KadNap, down from 10,000 when Black Lotus Labs first detected it in August 2025. Infected devices are concentrated in the United States, but small numbers are also found in Taiwan, Hong Kong, and Russia. One of KadNap's most notable features is its sophisticated peer-to-peer design, based on
Formosa stated, 'The KadNap botnet stands out among other botnets that support anonymous proxies in that it utilizes a peer-to-peer network for distributed control. Their objective is clear: to evade detection and make it difficult for defenders to defend against them.'

Distributed hash tables are a technology that has been used for many years to build robust peer-to-peer networks. Instead of one or more central servers directly controlling nodes and providing IP addresses for other nodes, any node can poll other nodes to find the devices or servers it is looking for. This makes the network highly resilient to downtime and denial-of-service attacks.
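To make the resilience claim above concrete, here is a small simulation of a Kademlia-style lookup (XOR distance, k-entry routing buckets, iterative FIND_NODE queries). It is an added illustration, not code from the article, from Black Lotus Labs, or from any real botnet; the node IDs, the routing tables and the "takedown" that marks a random 30% of peers as unreachable are all constructed. It shows what the article describes: with no central server to seize, a lookup still finds its target after a large share of peers has been removed, because every node can ask the peers it knows for closer ones.

```python
"""Toy Kademlia-style DHT lookup to show why removing a fraction of peers
does not break peer discovery.  Constructed illustration for the article
above; not code from any real network."""
import random

ID_BITS = 16          # small ID space keeps the simulation fast
K = 4                 # entries kept per routing bucket (Kademlia's "k")


def xor_distance(a: int, b: int) -> int:
    """Kademlia distance metric."""
    return a ^ b


def bucket_index(a: int, b: int) -> int:
    """Routing bucket for b as seen from a: position of the highest
    differing bit (a != b assumed)."""
    return (a ^ b).bit_length() - 1


class Node:
    def __init__(self, node_id: int):
        self.id = node_id
        self.alive = True
        self.buckets = [[] for _ in range(ID_BITS)]

    def fill_routing_table(self, all_ids):
        """Keep up to K nearest peers per bucket.  Real nodes learn peers
        gradually; filling from the full list is a constructed shortcut."""
        for other in all_ids:
            if other != self.id:
                self.buckets[bucket_index(self.id, other)].append(other)
        for b in self.buckets:
            b.sort(key=lambda x: xor_distance(self.id, x))
            del b[K:]

    def find_node(self, target: int):
        """Answer a FIND_NODE query with the K known IDs closest to target,
        or None if this node is down (the query times out)."""
        if not self.alive:
            return None
        known = [x for b in self.buckets for x in b]
        known.sort(key=lambda x: xor_distance(x, target))
        return known[:K]


class Network:
    def __init__(self, size: int, rng: random.Random):
        ids = rng.sample(range(1, 1 << ID_BITS), size)   # unique constructed IDs
        self.nodes = {i: Node(i) for i in ids}
        for n in self.nodes.values():
            n.fill_routing_table(ids)

    def take_down(self, fraction: float, rng: random.Random):
        """Simulate a takedown that knocks out a random fraction of peers."""
        victims = rng.sample(list(self.nodes), int(fraction * len(self.nodes)))
        for v in victims:
            self.nodes[v].alive = False
        return victims

    def lookup(self, start: int, target: int):
        """Iterative lookup from `start`: query the closest unqueried peer
        until the target itself answers, or no untried peer remains.
        Returns the number of queries sent, or None on failure."""
        initial = self.nodes[start].find_node(target)
        if initial is None:
            return None
        shortlist, queried, queries = set(initial), set(), 0
        while True:
            candidates = sorted(shortlist - queried,
                                key=lambda x: xor_distance(x, target))
            if not candidates:
                return None
            nxt = candidates[0]
            queried.add(nxt)
            queries += 1
            reply = self.nodes[nxt].find_node(target)
            if reply is None:          # peer is down: fall back to the next one
                continue
            if nxt == target:
                return queries
            shortlist.update(reply)    # learn closer peers from the answer


def success_rate(net: Network, trials: int, rng: random.Random) -> float:
    """Fraction of lookups between random live peers that succeed."""
    alive = [i for i, n in net.nodes.items() if n.alive]
    ok = sum(net.lookup(*rng.sample(alive, 2)) is not None for _ in range(trials))
    return ok / trials


if __name__ == "__main__":
    rng = random.Random(7)
    net = Network(300, rng)
    print("before takedown:", success_rate(net, 200, rng))
    net.take_down(0.3, rng)
    print("after 30% of peers removed:", success_rate(net, 200, rng))
```

With all peers up, every lookup succeeds by construction. After 30% of peers are silenced, the large majority still succeed, because each responding peer contributes its own K candidates and the querying node simply routes around the ones that time out. That is the property defenders are up against: sinkholing a handful of addresses does not cut the rest of the network off, which is why Ars Technica's advice focuses on cleaning and hardening the individual devices rather than waiting for a takedown.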
Devices infected with KadNap are used to relay traffic for the paid proxy service 'Doppelganger.' Doppelganger tunnels its customers' internet traffic primarily through the residential internet connections of the infected devices. Because those connections offer high bandwidth and clean IP addresses, the service gives customers a reliable way to access sites efficiently and anonymously that they might not otherwise be able to reach.
Because KadNap saves a shell script that runs when the infected router is restarted, simply restarting the device will not remove the infection. Therefore, completely removing KadNap requires restoring the device to factory settings. Ars Technica also advises network equipment owners to ensure that all available firmware updates are installed, that the administrator password is strong, and that remote access is disabled unless it is needed.
in Security, Posted by logu_ii