Full Report
A newly discovered botnet malware called KadNap is targeting primarily ASUS routers and other edge networking devices to turn them into proxies for malicious traffic. [...]
Analysis Summary
# Tool/Technique: KadNap
## Overview
KadNap is a sophisticated botnet malware discovered in early 2026 (with activity dating back to August 2025) that primarily targets edge networking devices, specifically ASUS routers. Its primary purpose is to conscript these devices into a peer-to-peer (P2P) network used as a residential proxy service, marketed under the "Doppelganger" brand. It utilizes a customized DHT protocol to obfuscate its command-and-control (C2) infrastructure.
## Technical Details
- **Type:** Malware Family / Botnet
- **Platform:** Linux-based edge devices (MIPS/ARM architectures common in routers); ELF binaries.
- **Capabilities:** Persistence, P2P communication, residential proxying, C2 concealment via DHT.
- **First Seen:** August 2025 (Reporting emerged March 2026).
## MITRE ATT&CK Mapping
- **[TA0042 - Resource Development]**
- [T1584.008 - Compromise Infrastructure: Network Devices] (routers are compromised to serve as proxy infrastructure for the Doppelganger service)
- **[TA0003 - Persistence]**
- [T1053.003 - Scheduled Task/Job: Cron]
- **[TA0011 - Command and Control]**
- [T1568 - Dynamic Resolution] (Note: peers and controllers are located through the custom Kademlia DHT rather than through DNS. This is not a domain generation algorithm, so the DGA sub-technique T1568.002 does not apply and only the parent technique is mapped.)
- [T1090.002 - Proxy: External Proxy] (loose fit: the infected router itself becomes the external proxy offered to third parties, rather than the malware routing its own C2 through one)
- **[TA0005 - Defense Evasion]**
- The decentralised DHT conceals the C2 infrastructure from network defenders rather than hiding artifacts on the host, so T1564 - Hide Artifacts is not an accurate fit; the concealment is already covered by the Dynamic Resolution mapping above. Port knocking (T1205.001) likewise does not apply: the modified Kademlia protocol is the C2 transport itself, not a sequence of connection attempts that opens a closed port.
## Functionality
### Core Capabilities
- **Infection & Persistence:** Deploys via a shell script (`aic.sh`) that installs a cron job executing the payload every 55 minutes. The recurring entry re-launches the malware if its process is killed and, provided the crontab itself survives a restart on the device's storage, after a reboot.
- **System Reconnaissance:** Determines the host's external IP address and queries multiple NTP servers to synchronize system time and calculate uptime.
- **Proxying:** Turns the infected router into a node for the "Doppelganger" proxy service, allowing third-party malicious traffic to be routed through the victim's residential IP.
### Advanced Features
- **Custom Kademlia DHT:** Uses a modified version of the Kademlia Distributed Hash Table protocol. This allows decentralized peer discovery, making it difficult for defenders to map the full extent of the C2 infrastructure or sinkhole the botnet.
- **Tiered Infrastructure:** Infrastructure is segmented; nearly half of the botnet is dedicated specifically to ASUS-based bots, while others communicate with separate control clusters.
## Indicators of Compromise
- **File Hashes (SHA256):**
- *Note: No hashes are given in the source text; match on the file names and behaviours below.*
- **File Names:**
- `aic.sh` (installation script)
- `kad` (main ELF executable)
- **Network Indicators:**
- `212.104.141[.]140` (Payload delivery/Initial contact)
- Custom Kademlia DHT traffic (P2P)
- **Behavioral Indicators:**
- Unexpected cron jobs running every 55 minutes, particularly ones that launch a binary from a writable location.
- Outbound NTP requests to multiple external servers from networking hardware that is not configured to use them (baseline the device's legitimate NTP settings first, since routers do query NTP on their own).
- Sustained outbound connections from the router to many unrelated destinations, consistent with it relaying third-party traffic as a proxy exit node.
## Associated Threat Actors
- **Doppelganger (Proxy Service):** Believed to be a rebrand of the "Faceless" service.
- **TheMoon:** Historically associated with the same infrastructure and techniques targeting ASUS routers.
## Detection Methods
- **Signature-based detection:** Scanning for the `kad` ELF binary and the `aic.sh` script on router filesystems. File names are trivial for the operators to change, so pair this with the behavioural checks below.
- **Behavioral detection:** Monitoring for unauthorized modifications to `crontab` on edge devices.
- **Network Monitoring:** Identifying traffic patterns consistent with the Kademlia DHT protocol originating from edge devices that typically do not perform P2P functions.
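As an added example (not code from the report, from KadNap, or from any vendor tool), the following Python turns the behavioural indicators and the detection methods above into two checks that can be run against exported data: a crontab audit that flags a 55-minute schedule or a reference to `kad`/`aic.sh`, and a flow-level heuristic that flags an edge device talking UDP to an unusually large number of distinct peers, which is the shape of DHT peer discovery. The crontab, the flow records, the `SUSPECT_STEP` value, the peer threshold and the flow tuple layout are all constructed samples and assumptions, not taken from the report.

```python
"""Added example, not code from the report or from KadNap itself.

Two checks for the behaviours the write-up describes: a cron entry on a
55-minute cadence that launches a file named `kad` or `aic.sh`, and an
edge device talking P2P-style to many distinct peers. All inputs below
are constructed samples, not real captures.
"""
import re
from collections import defaultdict
from typing import Optional

# File names the report associates with the infection chain.
SUSPECT_NAMES = {"kad", "aic.sh"}
# Assumption: a "55-minute" job shows up as a `*/55` step in the minute
# field. Standard cron actually fires `*/55` at :00 and :55 of each hour,
# so the real interval alternates between 55 and 5 minutes; the step value
# is still the thing to match on.
SUSPECT_STEP = 55


def cron_minute_step(minute_field: str) -> Optional[int]:
    """Return N for a `*/N` minute field, otherwise None."""
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    return int(m.group(1)) if m else None


def suspicious_cron_entries(crontab_text: str) -> list:
    """Flag crontab lines whose schedule or command matches the report.

    Handles both five-field schedules and `@reboot`-style shorthand, so a
    persistence entry that hides behind `@reboot` is not skipped.
    """
    findings = []
    for lineno, raw in enumerate(crontab_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                 # @reboot, @hourly, ...
            _, _, command = line.partition(" ")
            minute = None
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue                         # not a schedule + command
            minute, command = parts[0], parts[5]
        reasons = []
        if minute is not None and cron_minute_step(minute) == SUSPECT_STEP:
            reasons.append("55-minute schedule")
        # Compare basenames so /tmp/kad, ./kad and `sh aic.sh` all match.
        for token in re.split(r"[\s;&|]+", command):
            base = token.rsplit("/", 1)[-1]
            if base in SUSPECT_NAMES:
                reasons.append("references " + base)
                break
        if reasons:
            findings.append({"line": lineno, "entry": line, "reasons": reasons})
    return findings


def p2p_fanout_sources(flows, min_peers: int = 20) -> dict:
    """Return {src_ip: distinct_peer_count} for sources that talk UDP to at
    least `min_peers` distinct (dst_ip, dst_port) pairs on unprivileged
    ports. A home router normally has a handful of UDP peers (DNS, NTP);
    a DHT node has dozens. `flows` is an iterable of
    (src_ip, dst_ip, dst_port, proto) tuples, e.g. from NetFlow/conntrack.
    """
    peers = defaultdict(set)
    for src, dst, dport, proto in flows:
        if proto == "udp" and dport >= 1024:
            peers[src].add((dst, dport))
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}


# --- constructed samples ---------------------------------------------------
SAMPLE_CRONTAB = """\
# constructed router crontab, not a real capture
0 3 * * * /sbin/logrotate
*/5 * * * * /usr/bin/ntpclient -s -h pool.ntp.org
*/55 * * * * /tmp/kad
@reboot /tmp/aic.sh
"""

SAMPLE_FLOWS = (
    # the router (192.168.1.1) talking to 25 distinct UDP peers on high ports
    [("192.168.1.1", "203.0.113.%d" % i, 6881 + i, "udp") for i in range(1, 26)]
    # the same router doing NTP (port 123 is privileged, so it is ignored)
    + [("192.168.1.1", "203.0.113.99", 123, "udp")]
    # a laptop with ordinary HTTPS traffic
    + [("192.168.1.50", "198.51.100.7", 443, "tcp")] * 3
)

if __name__ == "__main__":
    for f in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("cron line %d: %s  [%s]" % (f["line"], f["entry"], ", ".join(f["reasons"])))
    print("P2P fan-out:", p2p_fanout_sources(SAMPLE_FLOWS))
```

On a live device the crontab text would come from `crontab -l` or the cron spool directory, and the flows from a NetFlow collector or the router's own conntrack table; the peer threshold should be tuned against a baseline of the device's normal UDP fan-out, since some consumer routers legitimately run UPnP or media services that widen it.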
## Mitigation Strategies
- **Prevention measures:** Ensure router management interfaces are not exposed to the public internet. Change default administrative credentials immediately.
- **Hardening recommendations:** Keep router firmware updated to the latest version to patch vulnerabilities typically exploited for initial access.
- **Device Auditing:** Regularly audit cron jobs and active processes on edge networking equipment.
## Related Tools/Techniques
- **TheMoon Botnet:** A predecessor/related malware that also targeted ASUS routers for proxy services.
- **Kademlia DHT:** The legitimate P2P protocol upon which KadNap’s C2 mechanism is built.
- **Faceless Proxy Service:** The suspected predecessor to the Doppelganger service.