Asus router? P2P distributed malware network
Researchers at Lumen’s Black Lotus Labs found a botnet of about 14,000 routers, mostly Asus, that have been infected with malware called KadNap. The infected devices are being used as a proxy network to anonymously tunnel traffic for a fee-based service called Doppelganger. Most of the compromised routers are in the US. The malware exploits unpatched vulnerabilities and uses a peer-to-peer design based on Kademlia, the same structure that powers BitTorrent, which makes it highly resistant to traditional takedowns.
My Take
The technical design here is worth understanding. Most botnets have centralized command servers that researchers can identify and shut down. KadNap uses distributed hash tables instead, so there’s no single point to target. Each infected router stores pieces of the network map and can find other nodes without ever connecting to a central server. The only way to fully kill it is to sever every connected device at once, which isn’t realistic when you’re talking about 14,000 routers in people’s homes.
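As an added illustration (not from the Lumen report or any KadNap code), this Python sketch shows why a Kademlia-style DHT has no single point to take down: each node keeps only a K-bucket slice of the network map, and an iterative XOR-distance lookup still reaches every surviving node after a few are removed. The node labels, K = 4 and the 64-node size are constructed assumptions for the demo.

```python
import hashlib
import random

K = 4  # Kademlia bucket size; kept small so the demo is readable (assumption)


def node_id(label: str) -> int:
    """160-bit node ID derived from a label; labels are constructed for the demo."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big")


def distance(a: int, b: int) -> int:
    """Kademlia's XOR metric."""
    return a ^ b


def build_routing_tables(ids):
    """Each node keeps at most K peers per XOR-distance bucket: a local slice
    of the network map, never the whole map and never a central index."""
    tables = {}
    for me in ids:
        buckets = {}
        for other in ids:
            if other != me:
                i = distance(me, other).bit_length() - 1  # bucket index
                buckets.setdefault(i, [])
                if len(buckets[i]) < K:
                    buckets[i].append(other)
        tables[me] = {p for b in buckets.values() for p in b}
    return tables


def find_node(live, tables, start, target):
    """Iterative FIND_NODE: keep querying the K closest known live nodes until
    none of them yields anything closer. Returns the closest live ID found."""
    shortlist, queried = {start}, set()
    while True:
        closest = sorted((i for i in shortlist if i in live),
                         key=lambda i: distance(i, target))[:K]
        pending = [i for i in closest if i not in queried]
        if not pending:
            return closest[0]
        for peer in pending:
            queried.add(peer)
            shortlist |= tables[peer]  # only live peers are ever asked


def demo(n_nodes=64, removed=K - 1, seed=1):
    """Build an n-node network, take down `removed` random nodes, and count how
    many (survivor, survivor) lookups fail to locate their target."""
    rng = random.Random(seed)
    ids = [node_id(f"router-{i}") for i in range(n_nodes)]
    tables = build_routing_tables(ids)
    live = set(ids) - set(rng.sample(ids, removed))
    alive = sorted(live)
    failures = sum(1 for a in alive for b in alive if find_node(live, tables, a, b) != b)
    return len(alive), failures
```

With fewer than K nodes removed, every bucket a lookup needs still holds at least one live entry, so `demo()` reports zero failed lookups among the survivors.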
The infection persists through reboots because the malware stores a shell script that runs on startup. A simple restart won’t fix it. You have to factory reset the router, update the firmware, change the admin password, and disable remote access. Most people won’t do any of that because most people don’t know their router is compromised. Black Lotus says the number of infected devices has grown from 10,000 to 14,000 since August, so whatever is happening, it’s not slowing down.