An elaborate new malware campaign that turns vulnerable ASUS routers into a large, stealthy proxy network for cybercriminals has been uncovered. Dubbed KadNap, the botnet was built to evade traditional detection, and it shows how vulnerabilities in unpatched, unmonitored ASUS routers can rapidly scale into a global infrastructure for abuse.
If you’re wondering whether your router could be next, keep reading: later in the article we show how to detect vulnerabilities automatically using Fing.
ASUS Routers Hacked by KadNap
First seen in August 2025, KadNap has already infected more than 14,000 edge devices, with ASUS routers making up most of the victims and more than 60% located in the United States. The attack begins with a malicious shell script (aic.sh) that is downloaded to the router, sets up a cron job, renames itself to “.asusrouter,” and then pulls down a malicious ELF binary called “kad.” Once installed, this binary fully compromises the router, giving operators persistent remote control over an unassuming device.
KadNap then implements a custom version of the Kademlia Distributed Hash Table (DHT) protocol, a peer-to-peer system normally used by technologies such as BitTorrent. Instead of contacting a single, easily blockable command-and-control (C2) server, infected routers “phone friends” across the DHT, following a chain of peers to reach hidden KadNap infrastructure. This decentralized design lets the botnet's C2 traffic blend into legitimate P2P traffic, making it much harder for defenders to spot and blacklist the C2 nodes.
Botnet Evolves into Criminal Proxy Service
Once a router joins KadNap, it is enrolled into a commercial proxy service called Doppelganger, believed to be a rebrand of the Faceless service previously powered by TheMoon malware. Criminal customers can then rent access to these hacked ASUS routers, which route brute-force attacks, credential-stuffing campaigns, or targeted exploitation through what appear to be ordinary residential IP addresses. Not every infected device communicates with every C2, suggesting that operators segment their infrastructure by device type and model to better monetize specific victim groups.
Recent ASUS Router Cyberattacks
KadNap is, unfortunately, the latest entry in a broader pattern of ASUS routers being hacked at scale. The previously covered Operation WrtHug documented how multiple AiCloud-enabled ASUS models were exploited via authentication-bypass bugs and other flaws, turning more than 50,000 devices into an espionage-focused botnet. In 2025, operations such as PolarEdge and another backdoor uncovered by GreyNoise similarly abused an ASUS router vulnerability to conscript thousands more routers into stealthy proxy networks.
Secure Your Router Before It’s Too Late
To defend against ASUS router vulnerabilities and botnet recruitment, users should:
- Regularly update router firmware to ensure patches for any known ASUS router vulnerability are applied.
- Disable unnecessary services like AiCloud and remote management if not in use.
- Change default credentials to strong, unique passwords.
- Conduct vulnerability scans with tools such as the Fing Router Vulnerability Check, which identifies exposed ports and risky configurations.
- Consider a factory reset if compromise is suspected, and audit network devices for unauthorized changes.
For step-by-step security checks, users can refer to Fing’s comprehensive router security guide, which includes automated scan options and actionable alerts for vulnerable setups.
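For the audit step above, the infection chain described earlier leaves three named artifacts (aic.sh, .asusrouter, kad) plus a cron entry. The shell function below is an added example, not part of the original article or any vendor tool; it searches a filesystem tree for them. The function name `kadnap_scan` and the assumption that cron data lives under a path containing "cron" are illustrative.

```shell
#!/bin/sh
# Added example: search a filesystem tree for the KadNap artifacts the article
# names (aic.sh, .asusrouter, kad). The file names come from the article; the
# cron location and the function name are assumptions for illustration.

# Prints one line per finding: "FILE <path>", "ELF <path>" or "CRON <path>".
kadnap_scan() {
    root="${1:-/}"
    r="${root%/}"   # strip trailing slash so the prune paths below match

    # Dropper script, its renamed copy, and the payload name from the article.
    find "$root" \( -path "$r/proc" -o -path "$r/sys" \) -prune -o \
        -type f \( -name 'aic.sh' -o -name '.asusrouter' -o -name 'kad' \) \
        -print 2>/dev/null |
    while IFS= read -r f; do
        echo "FILE $f"
        # The article describes "kad" as an ELF binary: confirm the magic bytes.
        if [ "${f##*/}" = "kad" ]; then
            magic=$(head -c 4 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')
            if [ "$magic" = "7f454c46" ]; then echo "ELF $f"; fi
        fi
    done

    # Cron persistence: any file under a path containing "cron" (assumed
    # location) that references the script under either of its names.
    find "$root" \( -path "$r/proc" -o -path "$r/sys" \) -prune -o \
        -type f -path '*cron*' -print 2>/dev/null |
    while IFS= read -r f; do
        if grep -qE 'aic\.sh|\.asusrouter' "$f" 2>/dev/null; then echo "CRON $f"; fi
    done
    return 0
}

# Usage: sh scan.sh /            (on the router, over SSH)
#        sh scan.sh /mnt/image   (against a mounted filesystem dump)
if [ "$#" -gt 0 ]; then kadnap_scan "$1"; fi
```

A hit on a FILE plus a matching CRON line is a strong signal to factory-reset and reflash; an empty result does not rule out compromise, since file names are trivial for an operator to change.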
KadNap demonstrates the evolving danger posed by neglected and legacy hardware in home and office networks. Vigilance, proactive updates, and the use of security tools are crucial in disrupting these global botnet campaigns before they take root.
Uncover Router Vulnerabilities Automatically Using Fing
You don’t need to wait for an article like this to discover your router, and potentially your entire network, has been compromised. A practical tool for assessing your router’s security is the Fing Router Vulnerability Check, available with all Fing subscriptions. This feature scans your router for known issues — including open ports that leave the device exposed to remote attacks — and alerts you to configuration risks, helping you detect potential compromises early.
Via Lumen