KadNap is a takedown-resistant botnet formed by around 14,000 infected routers and other network devices, primarily Asus models, used to relay anonymous proxy traffic for cybercrime.

The malware selectively infects Asus routers to create a malicious proxy botnet, exploiting broadly vulnerable devices rather than relying on zero-days.

Its architecture mirrors other DHT-backed networks like BitTorrent and IPFS, enabling nodes to query peers to locate devices without centralized control.

Researchers describe KadNap as using a DHT to establish robust, hard-to-disrupt communication channels that blend with legitimate peer-to-peer traffic.

KadNap’s decentralized design distributes control and hides critical infrastructure, making takedowns and law-enforcement actions more difficult.

Infections average about 14,000 devices daily, with the majority in the United States and smaller numbers in Taiwan, Hong Kong, and Russia.

Experts believe operators leveraged unpatched firmware on Asus routers rather than zero-days, pointing to firmware neglect as the root cause.

The campaign does not target Asus specifically; it exploits broadly vulnerable routers, suggesting widespread product security gaps.

The threat is framed as a dangerous cybercrime proxy network, with infected devices relaying malicious traffic rather than directly stealing user data.

KadNap uses a custom Kademlia-based DHT to build a peer-to-peer network that conceals IP addresses of command-and-control servers and enhances resilience.

The DHT-P2P design makes KadNap resistant to traditional takedowns and difficult to detect or disrupt.

Since its emergence, KadNap has infected over 14,000 devices, with about 60% in the United States and the rest spread across Taiwan, Hong Kong, Russia, the United Kingdom, Australia, Brazil, France, Italy, and Spain.