KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet  Ravie Lakshmanan  Mar 10, 2026 Malware / Network Security Cybersecurity researchers have discovered a new malware called KadNap that's primarily targeting Asus routers to enlist them into a botnet for proxying malicious traffic. The malware, first detected in the wild in August 2025, has expanded to over 14,000 infected devices, with more than 60% of victims located in the U.S., according to the Black Lotus Labs team at Lumen. A lesser number of infections have been detected in Taiwan, Hong Kong, Russia, the U.K., Australia, Brazil, France, Italy, and Spain. "KadNap employs a custom version of the Kademlia Distributed Hash Table ( DHT ) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring," the cybersecurity company said in a report shared with The Hacker News. Compromised nodes in the network leverage the DHT protocol to locate and connect with a command-and-control (C2) server, thereby making it resilient to detection and disruption efforts. Once devices are successfully compromised, they are marketed by a proxy service named Doppelgänger ("doppelganger[.]shop"), which is assessed to be a rebrand of Faceless , another proxy service associated with TheMoon malware. Doppelgänger, according to its website, claims to offer resident proxies in over 50 countries that provide "100% anonymity." The service is said to have launched in May/June 2025. Despite the focus on Asus routers, the operators of KadNap have been found to deploy the malware against an assorted set of edge networking devices. Central to the attack is a shell script ("aic.sh") that's downloaded from the C2 server ("212.104.141[.]140"), which is responsible for initiating the process of conscripting the victim to the P2P network. The file creates a cron job to retrieve the shell script from the server at the 55-minute mark of every hour, rename it to ".asusrouter," and run it. Once persistence is established, the script pulls a malicious ELF file, renames it to "kad," and executes it. This, in turn, leads to the deployment of KadNap. The malware is capable of targeting devices running both ARM and MIPS processors. KadNap is also designed to connect to a Network Time Protocol (NTP) server to fetch the current time and store it along with the host uptime. This information serves as a basis to create a hash that's used to locate other peers in the decentralized network to receive commands or download additional files. The files – fwr.sh and /tmp/.sose – contains functionality to close port 22, the standard TCP port for Secure Shell (SSH), on the infected device and extract a list of C2 IP address:port combinations to connect to. "In short, the innovative use of the DHT protocol allows the malware to establish robust communication channels that are difficult to disrupt, by hiding in the noise of legitimate peer-to-peer traffic," Lumen said. Further analysis has determined that not all compromised devices communicate with every C2 server, indicating the infrastructure is being categorized based on device type and models. The Black Lotus Labs team told The Hacker News that Doppelgänger's bots are being abused by threat actors in the wild. "One issue there has been since these Asus (and other devices) are also sometimes co-infected with other malware, it is tricky to say who exactly is responsible for a specific malicious activity," the company said. Users running SOHO routers are advised to keep their devices up to date, reboot them regularly, change default passwords, secure management interfaces, and replace models that are end-of-life and are no longer supported. "The KadNap botnet stands out among others that support anonymous proxies in its use of a peer-to-peer network for decentralized control," Lumen concluded. "Their intention is clear, avoid detection and make it difficult for defenders to protect against." New Linux Threat ClipXDaemon Emerges The disclosure comes as Cyble detailed a new Linux threat dubbed ClipXDaemon that's designed to target cryptocurrency users by intercepting and altering copied wallet addresses. The clipper malware , delivered via Linux post-exploitation framework called ShadowHS, has been described as an autonomous cryptocurrency clipboard hijacker targeting Linux X11 environments. Staged entirely in memory, the malware employs stealth techniques, such as process masquerading and Wayland session avoidance, while simultaneously monitoring the clipboard every 200 milliseconds and substituting cryptocurrency addresses with attacker-controlled wallets. It's capable of targeting Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON wallets. The decision to avoid execution in Wayland sessions is deliberate, as the display server protocol's security architecture places additional controls, like requiring explicit user interaction, before applications can access the clipboard content. In disabling itself under such scenarios, the malware aims to eliminate noise and avoid runtime failure. "ClipXDaemon differs fundamentally from traditional Linux malware. It contains no command-and-control (C2) logic, performs no beaconing, and requires no remote tasking," the company said . "Instead, it monetizes victims directly by hijacking cryptocurrency wallet addresses copied in X11 sessions and replacing them in real time with attacker-controlled addresses." Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post. SHARE      Tweet  Share  Share  Share   Share on Facebook  Share on Twitter  Share on Linkedin  Share on Reddit  Share on Hacker News  Share on Email  Share on WhatsApp Share on Facebook Messenger  Share on Telegram SHARE  ASUS , botnet , cryptocurrency , cybersecurity , linux , Malware , network security , router security , Threat Intelligence Trending News ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday Popular Resources Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths Identity Controls Checklist: Find Missing Protections in Apps