KadNap Botnet Exploits Edge Devices: 14,000 Routers Hijacked for Stealth Proxying

The perimeter is no longer just the firewall; it is the router sitting in the receptionist's closet or the home office of your remote CEO. Cybersecurity researchers at Black Lotus Labs have uncovered a significant threat targeting this exact weak point: KadNap.

This emerging malware has successfully enslaved over 14,000 edge devices—primarily Asus routers—turning them into nodes for a stealth proxy botnet. First detected in the wild in August 2025, the campaign has rapidly expanded, with over 60% of the victims located right here in the United States. This isn't just about knocking devices offline; it is about weaponizing your internet connection for malicious anonymity.

The Threat Landscape: Why Routers?

Edge devices like routers are the perfect victims for botnet operators. They are always on, rarely patched, and possess significantly more bandwidth than a standard workstation. By infecting these devices, attackers gain a high-bandwidth gateway to route malicious traffic—masking the origin of attacks, phishing campaigns, or credential stuffing operations.

KadNap specifically targets these devices to create a proxy network. When an attacker launches an attack, the traffic appears to come from the compromised IP of an innocent small business or home user, effectively bypassing basic geolocation blocks and reputation-based filtering.

Deep Dive: Analysis and TTPs

Understanding the mechanics of KadNap is crucial for defense. While the campaign is still evolving, analysis indicates that the malware leverages common vulnerabilities and misconfigurations typical in IoT and edge device environments.

Attack Vectors and Vulnerabilities

While specific CVEs are still being attributed to the initial infection vector of KadNap, router-based botnets typically exploit:

1. Unpatched Firmware: Many users never update router firmware. Attackers actively scan for older firmware versions with known command injection vulnerabilities (often CVEs dating back several years).
2. Weak Default Credentials: Brute-forcing SSH or Telnet ports using default usernames (like admin) and passwords remains a primary entry point.
3. Exposed Management Interfaces: Routers with remote management (WAN access) enabled are low-hanging fruit.

Tactics, Techniques, and Procedures (TTPs)

Once KadNap gains a foothold, it establishes persistence by modifying system startup scripts or injecting itself into the firmware environment (depending on the specific variant). The primary objective is proxying.

• C2 Communication: The infected device connects to a Command and Control (C2) server to receive instructions, which usually include target IP addresses and ports for proxying traffic.
• Traffic Relay: The malware sets up a tunnel (often SOCKS5 or HTTP proxy) on the device, allowing the operator to route traffic through the victim's ISP.
• Obfuscation: To avoid detection, the malware may masquerade as legitimate system processes or use modified binaries to blend in with the router's OS.

Detection and Threat Hunting

Detecting a compromised router can be difficult because the device continues to function normally for the user. However, there are tell-tale signs that SOC analysts and network administrators can hunt for.

1. Hunting for High Outbound Connection Counts

A router acting as a proxy will maintain numerous simultaneous connections to various IP addresses that are not part of your organization's normal traffic patterns.

// KQL Query for Sentinel/Defender to detect suspicious outbound connection patterns from internal IPs
DeviceNetworkEvents
| where ActionType == "ConnectionAllowed"
| where RemotePort has_any (80, 443, 8080, 3128, 1080) // Common proxy ports
| summarize dcount(RemoteIP), make_set(RemoteIP) by DeviceId, bin(Timestamp, 5m)
| where dcount_RemoteIP > 50 // Threshold for high number of unique connections
| project Timestamp, DeviceId, UniqueRemoteIPCount = dcount_RemoteIP, SampleIPs = set_RemoteIP
| sort by UniqueRemoteIPCount desc

2. Checking for Suspicious Processes on Linux-Based Routers

If you have shell access (SSH) to your edge devices, you can inspect running processes. Many router botnets hide their processes with names resembling system binaries.

# Check for processes with high CPU usage or suspicious names
top -b -n 1 | grep -v "0.0%" | head -20

# Look for suspicious binaries in common execution paths
ls -la /tmp /var /proc/*/exe

3. Analyzing Firewall Logs for Data Exfiltration Indicators

You can use Python to parse firewall logs and identify internal devices that are acting as relays by checking for high volume traffic to distinct geographic locations or ASN ranges known for hosting bullet-proof hosting providers.

import pandas as pd

# Assume 'firewall_log.csv' contains columns: timestamp, src_ip, dst_ip, dst_port, bytes_sent
df = pd.read_csv('firewall_log.csv')

# Group by source IP and count unique destination IPs
suspect_devices = df.groupby('src_ip')['dst_ip'].nunique().reset_index(name='unique_dst_count')

# Filter for devices connecting to more than 100 unique external IPs in the timeframe
proxy_suspects = suspect_devices[suspect_devices['unique_dst_count'] > 100]

print(proxy_suspects)

4. PowerShell: Checking for Suspicious DNS Queries

If your internal DNS logs are accessible, you can hunt for domains associated with known C2 infrastructure or DGA (Domain Generation Algorithms).

# PowerShell script to find high frequency DNS requests to unique domains
Get-DnsServerCache -ComputerName "YourDNSServerIP" |
Where-Object { $_.TimeToLive -lt 300 } | 
Group-Object -Property Name | 
Where-Object { $_.Count -gt 10 } | 
Sort-Object -Property Count -Descending | 
Select-Object -First 20 Name, Count

Mitigation Strategies

Protecting your edge infrastructure requires a proactive approach. "Set it and forget it" is no longer a viable strategy for network hardware.

1. Immediate Firmware Updates: Check the manufacturer's website for the latest firmware for your specific router model. KadNap often exploits older vulnerabilities that have since been patched.

2. Disable Remote Management: Ensure that the web interface or SSH access is not reachable from the WAN side. Access to the administration panel should be restricted to LAN-only IPs or a VPN.

3. Enforce Strong Authentication: Change the default admin password immediately. Use a complex passphrase (16+ characters). Disable Telnet if it is enabled; use SSH only if necessary.

4. Network Segmentation: Isolate IoT devices and guest networks on a separate VLAN (Virtual Local Area Network). This prevents a compromised smart fridge or guest router from being used to pivot to critical corporate assets.

5. Outbound Traffic Filtering: Utilize your next-generation firewall to restrict outbound traffic from known non-work devices. If a printer shouldn't be talking to an IP in Eastern Europe on port 8080, block it.

The KadNap campaign is a stark reminder that the internet's backbone is built on vulnerable, under-managed hardware. By treating edge devices with the same rigor as servers and workstations, organizations can close this gap and stop being unwitting accomplices in global cybercrime.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub