Medium Vulnerability

KadNap Malware Infects 14,000+ Edge Devices to Power

A newly discovered botnet malware called KadNap is targeting ASUS routers and other edge networking devices to turn them into proxies for malicious traffic. [...]

What Happened

Security researchers have identified a new botnet, dubbed KadNap, which has infected over 14,000 edge networking devices, primarily ASUS routers. The malware compromises these devices to forcibly enroll them into a large-scale, stealth proxy network. This botnet acts as an intermediary layer, routing malicious traffic for cybercriminal operations while obscuring the true origin of attacks. The campaign is ongoing, with the botnet’s infrastructure actively recruiting new devices.

Why It Matters

This incident highlights the critical yet often overlooked security risks inherent in edge devices like consumer and small office/home office (SOHO) routers. These devices form the perimeter of many networks but are frequently under-secured, rarely patched, and lack robust monitoring. By co-opting them, threat actors gain a distributed, resilient, and difficult-to-trace network for activities such as credential stuffing, ad fraud, data exfiltration, or launching distributed denial-of-service (DDoS) attacks. For organizations, traffic originating from these hijacked residential IPs can bypass geo-blocking and some reputation-based security filters.

Technical Details

KadNap malware targets edge devices, exploiting weak or default administrative credentials rather than a specific software vulnerability. Initial infection vectors likely involve automated scans for devices with exposed management interfaces (e.g., Telnet, SSH, or web admin panels) followed by brute-force or credential-stuffing attacks. Once compromised, the malware establishes persistence and connects to a command-and-control (C2) server. The primary payload reconfigures the device to act as a proxy, often a SOCKS5 proxy, silently forwarding traffic on behalf of the botnet operators. The use of ASUS routers suggests the attackers may be targeting specific firmware versions or models with known configuration weaknesses.

Immediate Risk

The immediate risk is MEDIUM. While the malware itself does not directly steal data from the infected device’s local network, it poses significant indirect threats. The compromised device becomes an unwitting participant in criminal activity, which could lead to its IP address being blacklisted, disrupting legitimate services for the device owner. Furthermore, the proxy network lowers the barrier for other attacks, making attribution harder and expanding the overall threat landscape. Organizations should be aware that attack traffic may now originate from seemingly legitimate residential IP ranges.

Security Insight

This campaign underscores the necessity of extending security hygiene to all network assets, including edge devices. Security teams, especially those managing remote workforces or branch offices, should enforce policies for SOHO equipment. Critical actions include changing default credentials, disabling remote management features unless absolutely necessary, and ensuring routers run the latest firmware. Network monitoring should watch for unexpected outbound proxy traffic (e.g., unusual SOCKS5 connections) from any endpoint, as this can be an indicator of a compromised device acting as a botnet node.
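As an added illustration of the monitoring advice above (example code written for this page, not from the article or any vendor), the following detector flags SOCKS5 client greetings in captured flows on any TCP port, since a hijacked router acting as a proxy will not necessarily listen on 1080. The `Flow` record and all sample flows are constructed for the example.

```python
"""Flag SOCKS5 client greetings (RFC 1928) in captured flows, on any port.

Constructed example for this advisory: a compromised edge device turned
into a SOCKS5 proxy answers the greeting (version 0x05, method count,
method list) on whatever port the operators chose, so matching the first
client bytes is more robust than watching port 1080 alone.
"""
from dataclasses import dataclass

# RFC 1928 client-offered auth methods: 0x00-0x03 assigned, 0x80-0xFE private.
VALID_METHODS = {0x00, 0x01, 0x02, 0x03} | set(range(0x80, 0xFF))


@dataclass
class Flow:
    flow_id: str
    src: str
    dst: str
    dport: int
    first_client_bytes: bytes  # first payload bytes from the initiator


def parse_socks5_greeting(payload: bytes):
    """Return the offered auth methods if payload is a complete SOCKS5
    greeting, else None. A payload whose length does not match the
    declared method count is rejected: it may be an unrelated protocol
    that happens to start with 0x05, or a fragment we cannot judge."""
    if len(payload) < 3 or payload[0] != 0x05:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) != 2 + nmethods:
        return None
    methods = list(payload[2:])
    if any(m not in VALID_METHODS for m in methods):
        return None
    return methods


def flag_socks5_flows(flows):
    """Return (flow_id, src, dst, dport, methods) for each SOCKS5 hit."""
    hits = []
    for f in flows:
        methods = parse_socks5_greeting(f.first_client_bytes)
        if methods is not None:
            hits.append((f.flow_id, f.src, f.dst, f.dport, methods))
    return hits


# Constructed sample flows: a plain HTTP request, a SOCKS5 greeting to a
# router on a non-standard port, and a near-miss that only starts with 0x05.
SAMPLE_FLOWS = [
    Flow("f1", "198.51.100.7", "192.0.2.10", 80, b"GET / HTTP/1.1\r\n"),
    Flow("f2", "198.51.100.7", "192.0.2.10", 8443, b"\x05\x02\x00\x02"),
    Flow("f3", "198.51.100.9", "192.0.2.10", 8443, b"\x05\x09ab"),
]

if __name__ == "__main__":
    for hit in flag_socks5_flows(SAMPLE_FLOWS):
        print("SOCKS5 greeting:", hit)
```

In practice the `first_client_bytes` field would be populated from a packet capture or a sensor that records initial payload bytes per connection; a hit from a router's address to an arbitrary destination is the indicator the advisory describes.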
