⭐⭐⭐⭐ 4/5
KadNap Botnet: 14,000 Router Malware Highly Resistant to Takedowns
Key Highlights
- Scale: 14,000+ routers infected (up from 10,000 in August 2025)
- Primary Target: Asus routers, predominantly located in US
- Architecture: Peer-to-peer design based on Kademlia DHT for takedown resistance
- Method: Exploits unpatched vulnerabilities, no zero-days used
- Purpose: Proxy network for anonymous cybercrime traffic
Technical Innovation: KadNap uses Kademlia's distributed hash tables (DHT) to hide command-and-control servers, making traditional takedown methods ineffective. Each node only knows its immediate neighbors.
How KadNap Works
- Infection Vector: Exploits unpatched router vulnerabilities (primarily Asus)
- Network Structure: Kademlia-based P2P using 160-bit key space
- C2 Communication: Uses BitTorrent nodes to discover C2 addresses through DHT lookups
- Resilience: There is no central server to target; disrupting the network requires severing all connected nodes
- Defense: Black Lotus Labs developed method to block all traffic to/from C2 infrastructure
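To show why a Kademlia-style overlay has no single point to sever, here is a simplified, added simulation (not code from the page or from Black Lotus Labs, and not the actual KadNap protocol). It uses 160-bit SHA-1 node IDs, the XOR distance metric and k-bucket contacts as in the BitTorrent DHT, and runs an iterative FIND_NODE lookup for a constructed rendezvous key. It then removes the nodes that lookup returned, lets the surviving nodes refresh their contact tables, and repeats the lookup: the key is still reachable through the next-closest nodes. Node IDs, the rendezvous key and the network size are constructed for the example.

```python
import hashlib

KEY_BITS = 160   # Kademlia key space width (SHA-1 output), as in the BitTorrent DHT
ALPHA = 3        # lookups are parallelised over the ALPHA closest unqueried contacts


def node_id_from_seed(seed: bytes) -> int:
    """Derive a 160-bit node ID from a constructed seed (SHA-1 is exactly 160 bits)."""
    return int.from_bytes(hashlib.sha1(seed).digest(), "big")


def xor_distance(a: int, b: int) -> int:
    """Kademlia distance: XOR of the two IDs, compared as an unsigned integer."""
    return a ^ b


def bucket_index(self_id: int, other_id: int) -> int:
    """k-bucket an ID falls into relative to self: index of the highest differing bit."""
    d = xor_distance(self_id, other_id)
    return d.bit_length() - 1 if d else -1


def k_closest(target: int, node_ids, k: int):
    """The k IDs closest to target under XOR distance."""
    return sorted(node_ids, key=lambda n: xor_distance(n, target))[:k]


def build_routing(node_ids, k: int):
    """Give every node its k nearest neighbours plus one contact per non-empty k-bucket.
    This is the minimal table that lets an iterative lookup halve its distance each hop."""
    routing = {}
    for c in node_ids:
        others = [n for n in node_ids if n != c]
        contacts = set(k_closest(c, others, k))
        filled = {bucket_index(c, n) for n in contacts}
        for n in others:
            b = bucket_index(c, n)
            if b not in filled:
                filled.add(b)
                contacts.add(n)
        routing[c] = contacts
    return routing


def iterative_find(start: int, target: int, routing, k: int):
    """Simplified FIND_NODE: keep querying the closest unqueried contacts for their own
    contacts until the k closest known nodes have all been asked, then return them."""
    shortlist = set(routing[start]) | {start}
    queried = set()
    while True:
        pending = [n for n in k_closest(target, shortlist, k) if n not in queried]
        if not pending:
            break
        for n in pending[:ALPHA]:
            queried.add(n)
            shortlist.update(routing[n])   # the queried node answers with its contacts
    return k_closest(target, shortlist, k)


def takedown_demo(n: int = 64, k: int = 8):
    """Look up a rendezvous key, remove every node the lookup returned, rebuild the
    survivors' tables (Kademlia tables self-refresh) and look the key up again."""
    ids = [node_id_from_seed(f"node-{i}".encode()) for i in range(n)]   # constructed IDs
    target = node_id_from_seed(b"rendezvous-key")                       # constructed key
    routing = build_routing(ids, k)
    first = iterative_find(ids[0], target, routing, k)

    survivors = [i for i in ids if i not in set(first)]
    routing_after = build_routing(survivors, k)
    second = iterative_find(survivors[0], target, routing_after, k)
    return ids, survivors, target, first, second


if __name__ == "__main__":
    ids, survivors, target, first, second = takedown_demo()
    print("closest before takedown:", hex(first[0])[:12], "distance", xor_distance(first[0], target).bit_length(), "bits")
    print("closest after removing", len(first), "nodes:", hex(second[0])[:12],
          "distance", xor_distance(second[0], target).bit_length(), "bits")
```

The lookup converges because any node that is not yet the closest to the key always holds a contact in the k-bucket that contains the closest node, so each hop strictly shrinks the XOR distance. Removing the closest set only promotes the next-closest set, which is the property the summary describes: a defender gains nothing from seizing a handful of "important" peers and has to cut off every node, or block the traffic itself, as Black Lotus Labs did.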
Geographic Distribution
- United States: Majority of infected devices
- Other regions: Taiwan, Hong Kong, Russia
Why It Matters
This represents an evolution in botnet design: a sophisticated P2P architecture makes such networks extremely difficult to take down. Traditional methods of shutting down command servers do not work when there is no central command.