A new malware campaign has compromised more than 14,000 ASUS routers, creating a resilient botnet that security researchers say is unusually difficult to dismantle.
In this episode of IT SPARC Cast – CVE of the Week, John Barger and Lou Schmidt examine the KadNap router malware, which targets unpatched ASUS routers and installs a persistent backdoor designed to survive typical remediation efforts.
The malware was identified by researchers at Lumen’s Black Lotus Labs, who discovered that infected routers are being used as part of a botnet capable of proxying internet traffic and enabling other malicious activities.
Unlike many botnets that rely on centralized command servers, KadNap uses peer-to-peer control mechanisms similar to BitTorrent, making it significantly harder for security teams to disrupt.
⸻
🔎 What the KadNap Router Malware Does
The malware exploits vulnerabilities in ASUS routers that have not been patched or configured securely.
Once installed, KadNap:
• Creates a persistent backdoor on the router
• Survives reboots and firmware updates
• Enables remote control of the router
• Connects the device to a distributed botnet network
• Routes malicious traffic through compromised residential internet connections
Researchers also discovered the infected routers are being used by a fee-based proxy service called Doppelganger, allowing customers to route their internet traffic through unsuspecting victims’ home networks.
⸻
⚠ Why This Is Dangerous
Because the traffic originates from compromised home routers, victims could unknowingly appear responsible for malicious activity such as:
• Network attacks
• Surveillance operations
• Illegal browsing activity
• Staging points for additional cyber intrusions
This makes detection and attribution far more difficult.
⸻
🏢 Enterprise IT Risk
This vulnerability is not limited to home users.
ASUS also produces small-business routers, meaning organizations or small offices using these devices could be exposed.
IT professionals should also remember that compromised routers can provide attackers with a network foothold for lateral movement, especially if IoT or remote-user networks are poorly segmented.
⸻
🛠 How to Detect and Remove KadNap
Security experts recommend checking routers for the following signs of compromise:
• SSH enabled unexpectedly
• Remote administration enabled
• Unknown certificates or scheduled tasks
• Suspicious entries in device logs
Because the malware attaches to configuration files, simply rebooting or restoring a configuration backup will not remove it.
The proper remediation process:
1. Perform a full factory reset
2. Update the router firmware immediately
3. Manually reconfigure the router (do not restore backups)
Experts also recommend changing default internal network ranges, such as moving away from the common 192.168.1.x subnet.
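As an added example (not from the episode or from Black Lotus Labs), here is a small Python audit that runs the checklist above against a router configuration dump. The key names (ssh_enable, remote_admin, lan_subnet), the key=value dump format and the sample tasks are hypothetical stand-ins; adapt them to what your firmware actually exports.

```python
"""Flag the compromise indicators listed in the show notes in a config dump.

Added example. Key names and dump format are hypothetical; real ASUS
firmware exposes its settings under different names.
"""

# Settings whose value "1" matches an indicator from the checklist.
RISKY_FLAGS = {
    "ssh_enable": "SSH enabled unexpectedly",
    "remote_admin": "Remote administration (WAN access) enabled",
}

# Scheduled tasks the operator knows they configured (baseline allowlist).
KNOWN_TASKS = {"0 3 * * * /sbin/backup_nvram"}


def parse_dump(text):
    """Parse 'key=value' lines into a dict; skip blanks and '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(settings, tasks, expected_tasks=KNOWN_TASKS):
    """Return a list of human-readable findings for the checklist items."""
    findings = [r for k, r in RISKY_FLAGS.items() if settings.get(k) == "1"]
    # Any scheduled task not in the operator's baseline is worth a look.
    findings += [f"Unknown scheduled task: {t}" for t in tasks if t not in expected_tasks]
    # The episode recommends moving off the default 192.168.1.x range.
    if settings.get("lan_subnet", "").startswith("192.168.1."):
        findings.append("LAN still on default 192.168.1.x range; consider changing it")
    return findings


# Constructed sample input, not real device output.
SAMPLE_DUMP = """\
# hypothetical nvram-style dump
ssh_enable=1
remote_admin=1
lan_subnet=192.168.1.1
"""
SAMPLE_TASKS = ["0 3 * * * /sbin/backup_nvram", "*/5 * * * * /tmp/.unknown_job"]

if __name__ == "__main__":
    for finding in audit(parse_dump(SAMPLE_DUMP), SAMPLE_TASKS):
        print("FINDING:", finding)
```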
⸻
🔗 Source Article
https://arstechnica.com/security/2026/03/14000-routers-are-infected-by-malware-thats-highly-resistant-to-takedowns/
⸻
🔗 Connect With Us
IT SPARC Cast
@ITSPARCCast on X
https://www.linkedin.com/company/sparc-sales/ on LinkedIn
John Barger
@john_Video on X
https://www.linkedin.com/in/johnbarger/ on LinkedIn
Lou Schmidt
@loudoggeek on X
https://www.linkedin.com/in/louis-schmidt-b102446/ on LinkedIn
Hosted on Acast. See acast.com/privacy for more information.
By John Barger