Most people understand, at least in the abstract, that a hacked router is a bad thing. What they picture is disruption — slow internet, outages, something they’d notice. The KadNap botnet works differently. Once installed on your ASUS router, it does almost nothing visible. Your internet works. Your speeds are fine. Your devices connect normally.

What changes is that strangers are now routing their traffic through your home internet connection. Credential-stuffing attacks against banking sites. Fraud operations hiding their origin. Blocklist evasion. All of it appearing, from the outside, to come from your IP address.

Lumen Technologies’ Black Lotus Lab disclosed KadNap in March 2026 after tracking the botnet since its initial growth phase in mid-2025. By the time of disclosure, it had infected at least 14,000 devices, with ASUS routers making up nearly half of the network. The campaign is still active.

What KadNap Does — And Why You Won’t Notice

KadNap is not a DDoS botnet. It doesn’t flood targets with traffic or saturate your bandwidth in ways that would trigger complaints to your ISP. It’s a residential proxy network — a service that lets paying customers route internet traffic through infected home devices to disguise where their requests are really coming from.

The criminal economy around residential proxies exists because IP addresses from home ISPs are trusted. When a fraud detection system sees a login attempt from a datacenter IP, it’s suspicious. When it sees the same attempt from a Comcast residential address in suburban Ohio, it’s much less likely to flag it. A botnet of 14,000 home routers represents 14,000 trusted-looking IP addresses that can be rented out to anyone willing to pay.

The proxy service associated with KadNap is called Doppelganger, believed to be a rebrand of the Faceless service that was previously linked to TheMoon malware — another botnet that specifically targeted ASUS routers. The rebranding is consistent with a pattern of cybercrime services cycling through names after law enforcement attention while maintaining the same underlying infrastructure.

From your perspective as the router’s owner, the infection is nearly invisible. KadNap doesn’t install ransomware, steal passwords stored on the router, or redirect your DNS to phishing sites. It quietly runs a proxy service, and the traffic it handles is small enough not to noticeably affect your internet experience. The only signal most users would ever observe is slightly elevated bandwidth usage — easily dismissed as a streaming device or automatic update.

The Technical Architecture: Why KadNap Is Hard to Kill

Most botnets rely on centralized command-and-control infrastructure — servers that send instructions to infected devices. Disrupting those servers disrupts the botnet. Law enforcement and security firms have gotten good at identifying and seizing these servers, which is why many botnet operators have moved to more resilient architectures.

KadNap uses a custom implementation of the Kademlia Distributed Hash Table protocol — the same underlying technology that powers peer-to-peer file sharing networks — to locate both other botnet nodes and its C2 infrastructure. In a Kademlia-based network, there is no single server to take down. The network’s routing information is distributed across all participating nodes. To find the C2, a new infected device queries other infected devices, which query others, until the path is assembled.

This architecture means that blocking any individual server — or even a large collection of servers — doesn’t kill the botnet. The infected devices can reconstruct routing paths around removed nodes as long as enough of the network remains intact.

Lumen Technologies took the step of blocking all network traffic to and from KadNap’s control infrastructure on their own network and released indicators of compromise for others to use. But “disruption on Lumen’s network” is not the same as disruption globally. Devices on other ISPs, using infrastructure not covered by Lumen’s blocking, remain reachable by the botnet operators.

Who Is Targeted and Where

Nearly 60% of KadNap infections are in the United States, with additional concentrations in Taiwan, Hong Kong, and Russia. The heavy US concentration reflects both the size of the US residential broadband market and the commercial value of US IP addresses to fraud operations — US-origin traffic is trusted by US financial institutions, e-commerce platforms, and account services.

The device composition reflects ASUS’s popularity in the home networking market. ASUS routers account for close to half of observed KadNap infections; the remainder consists of other edge devices running Linux-based firmware with accessible management interfaces.

The botnet has been growing since August 2025. By March 2026, the 14,000-device count represents a steady accumulation of compromised devices — not a sudden spike. KadNap operators are not running a noisy mass-exploitation campaign. They’re systematically finding vulnerable ASUS routers, infecting them quietly, and adding them to a proxy inventory that generates ongoing revenue.

What Criminal Customers Do With KadNap Proxies

Residential proxy services are not inherently illegal. Legitimate providers exist that contract with users to route traffic through their connections in exchange for payment. The distinction is consent — legitimate services involve the device owner knowingly participating.

KadNap proxies are rented without the owner’s knowledge or consent. The traffic being routed through infected routers includes:

Credential stuffing. Attackers who have obtained lists of leaked username-password combinations test them against banking, email, streaming, and e-commerce sites to find accounts where the same credentials were reused. Routing these attempts through residential IPs reduces the likelihood of triggering rate limits or IP-based fraud detection.

Account takeover fraud. Once valid credentials are confirmed through stuffing, the accounts can be accessed, drained, or sold. Residential proxy routing makes the initial access look like a legitimate login from the account holder’s geographic area.

Ad fraud and click manipulation. Automated traffic that mimics legitimate human browsing is more convincing when it originates from residential IPs. Proxy networks built from home routers are used to generate fraudulent ad impressions and clicks.

Blocklist evasion. Operators of spam campaigns, fraud infrastructure, and other malicious services use residential proxies to route traffic around IP blocklists, since individual home IPs are rarely pre-blocked.

The criminal customers renting KadNap proxies through Doppelganger are not targeting you specifically. Your router is just a useful node in an infrastructure that exists to serve other operations. The harm you suffer is indirect — your IP address potentially appearing in fraud logs, abuse reports, or law enforcement databases associated with activities you didn’t perform.

How to Check and Clean Your Router

Check for unexpected outbound connections. ASUS routers running stock firmware have a traffic monitoring feature in the management interface (Traffic Manager > Traffic Monitor). Unusual sustained outbound connections, particularly to unfamiliar IP ranges, can indicate proxy activity.

Check your firmware version and update. Log into your ASUS router at router.asus.com or 192.168.1.1 and check your firmware version under Administration > Firmware Upgrade. Apply the latest available firmware for your model.

Factory reset before firmware update. Because KadNap achieves persistence through methods that may survive a simple firmware update, a factory reset followed by a fresh firmware installation is the more reliable remediation path. After resetting, do not restore settings from a backup without first verifying the backup file is clean — restoring an infected configuration file can reintroduce the malware.

Disable remote management. ASUS routers should not have their management interface exposed directly to the internet unless you specifically need remote access. Check Administration > System > Enable Web Access from WAN and disable it if enabled.

Check for end-of-life status. ASUS publishes a list of products that are no longer receiving firmware security updates. If your router model appears on that list, no firmware update will protect it — it will remain vulnerable to known exploits indefinitely. Replacement is the appropriate response.

Monitor your IP address reputation. Services like MXToolbox’s blacklist check or AbuseIPDB allow you to query whether your public IP address has been flagged for suspicious activity. If your IP is appearing in abuse databases for activity you didn’t generate, proxy traffic from an infected device on your network is one possible explanation.

The Larger Pattern

KadNap is the second major botnet campaign specifically targeting ASUS routers to emerge in 2026, following the RondoDox campaign that began exploiting CVE-2018-5999 in May. The pattern is not coincidence — ASUS routers are extremely common in US homes, they have a long product lifespan that results in large populations of aging, under-patched devices in service, and they run Linux-based firmware that is well-understood by botnet developers.

The residential proxy economy that makes KadNap commercially viable is a direct product of the trust asymmetry between datacenter and residential IP addresses. That asymmetry will persist as long as fraud detection systems treat residential IPs as inherently more legitimate — which they will, because in most cases they are. Botnets like KadNap exploit the exception.

The solution at the device level is the same as it always is: current firmware, disabled remote management, end-of-life hardware replaced. The solution at the ecosystem level requires manufacturers to ship hardware with meaningful security lifespans and update mechanisms that work without user intervention. Neither of those things is fully in place. In the gap between where the industry is and where it needs to be, 14,000 routers and counting are renting out their owners’ internet connections to strangers.