Malware hijacks more than 14,000 devices in stealth botnet, researchers say

More than 14,000 internet-connected devices around the world have been covertly hijacked as part of a sophisticated cybercriminal network that is proving especially difficult to disrupt, according to security researchers. The malware, known as KadNap, has primarily targeted Asus routers, turning them into part of a botnet used to channel malicious traffic and support large-scale online attacks. Researchers at cybersecurity firm Lumen’s Black Lotus Labs said the network has been under observation since August 2025 and has now grown into a sizeable and resilient operation.

A botnet is formed when hackers compromise connected devices — such as routers and other smart hardware — and quietly link them together so they can be controlled remotely. These networks are often used in distributed denial-of-service, or DDoS, attacks, in which enormous volumes of traffic are directed at websites or services in an attempt to overwhelm them and force them offline.

What makes KadNap particularly notable, researchers said, is its decentralised design. Rather than relying on a single command server that could be identified and shut down, the malware uses a customised peer-to-peer system based on the Kademlia distributed hash table protocol. According to Lumen, that structure helps conceal the botnet’s control infrastructure and allows it to blend more easily into ordinary network traffic, making detection and disruption far more difficult.

Lumen said more than 60 per cent of known infections are in the United States, though affected devices have also been identified in the UK, Brazil, Australia, Russia, Hong Kong, Taiwan and across parts of Europe. The researchers added that the infected routers are being sold through a malicious proxy service known as Doppelganger, which appears to be linked to earlier criminal infrastructure. For many household users, an infected router may show few obvious signs of compromise beyond occasional slower internet performance. That is one reason such attacks can persist unnoticed. By routing harmful traffic through residential devices, attackers can also make malicious activity appear as though it is coming from ordinary home internet users, allowing them to bypass some conventional security filters.

Lumen said it has blocked traffic to and from identified control infrastructure and plans to publish indicators of compromise to help other defenders detect the threat. Even so, the botnet’s decentralised architecture means it is likely to remain a significant challenge for law enforcement and cybersecurity teams trying to dismantle it.
