14,000 ASUS Routers Infected: KadNap Botnet Creates Nearly Untouchable Malware Network

A new malware campaign has compromised more than 14,000 ASUS routers, creating a resilient botnet that security researchers say is unusually difficult to dismantle.In this episode of IT SPARC Cast – CVE of the Week, John Barger and Lou Schmidt examine the KadNap router malware, which targets unpatched ASUS routers and installs a persistent backdoor designed to survive typical remediation efforts.The malware was identified by researchers at Lumen’s Black Lotus Labs, who discovered that infected routers are being used as part of a botnet capable of proxying internet traffic and enabling other malicious activities.Unlike many botnets that rely on centralized command servers, KadNap uses peer-to-peer control mechanisms similar to BitTorrent, making it significantly harder for security teams to disrupt.⸻🔎 What the KadNap Router Malware DoesThe malware exploits vulnerabilities in ASUS routers that have not been patched or configured securely.Once installed, KadNap:•Creates a persistent backdoor on the router•Survives reboots and firmware updates•Enables remote control of the router•Connects the device to a distributed botnet network•Routes malicious traffic through compromised residential internet connectionsResearchers also discovered the infected routers are being used by a fee-based proxy service called Doppelganger, allowing customers to route their internet traffic through unsuspecting victims’ home networks.⸻⚠ Why This Is DangerousBecause the traffic originates from compromised home routers, victims could unknowingly appear responsible for malicious activity such as:•Network attacks•Surveillance operations•Illegal browsing activity•Staging points for additional cyber intrusionsThis makes detection and attribution far more difficult.⸻🏢 Enterprise IT RiskThis vulnerability is not limited to home users.ASUS also produces small-business routers, meaning organizations or small offices using these devices could be exposed.IT professionals should also remember that compromised routers can provide attackers with a network foothold for lateral movement, especially if IoT or remote-user networks are poorly segmented.⸻🛠 How to Detect and Remove KadNapSecurity experts recommend checking routers for signs of compromise:Look for:•SSH enabled unexpectedly•Remote administration enabled•Unknown certificates or scheduled tasks•Suspicious entries in device logsBecause the malware attaches to configuration files, simply rebooting or restoring a configuration backup will not remove it.The proper remediation process:1.Perform a full factory reset2.Update the router firmware immediately3.Manually reconfigure the router (do not restore backups)Experts also recommend changing default internal network ranges, such as moving away from the common 192.168.1.x subnet.⸻🔗 Source Articlehttps://arstechnica.com/security/2026/03/14000-routers-are-infected-by-malware-thats-highly-resistant-to-takedowns/⸻🔗 Connect With UsIT SPARC Cast@ITSPARCCast on Xhttps://www.linkedin.com/company/sparc-sales/ on LinkedInJohn Barger@john_Video on Xhttps://www.linkedin.com/in/johnbarger/ on LinkedInLou Schmidt@loudoggeek on Xhttps://www.linkedin.com/in/louis-schmidt-b102446/ on LinkedIn Hosted on Acast. See acast.com/privacy for more information.