Security researchers at Lumen’s Black Lotus Labs revealed KadNap, a takedown-resistant botnet that co-opts routers and other network devices into a distributed proxy network used to route traffic for cybercrime.
KadNap spreads by exploiting publicly disclosed vulnerabilities for which fixes already exist but have not been applied by device owners; the researchers found no evidence that the operation uses any zero-day exploit. Exposure is therefore a patching and attack-surface problem on the victim side, not a novel capability on the attacker side.
The botnet has grown to roughly 14,000 infections per day, up from about 10,000 last August, with compromised devices concentrated in the United States and smaller clusters in Taiwan, Hong Kong, and Russia.
A core feature is its peer-to-peer design built on the Kademlia distributed hash table. In a Kademlia overlay every node holds a small routing table of peers, organized by the XOR distance between node IDs, and can locate any other node by iteratively asking the peers it knows that are closest to the target. Any bot can therefore help locate others, and no bot needs a fixed address for the operators' command-and-control servers, which keeps those IP addresses out of sight. With no central rendezvous point to seize or sinkhole, takedowns and other centralized disruption become difficult for defenders.
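To make concrete why such an overlay offers nothing central to seize, here is an added example, written for this page rather than taken from Black Lotus Labs' research or KadNap's own code (whose message formats and ID scheme are not described here). It simulates a Kademlia-style overlay in Python: 160-bit IDs, XOR distance, k-buckets with K=20 as in the Kademlia paper, and an iterative FIND_NODE lookup. The network size, the derivation of IDs from a seed string, and the pre-populated routing tables are assumptions of the simulation. The lookup only ever talks to peers, and it still reaches its target after a random fifth of the overlay is taken offline.

```python
import hashlib
import random

ID_BITS = 160   # Kademlia node IDs are 160 bits wide (SHA-1 sized) in the original design
K = 20          # bucket size and the number of peers a FIND_NODE reply carries
ALPHA = 3       # lookup parallelism; the three queries per round run sequentially here


def node_id(seed: str) -> int:
    """Derive a 160-bit ID from a seed string (assumption: real bots pick IDs differently)."""
    return int.from_bytes(hashlib.sha1(seed.encode()).digest(), "big")


def xor_distance(a: int, b: int) -> int:
    """Kademlia's metric: XOR of two IDs, compared as an unsigned integer."""
    return a ^ b


def bucket_index(own_id: int, other_id: int) -> int:
    """Which k-bucket holds other_id: the highest bit position at which the IDs differ."""
    return xor_distance(own_id, other_id).bit_length() - 1


class Node:
    def __init__(self, seed: str):
        self.id = node_id(seed)
        self.buckets = [[] for _ in range(ID_BITS)]
        self.alive = True

    def add_peer(self, peer_id: int) -> None:
        if peer_id == self.id:
            return
        bucket = self.buckets[bucket_index(self.id, peer_id)]
        if peer_id in bucket:          # already known: move to the tail (most recently seen)
            bucket.remove(peer_id)
            bucket.append(peer_id)
        elif len(bucket) < K:
            bucket.append(peer_id)
        # A full bucket keeps its long-lived peers; real Kademlia pings the oldest before evicting.

    def closest(self, target: int, n: int = K) -> list:
        """FIND_NODE handler: the n peers this node knows that are closest to target."""
        known = [p for bucket in self.buckets for p in bucket]
        return sorted(known, key=lambda p: xor_distance(p, target))[:n]


class Network:
    """In-memory overlay: the only directory of peers is the peers' own routing tables."""

    def __init__(self, n_nodes: int, seed: int = 1):
        self.rng = random.Random(seed)
        self.nodes = {}
        for i in range(n_nodes):
            node = Node(f"peer-{i}")          # constructed seeds, one per simulated bot
            self.nodes[node.id] = node
        ids = list(self.nodes)
        for node in self.nodes.values():      # pre-populate tables as a long-lived overlay would
            self.rng.shuffle(ids)
            for peer in ids:
                node.add_peer(peer)

    def kill(self, fraction: float, keep: set) -> int:
        """Take a random fraction of peers offline (a takedown or cleanup), sparing `keep`."""
        victims = [n for n in self.nodes.values() if n.id not in keep]
        self.rng.shuffle(victims)
        count = int(len(self.nodes) * fraction)
        for node in victims[:count]:
            node.alive = False
        return count

    def find_node_rpc(self, peer_id: int, target: int):
        node = self.nodes[peer_id]
        return node.closest(target) if node.alive else None   # None models a timeout

    def lookup(self, start_id: int, target: int):
        """Iterative FIND_NODE from start_id: (K closest live peers found, peers queried)."""
        start = self.nodes[start_id]
        known, queried, dead = set(start.closest(target)), set(), set()
        while True:
            shortlist = sorted(known - dead, key=lambda p: xor_distance(p, target))[:K]
            batch = [p for p in shortlist if p not in queried][:ALPHA]
            if not batch:                     # every peer in the K closest has answered
                break
            for peer in batch:
                queried.add(peer)
                reply = self.find_node_rpc(peer, target)
                if reply is None:
                    dead.add(peer)            # non-responder: drop it and keep converging
                    continue
                known.update(reply)
                known.discard(start_id)
                start.add_peer(peer)          # the requester learns from each successful exchange
        return sorted(known - dead, key=lambda p: xor_distance(p, target))[:K], len(queried)


def demo(n_nodes: int = 400, dead_fraction: float = 0.2) -> dict:
    """Locate one peer from another before and after a fifth of the overlay disappears."""
    net = Network(n_nodes)
    ids = sorted(net.nodes)
    start, target = ids[0], ids[-1]
    before, asked_before = net.lookup(start, target)
    net.kill(dead_fraction, keep={start, target})
    after, asked_after = net.lookup(start, target)
    return {"found_before": before[0] == target, "queried_before": asked_before,
            "found_after": after[0] == target, "queried_after": asked_after,
            "network_size": n_nodes}


if __name__ == "__main__":
    print(demo())
```

The lookup converges because every peer a node returns from the bucket matching the target shares at least one more leading bit with the target than the node itself does, so each round strictly shrinks the XOR distance. Taking a defender's view, the only way to break such a lookup is to remove or poison enough of the peers near the target to empty those buckets, which is why the page's suggested remedy is patching and cleaning individual devices rather than seizing infrastructure.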
KadNap's operators appear to be optimizing for resilience and anonymity, reusing the same Kademlia-derived DHT design that underpins BitTorrent's Mainline DHT and IPFS. The researchers are sharing indicators of compromise publicly and urge device owners to apply firmware updates, disable remote management that is not needed, and consider a factory reset if an infection is suspected. A reset on its own is not enough: it restores default settings and credentials but does not close the unpatched vulnerability that let the device be compromised, so it should be followed immediately by installing the latest firmware and setting new administrator credentials.