A new malware campaign has compromised more than 14,000 ASUS routers, creating a resilient botnet that security researchers say is unusually difficult to dismantle.
In this episode of IT SPARC Cast – CVE of the Week, John Barger and Lou Schmidt examine the KadNap router malware, which targets unpatched ASUS routers and installs a persistent backdoor designed to survive typical remediation efforts.
The malware was identified by researchers at Lumen’s Black Lotus Labs, who discovered that infected routers are being used as part of a botnet capable of proxying internet traffic and enabling other malicious activities.
Unlike many botnets that rely on centralized command servers, KadNap uses peer-to-peer control mechanisms similar to BitTorrent, making it significantly harder for security teams to disrupt.
⸻
🔎 What the KadNap Router Malware Does
The malware exploits vulnerabilities in ASUS routers that have not been patched or configured securely.
Once installed, KadNap:
\t•\tCreates a persistent backdoor on the router
\t•\tSurvives reboots and firmware updates
\t•\tEnables remote control of the router
\t•\tConnects the device to a distributed botnet network
\t•\tRoutes malicious traffic through compromised residential internet connections
Researchers also discovered the infected routers are being used by a fee-based proxy service called Doppelganger, allowing customers to route their internet traffic through unsuspecting victims’ home networks.
⸻
⚠ Why This Is Dangerous
Because the traffic originates from compromised home routers, victims could unknowingly appear responsible for malicious activity such as:
\t•\tNetwork attacks
\t•\tSurveillance operations
\t•\tIllegal browsing activity
\t•\tStaging points for additional cyber intrusions
This makes detection and attribution far more difficult.
⸻
🏢 Enterprise IT Risk
This vulnerability is not limited to home users.
ASUS also produces small-business routers, meaning organizations or small offices using these devices could be exposed.
IT professionals should also remember that compromised routers can provide attackers with a network foothold for lateral movement, especially if IoT or remote-user networks are poorly segmented.
⸻
🛠 How to Detect and Remove KadNap
Security experts recommend checking routers for signs of compromise:
Look for:
\t•\tSSH enabled unexpectedly
\t•\tRemote administration enabled
\t•\tUnknown certificates or scheduled tasks
\t•\tSuspicious entries in device logs
Because the malware attaches to configuration files, simply rebooting or restoring a configuration backup will not remove it.
The proper remediation process:
\t1.\tPerform a full factory reset
\t2.\tUpdate the router firmware immediately
\t3.\tManually reconfigure the router (do not restore backups)
Experts also recommend changing default internal network ranges, such as moving away from the common 192.168.1.x subnet.
⸻
🔗 Source Article
https://arstechnica.com/security/2026/03/14000-routers-are-infected-by-malware-thats-highly-resistant-to-takedowns/
⸻
🔗 Connect With Us
IT SPARC Cast
@ITSPARCCast on X
https://www.linkedin.com/company/sparc-sales/ on LinkedIn
John Barger
@john_Video on X
https://www.linkedin.com/in/johnbarger/ on LinkedIn
Lou Schmidt
@loudoggeek on X
https://www.linkedin.com/in/louis-schmidt-b102446/ on LinkedIn
","author_name":"John Barger"}