If you have an Asus router on your home network, it may have been targeted by a sophisticated form of malware capable of adding devices to a botnet and using them for criminal activity. Researchers at Lumen’s Black Lotus Labs identified this threat—dubbed KadNap—in August 2025 and estimate that more than 14,000 devices have been infected.
How KadNap compromises home networks
As Ars Technica reports, KadNap exploits unpatched vulnerabilities in connected devices, most of which are Asus routers. Infected devices are added to a proxy network that can hide malicious traffic. In this case, they are carrying traffic for a service called Doppelganger, which allows users to browse anonymously and engage in brute-force attacks and targeted exploitation.
KadNap is particularly difficult to detect because its protocol conceals the IP addresses of hackers’ command-and-control (C2) servers, allowing it to evade traditional monitoring. The design also makes it highly scalable and resistant to takedown.
An estimated 60% of affected devices are located in the United States. Taiwan, Hong Kong, and Russia each account for another 5%, with the remainder spread across numerous other countries around the world.
Check your router for malicious activity
If you think your router may be infected with KadNap, compare the IP address and file hash in your device log with those in Black Lotus Labs’ list of indicators of compromise (IOCs). You’ll need to do a factory reset, because rebooting will run a shell script rather than remove the malware.
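One way to do that comparison, as an added example that is not part of the original article or any Black Lotus Labs tooling: it assumes you have exported the router's system log as text and copied the published indicators into the two sets. The addresses, hash, and log lines below are constructed placeholders, not real KadNap indicators.

```python
import hashlib
import ipaddress
import re

# Placeholders: replace with values from the published IOC list.
# Constructed here from documentation-range addresses and sample bytes.
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_SHA256 = {hashlib.sha256(b"constructed-sample-payload").hexdigest()}

# Match whole dotted quads only, so 198.51.100.70 is not read as 198.51.100.7.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def extract_ips(line):
    """Return the set of valid IPv4 addresses that appear in a log line."""
    found = set()
    for candidate in IPV4_RE.findall(line):
        try:
            found.add(str(ipaddress.IPv4Address(candidate)))
        except ipaddress.AddressValueError:
            continue  # out-of-range octets, e.g. 999.1.1.1
    return found

def match_log(lines, ioc_ips=IOC_IPS):
    """Return (line_number, ip, line) for every log line naming an IOC address."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for ip in sorted(extract_ips(line) & set(ioc_ips)):
            hits.append((number, ip, line.strip()))
    return hits

def sha256_matches(data, ioc_hashes=IOC_SHA256):
    """Hash file contents and compare case-insensitively with the IOC hashes."""
    digest = hashlib.sha256(data).hexdigest()
    return digest in {h.strip().lower() for h in ioc_hashes}

# Constructed sample log lines (not from a real device).
SAMPLE_LOG = """\
Mar 11 02:14:07 kernel: ACCEPT IN=br0 SRC=192.168.1.20 DST=203.0.113.45 PROTO=TCP DPT=443
Mar 11 02:14:09 kernel: ACCEPT IN=br0 SRC=192.168.1.20 DST=203.0.113.4 PROTO=TCP DPT=443
Mar 11 02:15:30 dnsmasq[412]: reply example.test is 198.51.100.70
Mar 11 02:16:02 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.168.1.1 PROTO=TCP DPT=22
""".splitlines()

if __name__ == "__main__":
    for number, ip, line in match_log(SAMPLE_LOG):
        print(f"line {number}: IOC address {ip}: {line}")
```

A match is a reason to investigate further, and no match does not prove the device is clean, since the log may not cover the relevant period.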
You could also run IP Check, a tool from threat monitoring firm Greynoise that can help determine if your router is potentially being used for malicious purposes (the KadNap botnet or otherwise). If your IP is flagged as suspicious, you’ll be able to see recent scanning activity to investigate further.
When it comes to network security, prevention is good protection. Update your network name and administrative password from your router’s defaults (which are easy to discover). Consider disabling remote access controls, which prevents threat actors from changing settings without your knowledge, and log out of your admin account when it’s not in use. Finally, keep your router’s firmware up to date to ensure vulnerabilities are patched quickly.











