{
	"id": "1d248cf5-ae8a-40a8-a343-7e5353fdcfe3",
	"created_at": "2026-04-06T00:16:07.064544Z",
	"updated_at": "2026-04-10T13:12:05.679705Z",
	"deleted_at": null,
	"sha1_hash": "2d1005b7047f695671ffeeed7d33b5921a707265",
	"title": "Silence of the hops:The KadNap botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 76372,
	"plain_text": "Silence of the hops: The KadNap botnet\r\nBy Black Lotus Labs\r\nArchived: 2026-04-05 14:46:02 UTC\r\nPublished on Mar 10, 2026 | 16 minute read\r\nThe Black Lotus Labs team at Lumen has discovered a sophisticated new malware named “KadNap.” This threat\r\nprimarily targets Asus routers, conscripting them into a botnet that proxies malicious traffic. Since August 2025,\r\nwe have been monitoring the growth of this network, which is now above 14,000 infected devices.\r\nKadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to\r\nconceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring.\r\nInfected devices use the DHT protocol to locate and connect with a command-and-control (C2) server, while\r\ndefenders cannot easily find and add those C2s to threat lists. In short, the innovative use of the DHT protocol\r\nallows the malware to establish robust communication channels that are difficult to disrupt by hiding in the noise\r\nof legitimate peer-to-peer traffic.\r\nOnce added to the network, bots are then marketed by a proxy service called “Doppelganger,” which is\r\nspecifically tailored for criminal activity and appears to be a rebrand of the Faceless service, which was powered\r\nby victims of TheMoon malware.\r\nUsing the expansive Lumen global backbone to observe KadNap’s infrastructure, we found that more than 60% of\r\nKadNap’s victims are based in the United States. 
While Asus routers are the primary targets, the operators are\r\nusing the malware effectively against a variety of edge networking devices and have set aside a number of C2s used to\r\nsilo their infrastructure by victim type.\r\nAs of this publication, Lumen has proactively blocked all network traffic to or from the control infrastructure.\r\nGiven the obfuscation of C2 servers inherent to this protocol, Black Lotus Labs will share the indicators of\r\ncompromise (IoCs) and begin distributing them into public feeds to enable\r\nothers to help disrupt this threat.\r\nLumen Technologies would like to thank our partners at Spur for their contributions to our efforts to track and\r\nmitigate this threat.\r\nIntroduction and understanding Kademlia\r\nAs modern society increasingly relies on internet-exposed Internet of Things (IoT) devices, the opportunities for\r\nmalicious actors to exploit vulnerabilities continue to abound. Threat actors are building large-scale botnets\r\nspecifically designed to hijack devices in this growing pool of targets, using them to route traffic and evade\r\ndetection by network security systems.\r\nhttps://blog.lumen.com/silence-of-the-hops-the-kadnap-botnet/\r\nPage 1 of 5\n\nLarge residential proxy services offer millions of infected devices used by both legitimate users and malicious\r\nactors. In contrast, smaller botnets such as REMPROXY or Quad7 are exclusively operated by and marketed to\r\ncriminal actors for more focused attacks, posing a significant threat whenever their IPs are active. To monitor the\r\nproliferation of both small and large botnets across the landscape, Lumen has created multiple algorithms to\r\nsearch for new and emerging networks as they appear.\r\nIn early August of 2025, our algorithm detected over 10,000 Asus devices that were all communicating with a\r\nparticular set of servers. 
Our investigation into these C2s uncovered a malicious file which was used to download\r\na shell script from a server at 212.104.141[.]140, in a file called aic.sh. This file sets the stage for the KadNap\r\nmalware and initiates the process of incorporating the victim into the P2P network.\r\nThe file sets up a cron job to pull the malicious shell script from the server at the 55-minute mark of every hour,\r\nrename it to .asusrouter and then run it from the /jffs/.asusrouter location. After persistence was initialized, it\r\nwould then pull down a malicious ELF file for the Asus routers, rename it to kad, and then execute it.\r\nKademlia\r\nKademlia is an implementation of a distributed hash table (DHT) that allows for efficient decentralized lookups of\r\ninformation across peers and has been proven through multiple real-world protocols such as BitTorrent DHT,\r\neMule, I2P and Ethereum.\r\nTo better understand this system, think of Kademlia like using a chain of friends to find someone’s phone number:\r\neach friend does not know the whole number but knows someone who can get you closer to the answer. Passing\r\nyour request along this chain, you quickly put together the whole phone number. Likewise, Kademlia nodes\r\nforward queries to others that are “closer” to the target, enabling fast and efficient searches without knowing the\r\nwhole network.\r\nThe KadNap malware is a custom implementation of a Kademlia DHT. Naming the ELF file kad was likely in\r\nrelation to using this protocol to hide the IP address of the C2 server.\r\nMalware analysis\r\nOnce the ELF file from the malware server is loaded, it begins the process of installing KadNap. In addition to\r\ncreating a “phone tree” for finding the hidden C2 addresses, the malware was designed with some versatility:\r\nBlack Lotus Labs identified samples of KadNap for both ARM and MIPS processors. 
Each sample begins\r\ninitialization by forking, setting STDIN, STDOUT and STDERR to /dev/null, determining the external IP address,\r\nand storing it in an initialized struct.\r\nNext it will cycle through a list of NTP servers until it makes a connection, retrieves the current time and stores it\r\nalong with the host uptime. These values are used later in the network communications to create a hash used to\r\n“phone friends” and find other peers in the network.\r\nFrom here, the malware has enough information to move into the Kademlia DHT implementation.\r\nFind peers thread\r\nAfter the time synchronization it will fork, creating a child process that connects to the BitTorrent network using\r\nknown bootstrap nodes and generates a custom DHT packet to search for other infected nodes from which to\r\nreceive commands. The child process then creates a custom infohash by filling the “name” field of the bencoded\r\nstring with an XOR key computed from contacting an NTP server and the computer’s uptime. It then SHA-1 hashes\r\nthe 0x40-byte hardcoded string\r\n6YL5aNSQv9hLJ42aDKqmnArjES4jxRbfPTnZDdBdpRhJkHJdxqMQmeyCrkg2CBQg with the XOR key, and\r\nstores that value in the “pieces” field of the bencoded string.\r\nIt then SHA-1 hashes the full bencoded string and uses that as the info hash to find other peers, then sends this\r\nthrough a pipe to be read by another thread.\r\nAnother thread is created immediately to read six bytes from the pipe that are the IP and port of a peer on the\r\nnetwork. It will connect to the peer, receive a buffer 0x1000 bytes in size and use a hardcoded key to decrypt\r\nit. It then SHA-1 hashes the decrypted payload and uses the hash as the key to encrypt/decrypt follow-on traffic.\r\nIt then parses the payload, which is SHA-1 hashed again. 
This hash is used as the key to AES encrypt/decrypt\r\nfollow-on traffic.\r\nUpon reaching the final peer, if the initial handshake succeeds, the malware will receive an additional payload that\r\nis decrypted and saved as a file. The path and filename are sent to a second pipe, to be read from another thread.\r\nTwo files were received after contact with the final peer the malware was searching for. One was named fwr.sh\r\n(likely a firewall rule), which also closed port 22 on the infected device.\r\nThe other was named .sose and placed in the /tmp directory.\r\nMalicious thread\r\nThe parent thread continues after starting the previous two threads and goes into a loop that calls two main\r\nfunctions. The first function, readCommandFromPipe2AndExecute, reads a filename sent on the pipe and executes\r\nit.\r\nThe second function, labeled tmpSose, will check for the presence of the file /tmp/.sose and, if it exists, will read\r\nten bytes from the file. /tmp/.sose contains a list of C2 IP:port pairs as well as some other config information. The\r\nsample will then fork and attempt to reach out to the C2s.\r\nKademlia Weak Custom Implementation\r\nIn a true Kademlia peer-to-peer network, the final peer changes over time, reflecting its decentralized nature.\r\nHowever, in analyzing our KadNap samples dating back to August 2025, we consistently found the same two final\r\nhop nodes before reaching the C2 servers. This indicates the attackers maintain persistent nodes to retain control\r\nover the network. Those two longstanding nodes were 45.135.180[.]38 and 45.135.180[.]177.\r\nGlobal telemetry analysis\r\nBlack Lotus Labs has monitored this network since August 2025; it has since grown to maintain a daily average of\r\n14,000 distinct victims, while using three to four active C2s on average. 
The botnet struggled to maintain a\r\nconsistent victim pool in the initial stages; however, as shown in the chart below, its operators have maintained a\r\nconsistent size in the last few months.\r\nThe victims are distributed across several countries, with 60% located in the United States and 5% each in Taiwan,\r\nHong Kong and Russia.\r\nOur analysis and telemetry indicate that not all infected devices communicate with every C2 server. This suggests\r\nthe threat actor is segmenting their infrastructure based on device types and models. More than half of the botnet\r\n(all the Asus victims) connects to two Asus C2 servers, while the rest communicate with one of two other active\r\nC2s.\r\nKadNap’s purpose was unclear when first discovered. However, through our partnership with Spur, they were able\r\nto tie the C2 servers we discovered to entry points for a known malicious proxy service. Based on the botnet’s\r\nstructure, Black Lotus Labs confidently agrees with Spur that this is likely a new botnet linked to the now defunct\r\nFaceless proxy service, which previously used TheMoon malware.\r\nConclusion\r\nThe KadNap botnet stands out among others that support anonymous proxies in its use of a peer-to-peer network\r\nfor decentralized control. Their intention is clear: avoid detection and make it difficult for defenders to protect\r\nagainst it. KadNap’s bots are sold through Doppelganger, a service whose users leverage these hijacked devices for\r\na range of malicious purposes, including brute-force attacks and highly targeted exploitation campaigns. As a\r\nresult, every IP address associated with this botnet represents a significant, persistent risk to organizations and\r\nindividuals alike.\r\nBlack Lotus Labs will continue to find, monitor and track malicious botnets to help secure the internet. 
With\r\nKadNap, Lumen DefenderSM customers have been protected from this network since August 2025. We will share\r\nindicators of compromise (IoCs) in public feeds to support global defenders and disrupt this threat.\r\nWe encourage the community to monitor and alert on these and any similar IoCs. We also advise the following\r\nactions.\r\nCorporate network defenders\r\nContinue to look for attacks on weak credentials and suspicious login attempts, even when they originate\r\nfrom residential IP addresses, which bypass geofencing and ASN-based blocking.\r\nProtect cloud assets from communicating with bots that attempt to perform password spraying attacks and\r\nbegin blocking IoCs with Web Application Firewalls.\r\nCheck for devices reaching out to public BitTorrent trackers and exhibiting connectivity to any known\r\npeers within the KadNap network.\r\nConsumers with SOHO routers\r\nUsers should follow best practices for regularly rebooting routers and installing security updates and\r\npatches. For guidance on how to perform these actions, please see the best practices document prepared by the\r\nCanadian Centre for Cybersecurity.\r\nOrganizations that manage SOHO routers: make sure devices do not rely upon common default passwords.\r\nThey should also ensure that the management interfaces are properly secured and not accessible via the\r\ninternet. 
For more information on securing management interfaces, please see DHS’ CISA BoD 23-02 on\r\nsecuring networking equipment.\r\nCheck for devices reaching out to public BitTorrent trackers or exhibiting connectivity to any known peers\r\nwithin the KadNap network.\r\nWe also recommend replacing devices once they reach their manufacturer end of life and are no longer\r\nsupported.\r\nAnalysis of KadNap was performed by Chris Formosa and Steve Rudd with technical editing by Ryan English.\r\nCurrent IoCs can be found on our GitHub page and will be continuously updated there. We encourage the community to\r\nmonitor and alert on these and any similar IoCs.\r\nIf you would like to collaborate on similar research, please contact us on LinkedIn or X @BlackLotusLabs.\r\nThis information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is\r\nat the end user’s own risk. This content is provided for informational purposes only and may require additional research and\r\nsubstantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either\r\nexpress or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end\r\nuser’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. All third-party company and product or service names referenced in this article are for identification purposes only and do not imply endorsement\r\nor affiliation with Lumen. This document represents Lumen products and offerings as of the date of issue. Services not available\r\neverywhere. Lumen may change or cancel products and services or substitute similar products and services at its sole discretion without\r\nnotice. © 2026 Lumen Technologies. 
All Rights Reserved.\r\nAuthor\r\nBlack Lotus Labs\r\nThe mission of Black Lotus Labs is to leverage our network visibility to help protect customers and keep the\r\ninternet clean.\r\nSource: https://blog.lumen.com/silence-of-the-hops-the-kadnap-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.lumen.com/silence-of-the-hops-the-kadnap-botnet/"
	],
	"report_names": [
		"silence-of-the-hops-the-kadnap-botnet"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434567,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2d1005b7047f695671ffeeed7d33b5921a707265.pdf",
		"text": "https://archive.orkl.eu/2d1005b7047f695671ffeeed7d33b5921a707265.txt",
		"img": "https://archive.orkl.eu/2d1005b7047f695671ffeeed7d33b5921a707265.jpg"
	}
}