KadNap Malware 2026: How to Detect, Remove & Secure Your Router from Proxy Botnets
Over 14,000 Routers Hijacked: How to Block KadNap Malware Before It Turns Yours Into a Proxy Botnet
In March 2026, cybersecurity firm Lumen’s Black Lotus Labs uncovered a stealthy campaign infecting over 14,000 edge devices—primarily ASUS routers—with KadNap malware. The attackers weren’t just stealing data; they were repurposing these devices into a proxy botnet, selling access to cybercriminals for credential stuffing, ad fraud, and DDoS attacks. If your router is one of them, your bandwidth could be fueling crimes without your knowledge.
KadNap isn’t just another malware strain. It’s a persistent, evasive threat that exploits unpatched firmware and weak credentials to turn routers into anonymous proxies. Once infected, your device becomes part of a distributed network used to mask malicious traffic, making it nearly impossible to trace attacks back to their source. Worse, many victims don’t realize they’re compromised until their ISP flags unusual activity—or their network slows to a crawl.
This guide will show you how to detect, remove, and prevent KadNap infections—before your router becomes another node in a cybercriminal’s botnet.
How KadNap Malware Infects Routers (And How to Spot It)
Photo by Christina Morillo on Unsplash
KadNap spreads through three primary attack vectors, all of which exploit common security oversights. Understanding these methods is the first step to hardening your defenses.
1. Exploiting Unpatched Firmware
Routers are low-hanging fruit for attackers because most users never update their firmware. KadNap targets known vulnerabilities in popular models, including:
- ASUS RT-AC68U (CVE-2023-39238, a command injection flaw)
- ASUS RT-AX88U (CVE-2022-26674, a buffer overflow vulnerability)
- MikroTik RouterOS (CVE-2023-30799, a privilege escalation bug)
How it works:
Attackers scan the internet for vulnerable routers using tools like Masscan or Shodan, then deploy KadNap via exploit kits or malicious scripts. Once inside, the malware persists across reboots by modifying startup scripts (e.g., /etc/init.d/rc.local on Linux-based routers).
Actionable advice:
- Check your router’s firmware version against the latest release from the manufacturer. For ASUS routers, visit ASUS’s support page and search for your model.
- Enable automatic updates if available. If not, set a monthly reminder to check for patches.
2. Weak or Default Credentials
A staggering 80% of router infections stem from default or weak passwords, according to a 2025 report by ENISA (European Union Agency for Cybersecurity). KadNap brute-forces its way into routers using common credential pairs like:
| Username | Password |
|---|---|
| admin | admin |
| admin | password |
| root | (blank) |
| admin | 1234 |
How it works: Attackers use botnets like Mirai to launch credential-stuffing attacks against routers with exposed admin panels. Once they gain access, KadNap is installed via SSH or Telnet.
Actionable advice:
- Change your router’s default credentials immediately. Use a strong, unique password (12+ characters, mixed case, numbers, and symbols).
- Disable remote administration unless absolutely necessary. If you must enable it, restrict access to specific IP addresses (e.g., your workplace’s static IP).
- Use two-factor authentication (2FA) if your router supports it (e.g., ASUS’s AiProtection or TP-Link’s Tether app).
3. Malicious Ads and Phishing Links
KadNap also spreads through drive-by downloads—malicious scripts hidden in ads or phishing emails. A single click on a compromised ad can trigger a silent infection if your router’s firmware is outdated.
Real-world example: In 2025, The Hacker News reported a campaign where attackers used malvertising to distribute KadNap via fake ASUS firmware update prompts. Victims who clicked the link unknowingly downloaded a trojanized firmware file, which installed the malware during the "update" process.
Actionable advice:
- Never download firmware from third-party sites. Always get updates directly from the manufacturer.
- Use an ad blocker (e.g., uBlock Origin) to reduce exposure to malvertising.
- Verify email links before clicking. Hover over them to check the URL—if it doesn’t match the official domain (e.g.,
asus.com), it’s likely malicious.
Indicators of Compromise (IOCs): How to Tell If Your Router Is Infected
Photo by cottonbro studio on Unsplash
KadNap is designed to operate stealthily, but there are telltale signs of infection. Here’s what to look for:
1. Unusual Network Traffic
KadNap turns your router into a proxy node, routing traffic for cybercriminals. This activity often manifests as:
- Unexplained data usage spikes (check your ISP’s usage dashboard).
- Slow internet speeds, even when no devices are actively in use.
- Connections to suspicious IPs (e.g.,
185.178.45.22,45.142.212.78, or103.86.98.98).
How to check:
- Use Wireshark (advanced) or GlassWire (beginner-friendly) to monitor outbound traffic.
- Look for repeated connections to unknown servers, especially on ports 80, 443, or 8080.
- If you’re comfortable with the command line, run:
This will show active connections. If you see IPs you don’t recognize, your router may be compromised.netstat -tulnp | grep ESTABLISHED
2. Modified DNS Settings
KadNap often hijacks DNS settings to redirect traffic to malicious servers. Common signs include:
- Websites loading slowly or failing to load (DNS resolution delays).
- Unexpected redirects (e.g., typing
google.comtakes you to a fake login page). - DNS settings pointing to rogue servers (e.g.,
8.8.8.8→103.86.98.98).
How to check:
- Log in to your router’s admin panel (usually
192.168.1.1or192.168.0.1). - Navigate to DNS settings and verify the servers. Legitimate options include:
- Google DNS:
8.8.8.8,8.8.4.4 - Cloudflare DNS:
1.1.1.1,1.0.0.1 - OpenDNS:
208.67.222.222,208.67.220.220
- Google DNS:
- If the DNS servers are set to unknown IPs, reset them immediately.
3. Unknown Devices on Your Network
KadNap may add rogue devices to your network to maintain persistence. To check:
- Log in to your router’s admin panel.
- Navigate to connected devices or DHCP clients.
- Look for unrecognized devices (e.g., "Unknown-Device" or "Linux-User").
Actionable advice:
- Kick unknown devices off your network immediately.
- Change your Wi-Fi password and enable MAC address filtering (if supported).
Step-by-Step: How to Remove KadNap Malware from Your Router
If you’ve confirmed an infection, act fast—KadNap is designed to persist. Here’s how to remove it completely:
Option 1: Factory Reset (Recommended for Most Users)
A factory reset is the nuclear option, but it’s the most reliable way to wipe KadNap from your router.
Steps:
- Backup your settings (if possible). Note down Wi-Fi passwords, port forwarding rules, and static IPs—you’ll need to reconfigure them later.
- Locate the reset button (usually a small pinhole on the back of the router).
- Press and hold the reset button for 10-15 seconds (use a paperclip or pen). The router will reboot.
- Reconfigure your router from scratch:
- Change the admin password (use a strong, unique password).
- Update the firmware to the latest version.
- Disable UPnP, WPS, and remote administration.
- Set DNS servers to Cloudflare (1.1.1.1) or Google (8.8.8.8).
- Change all connected device passwords (especially IoT devices, which are common reinfection vectors).
Warning:
- Do not restore from a backup file—it may reintroduce the infection.
- If your router supports dual firmware (e.g., ASUS’s Firmware Restoration Tool), use it to reflash the firmware before resetting.
Option 2: Manual Removal (Advanced Users Only)
If you’re comfortable with SSH and command-line tools, you can attempt manual removal. This method is risky—if you delete the wrong files, you could brick your router.
Steps:
-
Access your router via SSH (enable SSH in the admin panel if disabled).
ssh admin@192.168.1.1(Replace
adminwith your username and192.168.1.1with your router’s IP.) -
Kill malicious processes:
ps | grep -i kadnap kill -9 [PID](Replace
[PID]with the process ID of any suspicious entries.) -
Delete malicious files: KadNap often hides in these locations:
rm -rf /tmp/kadnap.sh rm -rf /var/run/proxybot rm -rf /etc/init.d/rc.local.bak(Be extremely careful—deleting system files can break your router.)
-
Restore default DNS settings:
echo "nameserver 1.1.1.1" > /etc/resolv.conf echo "nameserver 8.8.8.8" >> /etc/resolv.conf -
Reboot the router:
reboot -
Verify the infection is gone:
- Check DNS settings in the admin panel.
- Monitor network traffic for unusual activity.
If you’re unsure, stick with the factory reset.
How to Harden Your Router Against Future KadNap Attacks
Photo by Jakub Zerdzicki on Unsplash
Removing KadNap is only half the battle. To prevent reinfection, you need to harden your router’s security. Here’s how:
1. Update Firmware Immediately (And Automate It)
- Check for updates monthly (or enable auto-updates if available).
- Avoid third-party firmware unless you’re an advanced user (e.g., OpenWRT or DD-WRT).
- For ASUS routers, use the Firmware Restoration Tool to recover from failed updates.
2. Secure Router Settings
| Setting | Recommended Action |
|---|---|
| Admin Password | Use a 12+ character password with mixed case, numbers, and symbols. |
| Wi-Fi Password | Use WPA3 encryption (or WPA2-AES if WPA3 isn’t available). |
| Remote Admin | Disable unless absolutely necessary. If enabled, restrict to specific IPs. |
| UPnP | Disable (common attack vector for malware). |
| WPS | Disable (easily brute-forced). |
| Firewall Rules | Block inbound traffic on ports 22 (SSH), 80 (HTTP), and 443 (HTTPS). |
| DNS | Set to Cloudflare (1.1.1.1) or Google (8.8.8.8). |
3. Segment Your Network
- Create a guest network for IoT devices (e.g., smart TVs, cameras).
- Isolate critical devices (e.g., work laptops) on a separate VLAN.
- Use a VPN (like GhostShield VPN) to encrypt all traffic between devices and the internet, adding an extra layer of protection against eavesdropping.
4. Monitor Continuously
- Set up SNMP alerts (if your router supports it) to notify you of unusual activity.
- Use Pi-hole to block malicious domains at the DNS level.
- Enable logging and review logs weekly for suspicious connections.
Long-Term Prevention: Best Practices for Edge Device Security
KadNap won’t be the last malware to target routers. To future-proof your network, adopt these long-term security habits:
For Home Users
- Replace routers older than 5 years (they often lack modern security features).
- Use a VPN (e.g., GhostShield VPN) to encrypt all traffic, making it harder for attackers to intercept data.
- Disable unused services (e.g., FTP, Telnet, or SMB if you don’t need them).
For Small Businesses
- Deploy a UTM firewall (e.g., pfSense, FortiGate, or Ubiquiti UniFi) for enterprise-grade protection.
- Conduct quarterly security audits (e.g., penetration testing or vulnerability scans).
- Train employees on phishing awareness and secure password practices.
For Tech-Savvy Users
- Flash OpenWRT or DD-WRT for custom security controls (e.g., fail2ban to block brute-force attacks).
- Set up a honeypot (e.g., Cowrie) to detect and analyze attacks.
- Use a Raspberry Pi as a network monitor (e.g., Security Onion for intrusion detection).
Key Takeaways (TL;DR)
- KadNap malware turns routers into proxy botnets, enabling cybercrime like DDoS attacks, ad fraud, and credential stuffing.
- Detect infections by checking for unusual traffic, modified DNS settings, or slow speeds.
- Remove KadNap by factory resetting your router (recommended) or manually deleting malicious files (advanced users only).
- Prevent reinfection by updating firmware, disabling UPnP/WPS, and segmenting your network.
- Stay vigilant with continuous monitoring (e.g., Pi-hole, SNMP alerts) and regular security audits.
- Use a VPN (like GhostShield VPN) to encrypt traffic and reduce exposure to attacks.
Final Thoughts: Your Router Is a Target—Act Now
KadNap is just one of dozens of malware strains targeting routers in 2026. The good news? You’re not powerless. By following the steps in this guide, you can detect, remove, and prevent infections—before your router becomes another node in a cybercriminal’s botnet.
Start today:
- Check your router’s firmware and update if needed.
- Change default passwords and enable WPA3 encryption.
- Monitor your network for unusual activity.
Your router is the gateway to your digital life—don’t let attackers turn it against you.
Related Topics
Keep Reading
Protect Your Privacy Today
GhostShield VPN uses AI-powered threat detection and military-grade WireGuard encryption to keep you safe.
Download Free