There’s a new type of malware going around, and it has so far infected over 14,000 devices, according to new reports from the Black Lotus Labs team at Lumen. The malware, which is being called KadNap, primarily appears to target Asus-branded routers, though other edge devices have also been affected. And so far, the team estimates that at least 60% of the victims of the attacks driven by KadNap have been located within the United States — with a smaller percentage being detected in Russia, the United Kingdom, Brazil, France, and a few other countries throughout the world.
What is especially troubling about KadNap is the fact that once a device is infected, it essentially allows the threat actors to market the devices as part of a proxy service called Doppelgänger. Once part of the service, it can then be utilized in completely anonymous DDoS attacks, which allow bad actors to hide behind thousands of devices that don’t belong to them. Hiding malware within everyday apps has become a well-known way to distribute infected files.
The security researchers who discovered the malware say that this service is essentially a rebrand of a previous proxy service called Faceless, which has previously been associated with another type of malware known as TheMoon, which has been going around since 2014. Based on information pulled from the website for the service, the researchers note that Doppelgänger has been launched since May or June of 2025. Malware like this is one reason the FBI has warned Americans to replace certain routers.
The threats are growing
As our world continues to move toward acceptance of more connected devices, the threat of malware like KadNap is only growing. That’s because, as we rely more on the Internet of Things (IoT), threat actors are finding new ways to exploit those devices. Additionally, Lumen says that edge devices like the routers targeted by KadNap are also susceptible to other malware, which makes it difficult to tell exactly which malware is driving the car, so to speak. And, as the malware creators become smarter and more advanced, they’re finding ways to even hide their network traffic within the legitimate peer-to-peer traffic.
The only reason Black Lotus Labs was able to discover the KadNap malware is that it detected over 10,000 Asus devices that were all corresponding with a very particular server set. From here, their investigation uncovered that a file had been used to download a malicious shell script from those servers. This file, the researchers note, is what “sets the stage” for KadNap to incorporate the victim into the P2P network.” Further, because it utilizes a proxy the way it does, the researchers believe the intention behind the threat is very clear. They want to avoid any type of detection and make it as difficult as possible for people to defend against the threat.
Thankfully, as of the posting of its report, Lumen notes that it has proactively begun blocking network traffic from Doppelgänger, with plans to share the compromising indicators in public feeds so that others can help disrupt the threat that KadNap poses. Google recently started taking down another huge proxy system like this, so it’s promising to see another under fire, too.
