The Black Lotus Labs team at Lumen has discovered malware, KadNap, that conscripts edge devices into a botnet that proxies malicious traffic.

Since August 2025, the team has been monitoring the growth of this network, which is now above 14 000 infected devices.

According to a Black Lotus Labs blog post, KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol to conceal the IP address of its operators' infrastructure within a peer-to-peer system and evade traditional network monitoring.

Infected devices use the DHT protocol to locate and connect with a command-and-control (C2) server, while defenders cannot easily find and add those C2s to threat lists.

In short, by hiding in the noise of legitimate peer-to-peer traffic, the malware's innovative use of the DHT protocol establishes robust communication channels that are difficult to disrupt.

Once added to the network, bots are marketed by a proxy service called “Doppelganger,” which is specifically tailored for criminal activity. It appears to be a rebrand of the Faceless service, which was powered by victims of TheMoon malware.

The team found that more than 60% of KadNap’s victims are based in the US. While Asus routers are the primary targets, the operators are using the malware effectively against a variety of edge networking devices.