KadNap Botnet Targets Thousands of ASUS Routers
Security researchers have identified an active botnet campaign called KadNap that is systematically compromising ASUS routers and other edge networking devices, turning infected hardware into proxy nodes used to route cybercriminal traffic. The campaign was first detected in early March 2026 after analysts noticed unusual traffic patterns originating from home and small business routers across multiple continents.
According to security researchers, more than 14,000 devices have already been confirmed as compromised. The infections are concentrated in North America, Europe, and Asia, with exposed routers accessible via default credentials or unpatched firmware being the primary targets.
How KadNap Exploits ASUS Router Vulnerabilities
The attack chain used by KadNap combines authentication bypass techniques, brute-force credential attacks, and known command injection vulnerabilities to gain privileged access. Researchers note that the campaign exploits weaknesses similar to CVE-2023-39780, a command injection flaw affecting multiple ASUS router product lines, alongside authentication bypass methods that had not been publicly assigned CVE identifiers at the time of initial disclosure.
ASUS router owners should also be aware of CVE-2025-2492, a critical authentication control vulnerability with a CVSS score of 9.2 that affects AiCloud-enabled routers and can allow unauthorized remote code execution. Security advisories from ASUS have urged users to apply the latest firmware updates and disable AiCloud if the feature is not required.
Backdoor Survives Reboots and Firmware Updates
One of the most concerning aspects of the KadNap campaign is its persistence. Once a router is compromised, the malware stores attacker-controlled configuration changes in non-volatile memory (NVRAM), meaning the backdoor remains active even after a full reboot or a firmware update is applied.
Researchers also observed that KadNap enables SSH access on non-standard ports — including TCP port 53282 — and injects attacker-controlled public keys for persistent remote access. Logging functions and certain built-in security protections are then disabled, making forensic detection significantly harder for end users and IT teams managing small office environments.
Proxy Network Powers Cybercrime Infrastructure
Once enrolled in the botnet, compromised ASUS routers are converted into proxy servers that mask the true origin of malicious traffic. This infrastructure is used to facilitate a range of cybercriminal activities including large-scale fraud, credential stuffing attacks, data theft, and anonymization services for illicit marketplaces.
Because the routers communicate with command-and-control servers using encrypted channels and mimic legitimate traffic patterns, detection at the network level is difficult without dedicated monitoring tools. Most home users and small business operators are unlikely to notice any significant performance degradation, making the botnet particularly effective as long-term covert infrastructure.
Why ASUS Routers Are a Prime Target
Edge devices like home and office routers are attractive targets for botnet operators because they remain online continuously, sit outside the security perimeter of most endpoint detection tools, and are rarely updated or monitored by their owners. ASUS holds a significant share of the consumer and SMB router market, making its devices a high-value target for campaigns that require scale.
Security experts emphasize that even routers running the latest firmware may remain backdoored if they were compromised before the update was applied, since KadNap's NVRAM persistence mechanism is not removed by a standard firmware flash without a full factory reset.
What ASUS Router Users Should Do Immediately
Security researchers recommend the following steps for all ASUS router owners:
- Apply the latest available firmware update from the official ASUS support portal immediately.
- Perform a full factory reset if compromise is suspected, as a standard reboot will not remove the backdoor.
- Disable AiCloud and remote administration features if they are not actively required.
- Replace default credentials with strong, unique passwords for both the admin panel and Wi-Fi networks.
- Check SSH settings and disable SSH access if it is not needed.
- Enable router logging and review traffic for anomalous outbound connections.
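The persistence indicators above (SSH enabled on a non-standard port such as 53282, injected public keys, logging switched off, AiCloud left on) all live in NVRAM, so an owner or IT team can audit a saved `nvram show` dump offline before deciding on a factory reset. The script below is an added example, not code from the article or from ASUS; the NVRAM variable names it reads (`sshd_enable`, `sshd_port`, `sshd_wan`, `sshd_authkeys`, `log_level`, `enable_webdav`) and the `>` separator between authorized keys are assumptions about ASUSWRT naming that should be confirmed against the firmware in use, and the two sample dumps are constructed, not captured from a real device.

```python
"""Offline audit of an ASUS router `nvram show` dump for the KadNap-style
persistence indicators described in the article.

Added example (not from the article or ASUS). The NVRAM variable names
below and the '>' key separator are assumptions about ASUSWRT naming;
confirm them against the firmware you are examining.
"""
from __future__ import annotations

KADNAP_SSH_PORT = "53282"   # non-standard SSH port reported in the article

# Constructed sample dumps (not captured from a real device).
DUMP_SUSPECT = """\
wan_ipaddr=203.0.113.10
sshd_enable=1
sshd_port=53282
sshd_wan=1
sshd_authkeys=ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial attacker@example
log_level=0
enable_webdav=1
"""

DUMP_CLEAN = """\
wan_ipaddr=203.0.113.11
sshd_enable=0
sshd_port=22
sshd_wan=0
sshd_authkeys=
log_level=6
enable_webdav=0
"""


def parse_nvram_dump(dump: str) -> dict[str, str]:
    """Turn `key=value` lines (the `nvram show` format) into a dict; skip noise."""
    cfg: dict[str, str] = {}
    for line in dump.splitlines():
        if "=" not in line:
            continue          # blank line or the trailing 'size: ...' summary
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_nvram(dump: str, trusted_keys: frozenset[str] = frozenset()) -> list[str]:
    """Return human-readable findings; an empty list means no indicator matched.

    trusted_keys: public keys the owner installed deliberately; any other key
    in sshd_authkeys is reported as injected.
    """
    cfg = parse_nvram_dump(dump)
    findings: list[str] = []

    if cfg.get("sshd_enable", "0") != "0":
        port = cfg.get("sshd_port", "22")
        if port == KADNAP_SSH_PORT:
            findings.append(f"SSH enabled on KadNap-reported port {port}")
        elif port != "22":
            findings.append(f"SSH enabled on non-standard port {port}")
        if cfg.get("sshd_wan", "0") == "1":
            findings.append("SSH reachable from the WAN side")

    # Keys the operator did not install are the remote-access persistence hook.
    for pub in cfg.get("sshd_authkeys", "").split(">"):  # assumed separator
        pub = pub.strip()
        if pub and pub not in trusted_keys:
            findings.append(f"unrecognised SSH public key: {pub[:40]}...")

    if cfg.get("log_level", "6") == "0":  # assumed: level 0 silences syslog
        findings.append("router logging disabled")

    if cfg.get("enable_webdav", "0") == "1":  # assumed AiCloud/WebDAV flag
        findings.append("AiCloud (WebDAV) enabled; disable unless required")

    return findings


if __name__ == "__main__":
    for name, dump in (("suspect", DUMP_SUSPECT), ("clean", DUMP_CLEAN)):
        print(f"{name}: {audit_nvram(dump) or ['no indicators']}")
```

Run it against a dump collected from the router's own shell (`nvram show > dump.txt`, then `audit_nvram(open("dump.txt").read(), trusted_keys=...)`). Any finding on a device that was never intentionally configured that way is a reason to factory reset before reflashing, since, as the article notes, a firmware update alone does not clear NVRAM.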
ASUS has not yet issued a specific advisory addressing the KadNap campaign directly, but existing guidance around CVE-2025-2492 and general router hardening best practices apply. Users who suspect their device has been compromised should perform a factory reset before applying updated firmware.