KadNap Botnet Infects 14,000+ Routers — What You Need to Know

Lumen's Black Lotus Labs has uncovered the KadNap botnet, a stealthy P2P-based malware campaign targeting ASUS and other SOHO routers. Learn what it does, who is at risk, and how to secure your network.


Key Takeaways

  • A newly discovered botnet called KadNap has silently infected over 14,000 ASUS and other home routers using peer-to-peer communication that makes it extremely difficult to shut down.
  • The botnet was uncovered by Lumen's Black Lotus Labs and includes a companion malware called ClipXDaemon that targets Linux systems to hijack cryptocurrency transactions.
  • Updating your router firmware, changing default passwords, and disabling remote management are the most effective steps you can take right now to protect yourself.

What Is the KadNap Botnet?

KadNap is a newly identified botnet reported by Lumen's Black Lotus Labs in early 2026. It targets SOHO (small office and home office) routers, with a particular focus on ASUS models. At the time of discovery, researchers estimated that more than 14,000 routers had already been compromised.

What makes KadNap different from previous router botnets is how it communicates. Instead of relying on a central command-and-control server that security teams can identify and shut down, KadNap uses a DHT-based peer-to-peer network. DHT stands for distributed hash table, which is the same type of technology used in file sharing networks like BitTorrent. Each infected router talks directly to other infected routers, making the botnet extremely resilient and very difficult to disrupt through traditional takedown methods.

Who Is at Risk?

If you own an ASUS router or another consumer-grade SOHO router, you could be at risk, especially if your device is running outdated firmware or still using factory-default login credentials. KadNap primarily targets routers with known vulnerabilities that have not been patched.

This is not limited to tech-savvy users or businesses. The average home user who set up a router years ago and never updated it is exactly the type of target this botnet exploits. Most people never log into their router's admin panel after the initial setup, and that is what attackers count on.

What Does KadNap Actually Do?

Once KadNap infects a router, it enrolls the device into its peer-to-peer network. The compromised router can then be used for a range of malicious purposes, including proxying traffic for cybercriminals, launching distributed denial-of-service attacks, or serving as a relay point that hides the true origin of an attack.

Because communication happens over a decentralized P2P network rather than through a single server, there is no easy off switch. Taking down one node does not affect the rest of the botnet.
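One way a defender can look for the peer-to-peer behavior described above is to check whether the router itself, rather than a device behind it, is talking UDP to many distinct remote hosts. The following is an added example, not code from Black Lotus Labs or from this article. It assumes the router exposes its connection-tracking table in the Linux `conntrack -L` text format, and the sample table, the addresses and the five-peer threshold are constructed for illustration.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S+)")
EXPECTED_PORTS = {53, 123}  # DNS and NTP: UDP a router normally originates itself

def router_udp_peers(conntrack_text, router_addrs, expected_ports=EXPECTED_PORTS):
    """Map each remote IP to the UDP ports the router itself contacted on it."""
    peers = defaultdict(set)
    for line in conntrack_text.splitlines():
        if "udp" not in line.split()[:3]:      # protocol name is in the first columns
            continue
        orig = {}
        for key, value in FIELD.findall(line):
            orig.setdefault(key, value)        # first occurrence = original direction
        if len(orig) < 4 or orig["src"] not in router_addrs:
            continue                           # NATed LAN clients keep their LAN source
        dport = int(orig["dport"])
        if dport not in expected_ports:
            peers[orig["dst"]].add(dport)
    return dict(peers)

def looks_like_p2p(peers, min_peers=5):
    """Assumed threshold: flag when the router contacts this many distinct peers."""
    return len(peers) >= min_peers

# Constructed sample: 198.51.100.7 plays the router's WAN address; all addresses
# come from documentation ranges.
ROUTER = {"198.51.100.7"}
BASELINE = """\
udp 17 28 src=192.168.1.23 dst=203.0.113.10 sport=51000 dport=443 src=203.0.113.10 dst=198.51.100.7 sport=443 dport=51000 [ASSURED] use=1
udp 17 12 src=198.51.100.7 dst=192.0.2.53 sport=40112 dport=53 src=192.0.2.53 dst=198.51.100.7 sport=53 dport=40112 use=1
udp 17 9 src=198.51.100.7 dst=192.0.2.123 sport=123 dport=123 src=192.0.2.123 dst=198.51.100.7 sport=123 dport=123 use=1
"""
FANOUT = BASELINE + "".join(
    f"udp 17 20 src=198.51.100.7 dst=203.0.113.{100 + i} sport=41000 dport={20000 + i} "
    f"[UNREPLIED] src=203.0.113.{100 + i} dst=198.51.100.7 sport={20000 + i} dport=41000 use=1\n"
    for i in range(8)
)

if __name__ == "__main__":
    for name, table in (("baseline", BASELINE), ("fan-out", FANOUT)):
        peers = router_udp_peers(table, ROUTER)
        print(name, len(peers), "router-originated peers, suspicious:", looks_like_p2p(peers))
```

A hit is a reason to investigate, not proof of infection: a VPN client or similar service running on the router also originates UDP and should be added to the expected ports.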

ClipXDaemon: The Crypto-Stealing Companion

Researchers also found that KadNap is linked to a companion malware called ClipXDaemon. This component targets Linux-based systems and works by monitoring clipboard activity. When a user copies a cryptocurrency wallet address, ClipXDaemon silently swaps it with an address controlled by the attacker. If you paste that address into a transaction without double-checking, your funds go directly to the attacker.

While ClipXDaemon is not installed on the router itself, its presence in the same campaign suggests a broader operation designed to profit from compromised networks in multiple ways.

Why This Matters for Home Users

Router-based botnets are not new, but KadNap represents a significant escalation in how they operate. The FBI issued a warning in 2025 urging consumers to replace older routers that are no longer receiving security updates. The FCC has also moved to restrict certain foreign-made networking equipment over security concerns.

KadNap reinforces the message behind both of those advisories. Your router is the gateway to every device on your network. If it is compromised, your computers, phones, smart home devices, and personal data are all exposed.

How to Protect Your Router from KadNap

You do not need to be a networking expert to take basic precautions. Here is what you should do right now.

Update Your Router Firmware

Log into your router's admin panel and check for firmware updates. ASUS users can visit the support page for their specific model or use the ASUS Router app. If your router no longer receives firmware updates from the manufacturer, it is time to consider replacing it with a currently supported model.

Change Default Login Credentials

If your router's admin username and password are still set to the factory defaults, change them immediately. Default credentials are publicly known and are one of the first things attackers try.

Disable Remote Management

Unless you specifically need to access your router from outside your home network, turn off remote management and remote access features. This closes one of the most common entry points for attacks like KadNap.

Reboot Your Router Periodically

Some router malware does not survive a reboot. While this alone will not protect you from reinfection if the underlying vulnerability is still present, regular reboots combined with updated firmware can help clear certain types of infections.

Consider Replacing End-of-Life Routers

If your router is more than five years old or the manufacturer has stopped issuing security patches, replacing it is the safest option. Modern routers with automatic firmware updates and stronger default security settings are a worthwhile investment.

The Bigger Picture

KadNap is part of a growing trend of sophisticated attacks targeting consumer networking equipment. These devices are attractive to attackers because they are always online, rarely monitored, and frequently left unpatched. The shift toward P2P-based botnets like KadNap signals that threat actors are adapting to make their operations harder to dismantle.

Staying informed and keeping your equipment current are the two most effective things any home or small office user can do to stay ahead of these threats.

Frequently Asked Questions

What is the KadNap botnet?

KadNap is a botnet discovered in 2026 that infects ASUS and other SOHO routers using peer-to-peer communication to avoid detection and resist takedown efforts. It was identified by Lumen's Black Lotus Labs.

How do I know if my ASUS router is infected with malware?

Signs of a compromised router can include unexplained slowdowns in internet speed, unfamiliar devices appearing on your network, or your router behaving erratically. However, many router infections like KadNap are designed to be invisible. Updating firmware and resetting to factory settings with new credentials is the safest approach if you suspect a problem.

Does KadNap only target ASUS routers?

ASUS routers are a primary target, but KadNap can also infect other SOHO router brands that have unpatched vulnerabilities. Any consumer router running outdated firmware is potentially at risk.

What is a P2P botnet and why is it harder to stop?

A peer-to-peer botnet connects infected devices directly to each other instead of routing commands through a single server. This means there is no central point for authorities to shut down, making the botnet much more resilient than traditional command-and-control setups.

What is ClipXDaemon malware?

ClipXDaemon is a companion malware associated with the KadNap campaign. It runs on Linux systems and monitors your clipboard for cryptocurrency wallet addresses, replacing them with attacker-controlled addresses to steal funds during transactions.

How often should I update my router firmware?

Check for firmware updates at least once a month, or enable automatic updates if your router supports that feature. Firmware patches often address the exact types of security vulnerabilities that botnets like KadNap exploit.

Should I replace my router because of KadNap?

If your router is still supported by the manufacturer and you have updated the firmware, changed the default password, and disabled remote management, you are likely in good shape. If your router is no longer receiving updates, replacing it with a current model is the safest choice.