KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet

A new malware known as KadNap has been found by cybersecurity researchers This article explores malware known kadnap. . It mainly targets Asus routers in an attempt to recruit them into a botnet that will proxy malicious traffic.

The Black Lotus Labs team at Lumen reports that since the malware was discovered in the wild in August 2025, it has spread to over 14,000 infected devices, with over 60% of victims being in the United States. Taiwan, Hong Kong, Russia, the United Kingdom, Australia, Brazil, France, Italy, and Spain have reported fewer infections. The network is resistant to detection and disruption attempts because compromised nodes use the DHT protocol to find and establish a connection with a command-and-control (C2) server.

After devices are successfully compromised, a proxy service called Doppelgĩ ("doppelganger[. ]shop") markets them. This proxy service is thought to be a rebranding of Faceless, another proxy service linked to TheMoon malware.

The clipper malware has been described as an autonomous cryptocurrency clipboard hijacker that targets Linux X11 environments. It is distributed via the ShadowHS Linux post-exploitation framework. The malware, which is fully implemented in memory, uses stealth tactics like Wayland session avoidance and process masquerading. It also monitors the clipboard every 200 milliseconds and replaces cryptocurrency addresses with wallets under the control of the attacker.

It can target wallets for Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TONNE.

Because the security architecture of the display server protocol imposes additional controls, such as requiring explicit user interaction before applications can access the clipboard content, the decision to avoid execution in Wayland sessions is intentional. The malware seeks to remove noise and prevent runtime failure by disabling itself in such situations.