Cyber attack hits 14,000 ASUS brand routers with highly resistant KadNap malware
Information security researchers detected a large-scale infection campaign that compromised approximately 14,000 routers in several regions. Most of the affected equipment belongs to the manufacturer ASUS, indicating that the attacks specifically target flaws present in that brand’s firmware.
The agent responsible for this massive intrusion is the malware identified as KadNap, malicious code that stands out for being extremely difficult to eradicate. Once installed on the network device, the program turns the equipment into an active node of a botnet, operating hidden from the owner of the internet connection.
The discovery of this zombie network occurred during routine monitoring of anomalous internet traffic, when experts noticed suspicious communication patterns originating from home and small business connections. The equipment continues to function normally for daily navigation, which delays victims’ awareness of the problem.
Technical structure of the invasion of equipment
Analysis of KadNap’s behavior reveals that the infection occurs mainly through the exploitation of communication ports improperly left open to the internet. Attackers perform automated scans looking for routers that still use factory default access credentials or that have known, unpatched security flaws.
Upon locating a vulnerable target, the malicious script injects its payload directly into the device’s memory and immediately establishes communication with the command and control servers operated by the cybercriminals. From that moment on, the router receives remote instructions to perform a variety of illicit actions.
The volume of 14 thousand compromised units demonstrates the effectiveness of the automated propagation method used by the threat’s developers. The concentration on ASUS models suggests that criminals have mapped out the software architecture of these devices in detail to maximize the success rate of silent intrusions.
Code persistence and hiding mechanisms
KadNap’s main technical differentiator from other threats targeting network devices is its advanced survivability on the host system. The malware was designed to integrate deeply into essential router firmware processes, creating redundancy mechanisms that make it difficult to remove using traditional methods. When a user performs a simple reboot of the device, the malicious code reactivates itself immediately during the boot process, ensuring that the device remains under the control of the botnet without significant interruption of its communication with external servers.
In addition to surviving reboots, researchers observed that attempts to restore factory defaults are not always enough to permanently eliminate the infection. KadNap uses obfuscation techniques to hide its files and processes from the equipment’s native diagnostic tools. This operational invisibility allows the zombie network to keep its size and processing power stable over time, frustrating initial mitigation attempts by users with basic technical knowledge and requiring deeper interventions into the system.
Using infrastructure for distributed attacks
Forming a botnet with thousands of home and corporate routers provides criminals with a robust infrastructure for distributed denial-of-service attacks. These attacks consist of simultaneously sending a massive volume of requests to a specific server or website, with the aim of overloading it and making it inaccessible.
The use of home connections for these illicit activities makes the work of cyber defense tools difficult, as the malicious traffic originates from legitimate and geographically dispersed IP addresses. This feature masks the real source of the attack and complicates location-based blocking.
In addition to denial of service attacks, routers infected by KadNap can be used as proxies to hide the identity of criminals during financial fraud or intrusions into corporate systems. The victim’s equipment acts as a bridge, forwarding malicious traffic as if it were ordinary browsing.
The combined processing capacity of 14 thousand devices also allows the execution of large-scale brute force campaigns. The zombie network tests thousands of password combinations per minute against email servers, databases and other online platforms, expanding the reach of criminal operations.
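The distributed brute-force pattern described above is easiest to catch on the server being attacked, not on the routers: many failed logins against one account from many different source addresses within a short window, which a per-IP rate limit alone never sees. The following is an added detection example, not code from the article or from any product it mentions. The auth log lines are constructed for this illustration and their field layout (`auth: FAILED user=… src=…`) is an assumption of the example; the addresses come from documentation ranges and are not indicators from the campaign.

```python
"""Detect distributed brute-force logins: one account, many source addresses.

Added example, not from the article.  Log lines and their layout are
constructed for this illustration (addresses are RFC 5737 documentation
ranges, not real indicators).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 'alice' is sprayed from five addresses within seconds,
# while 'bob' and 'carol' show ordinary single-source typos followed by success.
SAMPLE_AUTH_LOG = """\
2024-05-01T03:00:01 mail auth: FAILED user=alice src=203.0.113.11
2024-05-01T03:00:02 mail auth: FAILED user=alice src=203.0.113.12
2024-05-01T03:00:02 mail auth: FAILED user=alice src=198.51.100.3
2024-05-01T03:00:03 mail auth: FAILED user=alice src=198.51.100.4
2024-05-01T03:00:03 mail auth: FAILED user=alice src=192.0.2.77
2024-05-01T03:00:05 mail auth: FAILED user=bob src=203.0.113.11
2024-05-01T03:00:06 mail auth: OK user=bob src=203.0.113.11
2024-05-01T08:12:40 mail auth: FAILED user=carol src=192.0.2.5
2024-05-01T08:12:55 mail auth: OK user=carol src=192.0.2.5
"""

# Assumed line layout: "<iso-timestamp> <host> auth: <FAILED|OK> user=<u> src=<ip>"
LINE_RE = re.compile(r"^(\S+) \S+ auth: (FAILED|OK) user=(\S+) src=(\S+)$")


def parse_auth_log(text):
    """Turn log text into (timestamp, result, user, src) tuples; skip unknown lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def distributed_bruteforce(events, window=timedelta(minutes=10), min_sources=3):
    """Return {user: sorted distinct source IPs} for accounts that received
    failed logins from at least `min_sources` distinct addresses inside any
    `window`-long interval.  Successes are ignored on purpose: the signal is
    the fan-in of failures, not the outcome."""
    failures = defaultdict(list)  # user -> [(time, src), ...]
    for ts, result, user, src in events:
        if result == "FAILED":
            failures[user].append((ts, src))

    flagged = {}
    for user, attempts in failures.items():
        attempts.sort()  # chronological order for the sliding window
        for i, (t0, _) in enumerate(attempts):
            sources = {src for t, src in attempts[i:] if t - t0 <= window}
            if len(sources) >= min_sources:
                flagged[user] = sorted(sources)
                break
    return flagged


if __name__ == "__main__":
    for user, sources in distributed_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{user}: failed logins from {len(sources)} addresses: {', '.join(sources)}")
```

The threshold on distinct sources rather than on attempts per address is the design point: a botnet of home routers can keep every individual IP under a per-source lockout limit, so the defender has to aggregate by target account.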
Technical procedures to contain the threat
Disinfecting a router compromised by KadNap requires a methodical and rigorous approach on the part of network administrators and home users. The first fundamental step consists of immediately isolating the device, physically disconnecting it from the internet modem to stop communication with the botnet’s command and control servers. Next, it is necessary to access the device’s administration panel over a secure local network and manually update the firmware, using exclusively the official files available on the ASUS website. Since the malware has high persistence, simply applying the update may not be enough; experts recommend that the process be accompanied by a complete cleaning of the equipment’s internal memory, followed by a manual reconfiguration of all network parameters. During this reconfiguration, it is imperative to replace administration passwords with complex credentials, disable remote management services over the internet and close communication ports that are not strictly necessary for the functioning of the local network. Continuously checking access logs in the weeks following the procedure helps confirm that the eradication of the malicious code was successful and that data traffic has returned to normal.
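The reconfiguration step above is where most re-infections start, so it helps to verify the finished state against a written policy rather than by eye. The following is an added example, not code from the article or from ASUS: it audits an exported router configuration for the settings the procedure names (current firmware, non-default complex admin password, remote management disabled, only allow-listed WAN ports open). The JSON layout, the key names and the firmware version strings are constructed assumptions of this example; real ASUS exports use a different format.

```python
"""Audit an exported router configuration against the hardening checklist.

Added example, not from the article or the vendor.  The JSON layout, key
names and version strings are constructed for this illustration.
"""
import json
import re

# Constructed: a router that was updated but never reconfigured.
SAMPLE_CONFIG_JSON = json.dumps({
    "firmware_version": "FW-PLACEHOLDER-OLD",
    "admin_user": "admin",
    "admin_password": "admin",              # still the factory default
    "remote_management": {"enabled": True, "port": 8443},
    "wan_open_ports": [80, 8443, 23],
    "upnp": True,
})

# Constructed: the same router after the procedure in the article.
HARDENED_CONFIG_JSON = json.dumps({
    "firmware_version": "FW-PLACEHOLDER-NEW",
    "admin_user": "admin",
    "admin_password": "Tr0ub4dor&3xample!",
    "remote_management": {"enabled": False, "port": 8443},
    "wan_open_ports": [],
    "upnp": False,
})

# Common factory defaults; extend from the vendor's documentation for your model.
DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345678"}


def password_is_weak(pw, min_len=12, min_classes=3):
    """True for factory defaults, short passwords, or too few character classes."""
    if pw.lower() in DEFAULT_PASSWORDS or len(pw) < min_len:
        return True
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return classes < min_classes


def audit_config(config_json, expected_firmware, allowed_wan_ports=frozenset()):
    """Return a list of human-readable findings; an empty list means the
    configuration matches the checklist."""
    cfg = json.loads(config_json)
    findings = []

    if cfg.get("firmware_version") != expected_firmware:
        findings.append("firmware is not at the expected version")
    if password_is_weak(cfg.get("admin_password", "")):
        findings.append("admin password is a factory default or too weak")
    if cfg.get("remote_management", {}).get("enabled"):
        findings.append("remote management over the internet is still enabled")
    extra = sorted(set(cfg.get("wan_open_ports", [])) - set(allowed_wan_ports))
    if extra:
        findings.append("WAN ports open without a policy exception: "
                        + ", ".join(str(p) for p in extra))
    if cfg.get("upnp"):
        findings.append("UPnP is enabled, so LAN devices can open WAN ports themselves")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_CONFIG_JSON), ("after", HARDENED_CONFIG_JSON)):
        issues = audit_config(cfg, "FW-PLACEHOLDER-NEW")
        print(f"{name}: {'clean' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Running the audit both before and after the reconfiguration gives a record that can be re-checked during the weeks of log review the article recommends; a port that reappears in `wan_open_ports` is exactly the kind of drift worth investigating.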
Vulnerabilities in the internet of things ecosystem
The incident involving ASUS equipment highlights a structural problem in the security of devices that make up the so-called internet of things. Routers, security cameras and connected appliances often reach the market with configurations aimed at ease of installation, neglecting stricter protection protocols. The life cycle of these products makes the situation worse, as many manufacturers end official support early.
The lack of an automated and mandatory security update system leaves millions of devices exposed to flaws discovered months or years after their manufacture. Cybercriminals exploit this window of vulnerability in legacy equipment to expand their zombie networks with minimal effort and high operational return, maintaining control over devices forgotten by owners.
Continuous monitoring of data traffic
Early detection of silent infections like KadNap depends on network monitoring tools capable of identifying anomalies in the data flow. Spikes of unexplained uploads during the early hours of the morning, or constant connections to IP addresses in suspicious regions, are strong indicators that the local infrastructure has been compromised.
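The two indicators named here can be checked mechanically against a flow export from the router or an upstream sensor. The block below is an added example, not code from the article: it parses constructed flow records (timestamp, source, destination, bytes uploaded), flags early-hours uploads that dwarf the daytime baseline, and counts contacts with a watch list. The watch-list addresses and the flow records are constructed from documentation ranges and are not indicators from the campaign; the record layout is an assumption of the example.

```python
"""Flag early-hours upload spikes and repeated contact with watch-listed hosts.

Added example, not from the article.  Flow records, their layout and the
watch list are constructed for this illustration (RFC 5737 addresses).
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed flow export: "<iso-timestamp> <src> <dst> <bytes_out>" per line.
# Three large uploads between 02:00 and 03:00, then ordinary daytime browsing.
SAMPLE_FLOWS = """\
2024-05-01T02:10:00 192.168.1.1 203.0.113.5 52428800
2024-05-01T02:15:00 192.168.1.1 203.0.113.5 61865984
2024-05-01T02:20:00 192.168.1.1 198.51.100.7 48234496
2024-05-01T09:00:00 192.168.1.1 192.0.2.10 120000
2024-05-01T13:30:00 192.168.1.1 192.0.2.10 98000
2024-05-01T20:45:00 192.168.1.1 192.0.2.10 150000
"""

# Constructed watch list, standing in for addresses supplied by an ISP
# notice or threat-intelligence feed.
SAMPLE_WATCHLIST = {"203.0.113.5", "198.51.100.7"}


def parse_flows(text):
    """Parse flow lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        records.append({
            "time": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "bytes_out": int(nbytes),
        })
    return records


def _in_window(record, start_hour, end_hour):
    return start_hour <= record["time"].hour < end_hour


def night_upload_spikes(records, start_hour=0, end_hour=5, factor=10.0):
    """Return records inside the night window whose upload volume exceeds
    `factor` times the mean per-record upload seen outside that window.
    With no daytime baseline, every night record is reported."""
    night = [r for r in records if _in_window(r, start_hour, end_hour)]
    day = [r for r in records if not _in_window(r, start_hour, end_hour)]
    if not day:
        return night
    baseline = sum(r["bytes_out"] for r in day) / len(day)
    return [r for r in night if r["bytes_out"] > factor * baseline]


def watchlist_contacts(records, watchlist):
    """Return {destination: connection count} for watch-listed destinations."""
    listed = {ipaddress.ip_address(a) for a in watchlist}
    counts = defaultdict(int)
    for r in records:
        if r["dst"] in listed:
            counts[str(r["dst"])] += 1
    return dict(counts)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for r in night_upload_spikes(flows):
        print(f"night upload spike: {r['time']} -> {r['dst']} ({r['bytes_out']} bytes)")
    for dst, n in sorted(watchlist_contacts(flows, SAMPLE_WATCHLIST).items()):
        print(f"watch-listed destination {dst}: {n} connection(s)")
```

The baseline is deliberately computed from the same export rather than a fixed byte threshold, so the check adapts to households and offices with very different normal traffic; what it cannot do is see traffic the router itself hides, which is why the article's advice to capture flows upstream of a suspect device matters.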
Telecommunications companies and internet providers play a central role in identifying these large-scale threats. Collaboration between ISPs and hardware manufacturers speeds blocking malicious servers and notifying affected customers before attacks cause greater damage.
Security guidance for administrators
Cybersecurity professionals reinforce that preventive maintenance is the only effective barrier against highly persistent malware. Adopting strict access control policies, segmenting corporate networks, implementing intrusion detection systems and periodically auditing router configurations drastically minimize the attack surface available for automated threats on the internet.