ANAVEM
EnglishFrancais
ANAVEM
Languagefr
How to Secure ASUS Routers Against KadNap Botnet Attacks

How to Secure ASUS Routers Against KadNap Botnet Attacks

Harden your ASUS router against KadNap malware with firmware updates, service hardening, secure admin access, network segmentation, and traffic monitoring to prevent proxy hijacking.

Evan MaelEvan Mael
March 27, 2026 15 min
mediumrouter-security 8 steps 15 min

Why is KadNap Botnet Targeting ASUS Routers?

The KadNap botnet, discovered in August 2025, has infected over 14,000 routers worldwide, with nearly half being ASUS devices. This sophisticated malware transforms compromised routers into proxy nodes for a cybercrime network called Doppelgänger, enabling attackers to route malicious traffic, conduct DDoS attacks, and perform credential stuffing operations while hiding behind residential IP addresses.

What makes KadNap particularly dangerous is its persistence and stealth capabilities. The malware uses a custom Kademlia DHT protocol for decentralized peer-to-peer command and control communication, making it blend seamlessly with legitimate BitTorrent and other P2P traffic. Unlike traditional botnets, KadNap survives router reboots and even firmware updates by attaching itself to configuration files and establishing persistent cron jobs.

How Does KadNap Exploit ASUS Router Vulnerabilities?

KadNap primarily exploits known vulnerabilities in ASUS router services like AiCloud, SSH, and Telnet access. The malware gains initial access through weak default credentials, unpatched firmware, or exposed management interfaces. Once inside, it installs itself in the router's temporary filesystem and creates scheduled tasks that run every 55 minutes to maintain persistence and communicate with the botnet network.

The financial impact extends beyond individual users. Infected routers become part of a proxy-for-hire service, with cybercriminals paying to route their malicious traffic through residential IP addresses. This makes detection and blocking extremely difficult for security systems, as the traffic appears to originate from legitimate home networks. The botnet's decentralized nature means that even if some command and control servers are taken down, the network continues operating through its peer-to-peer architecture.

Implementation Guide

Full Procedure

01

Update Router Firmware to Latest Version

Start by updating your router firmware, as this is your primary defense against KadNap and other malware. The botnet exploits known vulnerabilities that firmware updates often patch.

Log into your router's web interface by navigating to http://192.168.1.1 or http://router.asus.com in your browser. Use your admin credentials (default is often admin/admin, but change this immediately if still using defaults).

Navigate to Administration > Firmware Upgrade. Click Check to see if updates are available. If no automatic update is found, manually download the latest firmware:

# Visit https://www.asus.com/support/
# Search for your exact router model (e.g., RT-AX88U)
# Download the latest firmware file (.trx or .bin)

Upload the firmware file through the web interface and click Upload. The router will automatically reboot after installation.

Warning: Never interrupt the firmware update process. A power loss during update can brick your router.

Verification: After reboot, check Administration > System to confirm the new firmware version is installed. The version should be from 2025 or later to include recent security patches.

02

Disable Vulnerable Remote Access Services

KadNap often exploits remote access services like SSH, Telnet, and AiCloud. Disable these unless absolutely necessary for your network operations.

In the router web interface, navigate to Administration > System > Local Access Config:

SSH: Disabled
Telnet: Disabled
Enable Web Access from WAN: No

Next, go to WAN > Virtual Server / Port Forwarding and remove or disable any rules for:

  • Port 22 (SSH)
  • Port 23 (Telnet)
  • Port 80/443 (HTTP/HTTPS) unless needed for specific services

Disable AiCloud services under Cloud Disk > AiCloud 2.0:

Enable Cloud Disk: Off
Smart Access: Off
Pro tip: If you need remote access, use a VPN connection instead of exposing router services directly to the internet.

Verification: Use an online port scanner like nmap from an external network to confirm ports 22, 23, and 80 are closed: nmap -p 22,23,80,443 [your-public-ip]

03

Secure Administrative Access and Credentials

Change default credentials and implement secure access controls to prevent unauthorized router access.

Navigate to Administration > System and update the following:

Router Login Name: [unique-username]
New Password: [complex-20+-character-password]
Re-type Password: [same-password]

Enable HTTPS-only access under Administration > System > Local Access Config:

Enable Web Access from WAN: No
HTTPS LAN Only: Yes
HTTP LAN Port: 80 (change to non-standard like 8080)
HTTPS LAN Port: 443 (change to non-standard like 8443)

Set up access restrictions by going to Administration > System > Login Config:

Login Timeout: 300 seconds
Max Login Attempts: 3
Lockout Duration: 600 seconds
Warning: Write down your new credentials and port numbers. If you forget them, you'll need to factory reset the router.

Verification: Log out and attempt to access the router using the new credentials and HTTPS URL (e.g., https://192.168.1.1:8443). Confirm HTTP access is blocked.

04

Configure Network Segmentation and Isolation

Implement network segmentation to limit the impact if any device becomes compromised. This prevents lateral movement within your network.

Create a separate guest network under Wireless > Guest Network:

Enable Guest Network (2.4GHz): Yes
Network Name (SSID): Guest-Network
Security Level: WPA2-Personal
Password: [strong-guest-password]
Access Intranet: No
Bandwidth Limiter: Enable (limit to 50% of total bandwidth)

For IoT device isolation, navigate to Adaptive QoS > Adaptive QoS > Game Mode and enable device prioritization:

Adaptive QoS: Enable
Game Mode: Enable
Bandwidth Monitor: Enable

Configure VLAN settings under LAN > VLAN if your router supports it:

VLAN ID 10: IoT Devices (192.168.10.0/24)
VLAN ID 20: Guest Network (192.168.20.0/24)
VLAN ID 30: Work Devices (192.168.30.0/24)
Pro tip: Place all IoT devices (smart TVs, cameras, thermostats) on the guest network or separate VLAN to isolate them from your main computers.

Verification: Connect a device to the guest network and confirm it cannot access devices on the main network by attempting to ping your main computer's IP address.

05

Enable Advanced Firewall Protection

Configure the router's firewall to block malicious traffic and prevent botnet communication. KadNap uses specific IP ranges and protocols that we can block.

Navigate to Firewall > General and enable all protection features:

Enable Firewall: Yes
Enable DoS Protection: Yes
Respond PING Request from WAN: No
Enable IPv6 Firewall: Yes

Block known KadNap command and control servers under Firewall > Network Services Filter:

Filter Mode: Black List
Blocked IP: 212.104.141.140
Blocked IP: 185.220.101.0/24
Blocked IP: 198.98.51.0/24

Configure URL filtering under Firewall > URL Filter:

Enable URL Filter: Yes
URL Filter Mode: Black List
Blocked Keywords: .onion, proxy, socks, kad, doppelganger

Set up intrusion detection under AiProtection > Network Protection:

Malicious Sites Blocking: Enable
Vulnerability Protection: Enable
Infected Device Prevention and Blocking: Enable
Two-Way IPS: Enable
Warning: Overly aggressive filtering can block legitimate traffic. Monitor your network for false positives after enabling these features.

Verification: Check the firewall logs under System Log > Firewall Log to confirm blocked connections are being logged.

06

Monitor for KadNap Infection Indicators

Set up monitoring to detect KadNap infection signs, including suspicious cron jobs, proxy traffic, and malicious files.

Enable detailed logging under Administration > System > Log:

Log Level: Notice
Enable Syslog: Yes
Syslog Server: [your-log-server-ip] (optional)
Log Locally: Yes

If SSH is temporarily needed for investigation, enable it securely under Administration > System, then connect and check for infection indicators:

# Check for suspicious processes
ps aux | grep -E 'kad|aic|proxy'

# Look for malicious cron jobs (KadNap runs every 55 minutes)
crontab -l

# Check for suspicious files
ls -la /tmp | grep -E 'kad|aic|asusrouter'
ls -la /var | grep -E 'kad|aic|asusrouter'

# Check network connections
netstat -tulpn | grep -E ':1080|:8080|:3128'

# Look for suspicious scripts
find / -name "*.sh" -exec grep -l "kad\|aic\|proxy" {} \;

Monitor traffic patterns under Adaptive QoS > Traffic Analyzer:

  • Look for unusual outbound UDP traffic
  • Check for connections to suspicious IP ranges
  • Monitor for proxy-like traffic patterns (high connection counts)
Pro tip: Set up automated alerts by configuring email notifications under Administration > System > Email to receive alerts when suspicious activity is detected.

Verification: Run the commands above and confirm no KadNap-related processes, files, or cron jobs are present. Clean systems should return no results for these searches.

07

Implement Regular Security Maintenance

Establish a routine maintenance schedule to keep your router secure against evolving threats like KadNap.

Set up automatic firmware updates under Administration > Firmware Upgrade:

Auto Upgrade: Enable
Upgrade Time: 03:00 (during low-usage hours)
Upgrade Frequency: Weekly Check

Configure automatic reboots under Administration > System > Reboot Schedule:

Enable Reboot Schedule: Yes
Reboot Time: 02:00
Reboot Frequency: Weekly (Sunday)

Create a security checklist to perform monthly:

# Monthly security audit commands
# 1. Check firmware version
cat /proc/version

# 2. Review active connections
netstat -tulpn | head -20

# 3. Check system logs for anomalies
tail -100 /var/log/messages | grep -i error

# 4. Verify firewall rules
iptables -L -n

# 5. Check for unauthorized users
who
last | head -10

Document your router configuration by backing up settings under Administration > Restore/Save/Upload Setting:

Save Setting: Download current settings
Filename: router-config-backup-[date].cfg
Warning: If your router was infected with KadNap, never restore old configuration backups as they may contain the malware. Always start with factory defaults after cleaning an infection.

Verification: Confirm automatic updates are working by checking the system log for update attempts. Verify reboot schedule by noting the router's uptime before and after scheduled reboots.

08

Perform Factory Reset if Infection is Detected

If you discover KadNap infection indicators, perform a complete factory reset and rebuild your configuration from scratch. This is the only reliable way to eliminate the malware.

Before resetting, document your current network settings:

# Document current configuration
# Note down: SSID names, port forwards, DHCP reservations, etc.
# Take screenshots of important configuration pages

Perform the factory reset through the web interface under Administration > Restore/Save/Upload Setting:

Initialize all the settings: Factory Default
Confirm: Yes

Alternatively, use the physical reset button:

1. Power on the router
2. Hold the reset button for 10-15 seconds while powered on
3. Release and wait for router to fully reboot (2-3 minutes)

After factory reset, immediately secure the router:

  1. Change default admin credentials
  2. Update firmware to latest version
  3. Disable unnecessary services
  4. Reconfigure network settings from scratch (don't restore backups)
Warning: KadNap can persist in configuration backups. Never restore settings from before the infection was discovered. Rebuild your configuration manually.

Verification: After reset and reconfiguration, run the infection detection commands from Step 6 to confirm the system is clean. All previous indicators should be absent.

Frequently Asked Questions

How do I know if my ASUS router is infected with KadNap malware?+
Check for suspicious cron jobs running every 55 minutes, look for files named 'aic.sh', '.asusrouter', or 'kad' in /tmp directory, monitor for unusual outbound proxy traffic on ports 1080, 8080, or 3128, and watch for unexpected SSH or remote admin access attempts. You can verify by SSH'ing into your router and running 'ps aux | grep kad' and 'crontab -l' to check for malicious processes and scheduled tasks.
Can KadNap survive firmware updates and router reboots on ASUS devices?+
Yes, KadNap is designed to persist through reboots and firmware updates by attaching itself to router configuration files and creating persistent cron jobs. The malware reinstalls itself automatically after system restarts. This is why a complete factory reset followed by manual reconfiguration is necessary to fully remove the infection, rather than simply updating firmware or rebooting the device.
Which ASUS router models are most vulnerable to KadNap attacks?+
While ASUS hasn't released a specific list of vulnerable models, KadNap primarily targets SOHO (Small Office/Home Office) ASUS routers, particularly those with exposed AiCloud services, SSH/Telnet access, or running older firmware. Models that were previously vulnerable to TheMoon malware are at higher risk. Any ASUS router with default credentials, outdated firmware, or exposed management interfaces can be compromised.
What should I do if I discover my ASUS router is part of the KadNap botnet?+
Immediately perform a factory reset through the web interface or physical reset button, then manually reconfigure all settings from scratch without restoring any previous backups. Update to the latest firmware, change all default credentials, disable unnecessary services like SSH/Telnet/AiCloud, and implement the security hardening steps outlined in this guide. Never restore configuration backups from before the infection as they may contain the malware.
How can I prevent future KadNap infections on my ASUS router?+
Keep firmware updated to the latest version, change default admin credentials to strong unique passwords, disable unnecessary services like SSH/Telnet/AiCloud, enable HTTPS-only access, implement network segmentation with guest networks for IoT devices, configure firewall rules to block known malicious IP ranges, and establish regular security monitoring with automated reboots. Set up email alerts for suspicious activity and perform monthly security audits to check for infection indicators.
Evan Mael
Written by

Evan Mael

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#router-security#botnet-protection#asus-hardening

Further Intelligence

Deepen your knowledge with related resources

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It
tutorial
Windows

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It

Deep Dive
How to Fix Intune Policies Causing Unexpected Reboots During Windows Autopilot OOBE
tutorial
Cloud Computing

How to Fix Intune Policies Causing Unexpected Reboots During Windows Autopilot OOBE

Deep Dive
How to Enable and Configure BitLocker Using Microsoft Intune
tutorial
Cybersecurity

How to Enable and Configure BitLocker Using Microsoft Intune

Deep Dive

Discussion

Share your thoughts and insights

Sign in to join the discussion

Sign inCreate account