On March 10, 2026, Black Lotus Labs, part of Lumen Technologies, revealed a new botnet named KadNap. Since August 2025, it has averaged roughly 14,000 infected routers per day. Researchers Chris Formosa and Steve Rudd identified the campaign as targeting primarily ASUS routers — the same brand sitting behind countless medical office front desks and exam rooms. About 60% of infected devices are in the United States, roughly 8,400 machines per day.
This is not a theoretical threat. These routers are actively being used as criminal infrastructure right now.
What KadNap Does
KadNap infects a router by delivering a malicious shell script called aic.sh from an attacker-controlled server. The script drops a binary named kad into /jffs/.asusrouter, a hidden directory on the /jffs/ partition, a writable section of flash storage on ASUS devices that persists across reboots. It then creates a cron job that fires every hour at :55, keeping the infection alive and checking in with command-and-control (C2) infrastructure.
Peer-to-Peer C2 Architecture
The C2 design is deliberately resilient. KadNap uses a custom protocol built on a Kademlia distributed hash table (DHT), the same peer-to-peer design BitTorrent uses for trackerless peer discovery, with AES-encrypted communications. There is no central server to take down. Lumen has blocked all known KadNap C2 traffic on its backbone since August 2025, but devices outside Lumen's network remain exposed.
Why Rebooting Does Not Work
One detail worth flagging for any practice thinking "I'll just reboot the router": that does not work. Because the infection lives in /jffs/ flash storage, a factory reset is the only reliable remediation. A simple reboot leaves the malware fully intact.
SSH Lockout and Reduced Visibility
The infection closes port 22 (SSH) on the compromised device. This lockout keeps the router's owner from inspecting or administering the device remotely; it locks you out of your own equipment. If your organization has experienced a ransomware-style intrusion before, the same principle applies here: one of an attacker's first moves is to limit your visibility.
Why Your Practice Should Care
Residential Proxy Abuse via Doppelganger
KadNap-infected routers are funneled into a criminal residential proxy service called Doppelganger — believed to be a rebrand of the defunct “Faceless” service. Residential proxies are valuable to attackers precisely because traffic appears to originate from a legitimate home or business IP address, not a known data center. That clean reputation bypasses geo-fencing and IP-reputation blacklists that many healthcare portals and EHR login pages rely on as a first line of defense.
Credential Stuffing and Account Takeover Risk
The documented uses of this infrastructure include credential stuffing attacks, brute-force login attempts, account takeovers, and DDoS traffic routing. Credential stuffing is the automated replay of usernames and passwords stolen from prior breaches, testing them against your patient portal, your EHR, and your billing system. HIPAA's new MFA requirement is aimed squarely at this attack pattern.
Internal Network Exposure
If your practice’s router is compromised, the immediate and confirmed risk is that your office’s IP address becomes a weapon used against other organizations. But the risk does not stop there. A compromised router is at the edge of your internal network. Any device on that network — including workstations, tablets, and the EHR server — can be accessed by an attacker with continuous access to the router. That is a risk, not a confirmed outcome of KadNap specifically, but it is the reason network perimeter security is treated as a foundational control under the HIPAA Security Rule.
HIPAA Security Rule and HHS Cybersecurity Performance Goals
Under the HIPAA Security Rule (45 CFR Part 164, Subpart C), covered entities and business associates are required to implement technical safeguards protecting electronic protected health information (ePHI). The rule is technology-neutral, but a network perimeter device that carries ePHI traffic is squarely within its scope. The HHS Cybersecurity Performance Goals (CPGs), voluntary but used by OCR as a benchmark, call out mitigating known vulnerabilities, maintaining unique credentials, asset inventory, and network segmentation. Failing to maintain current firmware on a patient-facing network device is exactly the kind of gap that surfaces in a HIPAA security risk assessment and that OCR investigators look for after a breach. A proper risk assessment documents your controls and your remediation timelines; if you do not have a current one, this incident is a reason to prioritize it.
CISA Binding Operational Directive 26-02
On the federal side, CISA Binding Operational Directive 26-02 (issued February 5, 2026) requires federal agencies to inventory edge devices, remove end-of-life hardware, and keep firmware updated. CISA strongly encourages all non-federal organizations, including healthcare practices, to follow these controls. While the directive imposes no legal obligation on private practices, it indicates what regulators see as essential hygiene in 2026.
How to Check and What to Do Now
No zero-days have been confirmed in KadNap’s infection chain. Researcher Chris Formosa told Ars Technica that the campaign exploits known vulnerabilities — meaning devices running current firmware are not the primary target. That makes the remediation steps straightforward, if not fast.
Seven-Step Remediation Checklist
Step 1: Identify your router make and model. If your office runs an ASUS router, treat this as urgent. Check your router's admin interface (typically reachable at 192.168.1.1 or 192.168.0.1; ASUS devices also answer at router.asus.com) to determine the current firmware version.
Step 2: Check for signs of compromise. If SSH was previously enabled on your router and you can no longer connect to it (port 22 is blocked), or you see an unusual cron job or an unfamiliar binary in /jffs/, treat the device as compromised. Note that SSH is off by default on many ASUS routers, so a closed port 22 on a device where SSH was never turned on is not evidence on its own.
Step 3: Perform a factory reset, not just a reboot. Black Lotus Labs states that a factory reset is necessary to remove KadNap. A reboot does not erase /jffs/ flash storage. Perform a full factory reset per your router's documentation. This will wipe all custom configurations, so document your current settings (SSID, port forwards, VLAN configuration) before resetting. After the reset, confirm that the /jffs/.asusrouter directory is gone before you move on; if it is still present, the reset did not clear the partition.
Step 4: Update firmware immediately after the reset. Do not reconnect the device's WAN port to the internet before applying all available firmware updates: download the firmware file on a separate machine from asus.com/support and upload it through the router's admin interface. If your device is end-of-life and no longer receiving updates, the manufacturer cannot patch new vulnerabilities; replace it.
Step 5: Set a strong, unique admin password. Default router credentials are trivially known. Set a password that is not reused anywhere else in your organization. This applies to the router admin interface, not just your Wi-Fi password. The HIPAA Security Rule treats access controls as a foundational technical safeguard, and the router admin password is an access control.
Step 6: Disable remote management unless required. Remote management (access to the router admin interface from outside your network) widens the attack surface. Unless you have a specific operational need, disable it.
Step 7: Review your asset inventory. Do you know every network device in your office — routers, switches, access points, IoT devices? If not, a HIPAA security risk assessment is the structured process for building that inventory and evaluating each device’s risk posture. SOHO router vulnerabilities like the ones KadNap exploits are consistently flagged as high-risk findings when practices do not have an inventory process.
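The following triage script is an added example, not a tool from Black Lotus Labs, ASUS, or the original post. It turns the indicators described above (the hidden /jffs/.asusrouter directory with the kad binary, and the hourly cron job at minute 55) into checks you can run in the router's own shell over SSH, and it lists every executable on the /jffs/ partition so you can spot anything you did not put there. It assumes the Asuswrt `cru l` command lists cron entries and falls back to the crontab files under /var/spool/cron/crontabs if that command is missing; the `JFFS_ROOT` variable and the `--run` flag are this example's own conventions. If SSH is already closed you cannot run it, and the article treats that lockout itself as an indicator. The script only detects; it does not clean, so a hit still means Step 3 and Step 4.

```shell
#!/bin/sh
# Added example (not from Black Lotus Labs or ASUS): KadNap triage checks for
# an ASUS router shell. Detection only; remediation is a factory reset.
#
# Indicators taken from the Black Lotus Labs description quoted in the article:
#   - persistence directory /jffs/.asusrouter holding a binary named kad
#   - cron job firing every hour at minute 55
# Assumption: 'cru l' (Asuswrt cron utility) lists cron jobs; otherwise we read
# the crontab files directly. JFFS_ROOT is overridable so the checks can be
# exercised against a scratch directory.

JFFS_ROOT="${JFFS_ROOT:-/jffs}"

# ERE matching either "55 * * * *" (minute 55, every hour) at the start of a
# cron line or any command path inside the .asusrouter directory.
KADNAP_CRON_RE='^[[:space:]]*55[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*|/jffs/\.asusrouter'

# Returns 0 when the persistence directory exists under the given flash root.
kadnap_fs_indicator() {
    [ -e "$1/.asusrouter" ]
}

# Reads cron lines on stdin; returns 0 when any line matches the persistence
# pattern, 1 otherwise (including empty input).
kadnap_cron_indicator() {
    grep -E -q "$KADNAP_CRON_RE"
}

# Prints regular files with the owner-execute bit set under the flash root,
# so a human can review anything that is not a known add-on.
list_jffs_executables() {
    find "$1" -type f -perm -100 2>/dev/null
}

# Gathers cron entries from the firmware's cron utility or the raw spool files.
collect_cron_lines() {
    if command -v cru >/dev/null 2>&1; then
        cru l
    else
        cat /var/spool/cron/crontabs/* 2>/dev/null
    fi
}

# Runs every check against the live device. Exit status 2 = indicators found,
# 0 = none found (which is not proof the device is clean).
kadnap_triage() {
    hits=0
    if kadnap_fs_indicator "$JFFS_ROOT"; then
        echo "[!] $JFFS_ROOT/.asusrouter exists (KadNap persistence path)"
        hits=$((hits + 1))
    fi
    if collect_cron_lines | kadnap_cron_indicator; then
        echo "[!] cron entry matching the KadNap pattern (minute 55 hourly or .asusrouter path):"
        collect_cron_lines | grep -E "$KADNAP_CRON_RE"
        hits=$((hits + 1))
    fi
    echo "[i] executables under $JFFS_ROOT (review anything you did not install):"
    list_jffs_executables "$JFFS_ROOT"
    if [ "$hits" -gt 0 ]; then
        echo "[!] $hits indicator(s) found: record settings, factory reset, re-flash firmware offline"
        return 2
    fi
    echo "[+] no KadNap indicators found"
    return 0
}

# Only touch the live system when explicitly asked: sh kadnap_check.sh --run
case "${1:-}" in
    --run) kadnap_triage; exit $? ;;
esac
```

Copy the script to the router (for example with scp, while SSH still works) and run `sh kadnap_check.sh --run`; a non-zero exit code is your cue to stop troubleshooting and go straight to the reset. Because each check is a small function that reads its input rather than hard-coding /jffs, the same script can be pointed at a scratch directory to confirm it behaves before you rely on it in a hurry.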
Network Segmentation as a Containment Control
If your patient devices (kiosks, iPads, waiting room Wi-Fi) are on the same network as your EHR workstations, a compromised router can reach everything. Separating clinical systems onto a dedicated VLAN with firewall rules between segments limits the blast radius of any perimeter compromise. This is a HIPAA breach prevention control that does not require enterprise-grade equipment — most business-class routers support VLANs natively.
Defense in Depth: Why No Single Control Is Enough
HIPAA breach prevention is not one control — it is a stack of overlapping safeguards. Network perimeter security, HIPAA encryption requirements, MFA on every login portal, and a documented risk assessment are the layers that collectively keep a botnet infection from becoming a reportable breach.
One Guy Consulting offers affordable HIPAA compliance packages for practices of all sizes.
Key stat: Botnets like KadNap give attackers the infrastructure to go after healthcare organizations, whose medical records sell for 10 to 40 times more than credit card numbers on dark web markets. A single compromised healthcare endpoint can provide access to thousands of patient records, making healthcare the most targeted industry for cyberattacks.