KadNap Botnet

Practical guidance for healthcare teams and business associates

On March 10, 2026, Black Lotus Labs, part of Lumen Technologies, revealed a new botnet named KadNap. Since August 2025 it has been infecting roughly 14,000 routers per day. Researchers Chris Formosa and Steve Rudd identified the campaign as targeting primarily ASUS routers — the same brand sitting behind countless medical office front desks and exam rooms. About 60% of infected devices, roughly 8,400 machines per day, are in the United States.

This is not a theoretical threat. These routers are actively being used as criminal infrastructure right now.

What KadNap Does

KadNap infects a router by delivering a malicious shell script called aic.sh from an attacker-controlled server. The script drops a binary named kad into /jffs/.asusrouter — a section of flash storage on ASUS devices that persists across reboots. It then creates a cron job that runs at minute 55 of every hour, keeping the infection alive and checking in with command-and-control (C2) infrastructure.

Peer-to-Peer C2 Architecture

The C2 design is deliberately resilient. KadNap uses a custom Kademlia DHT protocol — the same peer-to-peer lookup design that BitTorrent's DHT is built on — with AES-encrypted communications. There is no central server to take down. Lumen has blocked all known KadNap C2 traffic on its backbone since August 2025, but devices outside Lumen's network remain exposed.

Why Rebooting Does Not Work

One detail worth flagging for any practice thinking “I’ll just reboot the router”: that does not work. Because the infection lives in /jffs/ flash storage, a factory reset is the only reliable remediation. A simple reboot leaves the malware fully intact.

SSH Lockout and Reduced Visibility

The infection closes port 22 (SSH) on the compromised device. This lockout keeps the owner from reaching the router remotely to inspect it: you are locked out of your own equipment. If your organization has experienced a ransomware-style intrusion before, the same principle applies here: the attacker's first move is to limit your visibility.

Why Your Practice Should Care

Residential Proxy Abuse via Doppelganger

KadNap-infected routers are funneled into a criminal residential proxy service called Doppelganger — believed to be a rebrand of the defunct “Faceless” service. Residential proxies are valuable to attackers precisely because traffic appears to originate from a legitimate home or business IP address, not a known data center. That clean reputation bypasses geo-fencing and IP-reputation blacklists that many healthcare portals and EHR login pages rely on as a first line of defense.

Credential Stuffing and Account Takeover Risk

The documented uses of this infrastructure include credential stuffing attacks, brute-force login attempts, account takeovers, and DDoS traffic routing. Credential stuffing is the automated replay of usernames and passwords stolen from prior breaches — testing them against your patient portal, your EHR, your billing system. HIPAA's new MFA requirement exists largely because of this attack pattern.

Internal Network Exposure

If your practice’s router is compromised, the immediate and confirmed risk is that your office’s IP address becomes a weapon used against other organizations. But the risk does not stop there. A compromised router is at the edge of your internal network. Any device on that network — including workstations, tablets, and the EHR server — can be accessed by an attacker with continuous access to the router. That is a risk, not a confirmed outcome of KadNap specifically, but it is the reason network perimeter security is treated as a foundational control under the HIPAA Security Rule.

HIPAA Security Rule and HHS Cybersecurity Performance Goals

Under the HIPAA Security Rule (45 CFR Part 164, Subpart C), covered entities and business associates are required to implement technical safeguards protecting electronic protected health information (ePHI). Network perimeter devices are explicitly within scope. The HHS Cybersecurity Performance Goals (CPGs) — voluntary but used by OCR as a benchmark — call out mitigating known vulnerabilities, maintaining unique credentials, asset inventory, and network segmentation. Failing to maintain current firmware on a patient-facing network device is exactly the kind of gap that surfaces in a HIPAA security risk assessment and that OCR investigators look for after a breach. A proper risk assessment documents your controls and your remediation timelines — if you do not have one current, this incident is a reason to prioritize it.

CISA Binding Operational Directive 26-02

On the federal side, CISA Binding Operational Directive 26-02 (issued February 5, 2026) requires federal agencies to inventory edge devices, remove end-of-life hardware, and keep firmware updated. CISA strongly encourages all non-federal organizations, including healthcare practices, to follow these controls. While the directive does not impose legal obligations, it indicates what regulators see as essential hygiene in 2026.

How to Check and What to Do Now

No zero-days have been confirmed in KadNap’s infection chain. Researcher Chris Formosa told Ars Technica that the campaign exploits known vulnerabilities — meaning devices running current firmware are not the primary target. That makes the remediation steps straightforward, if not fast.

Seven-Step Remediation Checklist

Step 1: Identify your router make and model. If your office runs an ASUS router, treat this as urgent. Check your router’s admin interface (typically accessible at 192.168.1.1 or 192.168.0.1) to determine the current firmware version.

Step 2: Check for signs of compromise. If you can no longer SSH into your router (port 22 does not accept connections), or you see an unfamiliar cron job or an unfamiliar binary in /jffs/, treat the device as compromised.

Step 3: Perform a factory reset, not just a reboot. Black Lotus Labs states that a factory reset is necessary to remove KadNap. A reboot does not erase /jffs/ flash storage. Perform a full factory reset per your router’s documentation. This will wipe all custom configurations, so document your current settings (SSID, port forwards, VLAN configuration) before resetting.

Step 4: Update firmware immediately after the reset. Do not reconnect the device to the internet before applying all available firmware updates. ASUS publishes firmware updates at asus.com/support. If your device is end-of-life and no longer receiving updates, the manufacturer cannot patch new vulnerabilities — replace it.

Step 5: Set a strong, unique admin password. Default router credentials are trivially known. Set a password that is not reused anywhere else in your organization. This applies to the router admin interface, not just your Wi-Fi password. HIPAA’s encryption requirements and the HIPAA security safeguards framework both point to access controls as foundational — and the router admin password is an access control.

Step 6: Disable remote management unless required. Remote management (access to the router admin interface from outside your network) widens the attack surface. Unless you have a specific operational need, disable it.

Step 7: Review your asset inventory. Do you know every network device in your office — routers, switches, access points, IoT devices? If not, a HIPAA security risk assessment is the structured process for building that inventory and evaluating each device’s risk posture. SOHO router vulnerabilities like the ones KadNap exploits are consistently flagged as high-risk findings when practices do not have an inventory process.
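The indicators described under "What KadNap Does" and in Step 2 can be checked in one pass. The script below is an added example, not code from Black Lotus Labs, ASUS, or this article's author. The indicators it looks for (a kad binary under /jffs/.asusrouter, a cron entry at minute 55 of every hour, nothing listening on port 22) come from the text above; how it gathers live data on the router (cru l or crontab -l, netstat -ln, nvram get buildno) is an assumption about a BusyBox-based ASUS shell. The checks themselves read plain text, so they can be exercised with constructed input before being run on a real device.

```shell
#!/bin/sh
# Added KadNap indicator check (example only; not code from Black Lotus Labs,
# ASUS or the article). Indicators from the write-up: a "kad" binary under
# /jffs/.asusrouter, a cron entry at minute 55 of every hour, and SSH (port 22)
# no longer listening. Live data gathering (cru l / crontab -l, netstat -ln,
# nvram get buildno) is an assumption about a BusyBox-based ASUS shell.

KAD_DIR="${KAD_DIR:-/jffs/.asusrouter}"

# 0 if a file named "kad" exists under the directory given as $1.
check_kad_binary() {
    [ -f "$1/kad" ]
}

# Reads crontab text on stdin. 0 if any non-comment entry runs at minute 55
# of every hour ("55 * * * *"), the hourly persistence the report describes.
check_hourly_55_cron() {
    grep -Eq '^[[:space:]]*55([[:space:]]+\*){4}([[:space:]]|$)'
}

# Reads "netstat -ln" style output on stdin. 0 if a TCP socket is listening
# on port 22 (local address column ends in ":22"), 1 otherwise.
check_ssh_listening() {
    awk '$1 ~ /^tcp/ && $4 ~ /:22$/ && $NF == "LISTEN" { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Runs all three checks: $1 = directory to inspect, $2 = crontab text,
# $3 = netstat text. Prints one line per check and returns the number of
# indicators present (0 = nothing found). A router whose owner disabled SSH
# deliberately also shows the third indicator, so treat that one as
# supporting evidence rather than proof on its own.
assess() {
    dir="$1"; cron="$2"; sockets="$3"; hits=0
    if check_kad_binary "$dir"; then
        echo "INDICATOR: $dir/kad is present"; hits=$((hits + 1))
    else
        echo "ok: no kad binary under $dir"
    fi
    if printf '%s\n' "$cron" | check_hourly_55_cron; then
        echo "INDICATOR: cron entry at minute 55 of every hour"; hits=$((hits + 1))
    else
        echo "ok: no hourly :55 cron entry"
    fi
    if printf '%s\n' "$sockets" | check_ssh_listening; then
        echo "ok: SSH is listening on port 22"
    else
        echo "INDICATOR: nothing listening on port 22"; hits=$((hits + 1))
    fi
    return "$hits"
}

# Live mode on the router itself (assumed BusyBox tools): sh kadnap_check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    echo "firmware build: $(nvram get buildno 2>/dev/null || echo unknown)"  # assumed ASUS nvram tool
    cron_text=$(cru l 2>/dev/null || crontab -l 2>/dev/null)
    net_text=$(netstat -ln 2>/dev/null)
    assess "$KAD_DIR" "$cron_text" "$net_text"
    echo "indicators found: $?"
fi
```

Run it with --scan from an SSH session on the router while SSH still works; if the session itself cannot be opened, that is already the Step 2 signal and the device should go straight to the factory reset in Step 3. Record the firmware build it prints before the reset so you can confirm the post-reset update actually moved the version forward.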

Network Segmentation as a Containment Control

If your patient devices (kiosks, iPads, waiting room Wi-Fi) are on the same network as your EHR workstations, a compromised router can reach everything. Separating clinical systems onto a dedicated VLAN with firewall rules between segments limits the blast radius of any perimeter compromise. This is a HIPAA breach prevention control that does not require enterprise-grade equipment — most business-class routers support VLANs natively.
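The separation described above can be expressed as a small forwarding policy on the gateway between the two segments. The script below is an added example, not from this article's author or any router vendor. It assumes a Linux-based gateway running nftables with two bridge interfaces whose names are assumed (br-clinical for EHR workstations and the EHR server, br-patient for kiosks, tablets and waiting-room Wi-Fi) and wan0 as the upstream link; vendor router UIs express the same rules in their own forms.

```shell
#!/bin/sh
# Added segmentation example (not from the article's author or any router
# vendor). Assumes a Linux-based gateway with nftables and two bridge
# interfaces, names assumed: br-clinical (EHR workstations and server) and
# br-patient (kiosks, tablets, waiting-room Wi-Fi), with wan0 upstream.

CLINICAL="${CLINICAL:-br-clinical}"
PATIENT="${PATIENT:-br-patient}"
WAN="${WAN:-wan0}"

# Prints an nftables forward policy: default drop, both segments may reach
# the internet, clinical staff may initiate into the patient segment (to
# manage kiosks), and the patient segment can never initiate toward clinical
# systems. Blocked attempts are logged, which is the detection signal to
# watch after a perimeter compromise.
build_ruleset() {
    cat <<EOF
add table inet segmentation
flush table inet segmentation
table inet segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to connections permitted below
        ct state established,related accept
        ct state invalid drop

        # internet access for both segments
        iifname "$CLINICAL" oifname "$WAN" accept
        iifname "$PATIENT" oifname "$WAN" accept

        # clinical staff may initiate into the patient segment
        iifname "$CLINICAL" oifname "$PATIENT" accept

        # patient segment never initiates toward clinical systems
        iifname "$PATIENT" oifname "$CLINICAL" log prefix "patient->clinical blocked: " counter drop
    }
}
EOF
}

# 0 if the generated ruleset still contains the rule that matters most: the
# explicit, logged patient-to-clinical drop. Used as a guard before applying,
# so an edited template cannot silently open the clinical segment.
ruleset_isolates_patient_segment() {
    build_ruleset | grep -q "iifname \"$PATIENT\" oifname \"$CLINICAL\" log prefix .* drop"
}

# Apply on the gateway (root required; nft -f - reads the ruleset from stdin):
#   sh segment.sh --apply
if [ "${1:-}" = "--apply" ]; then
    ruleset_isolates_patient_segment || { echo "refusing: isolation rule missing" >&2; exit 1; }
    build_ruleset | nft -f -
fi
```

Because the chain's default policy is drop, anything not listed (patient kiosks reaching the EHR server, either segment reaching the router's own management interface from the wrong side) is refused without a dedicated rule, and the log prefix makes the refused attempts easy to pull out of syslog during a review.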

Defense in Depth: Why No Single Control Is Enough

HIPAA breach prevention is not one control — it is a stack of overlapping safeguards. Network perimeter security, HIPAA encryption requirements, MFA on every login portal, and a documented risk assessment are the layers that collectively keep a botnet infection from becoming a reportable breach.

One Guy Consulting offers affordable HIPAA compliance packages for practices of all sizes (One Guy Consulting HIPAA services).

Key stat: Botnets like KadNap target healthcare organizations because medical records sell for 10 to 40 times more than credit card numbers on dark web markets. A single compromised healthcare endpoint can provide access to thousands of patient records, making healthcare the most targeted industry for cyberattacks.
