
Asus-router infections form resilient KadNap proxy network
Context and discovery
Security researchers at Black Lotus Labs identified a large, persistent network of compromised home and small-office routers being repurposed as anonymous transit nodes for criminal traffic. The tally averaged 14,000 infected devices daily, up from roughly ten thousand when the cluster was first observed last August. The affected population is concentrated in the United States, with smaller presences in Taiwan, Hong Kong, and Russia, which complicates response options across jurisdictions. Black Lotus researchers including Chris Formosa reported the findings and emphasized that the operation was designed to frustrate defenders.
Architecture and evasive design
Operators built the infrastructure around a distributed hash table control plane inspired by Kademlia, which replaces static command servers with a resilient lookup fabric, reducing central points of failure. This peer-to-peer arrangement allows nodes to discover peers and routing information via hashed identifiers, which masks true endpoints and raises the bar for traditional takedowns. The campaign favors devices from Asus, consistent with weaponization of long-standing, unpatched flaws rather than covert zero-day exploits, according to the investigators. That combination—consumer routers plus DHT control—gives the network operational stealth and high availability under targeted disruption.
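To make the lookup mechanism concrete, the following is an added, simplified simulation (not code from Black Lotus Labs or the operators of the botnet) of a Kademlia-style iterative node lookup over XOR distance: it builds a constructed network of 150 hashed node identifiers with random per-bucket contacts, takes down 30% of them, and checks that a lookup from a surviving node still reaches the live node closest to a rendezvous key. The bucket size K = 8, the node labels, and the rendezvous key are assumed values chosen for the demonstration.

```python
import hashlib
import random

K = 8  # assumed k-bucket size and number of contacts returned per FIND_NODE

def node_id(label: str) -> int:
    # Kademlia-style 160-bit identifier: the SHA-1 hash of a label
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big")

def bucket_index(a: int, b: int) -> int:
    # Highest differing bit of the XOR distance, i.e. which k-bucket b occupies from a's view
    return (a ^ b).bit_length() - 1

def build_network(n: int, seed: int = 1) -> dict:
    # Constructed routing tables: every node keeps up to K random contacts per k-bucket
    rng = random.Random(seed)
    ids = [node_id(f"constructed-node-{i}") for i in range(n)]
    contacts = {}
    for nid in ids:
        buckets = {}
        for other in ids:
            if other != nid:
                buckets.setdefault(bucket_index(nid, other), []).append(other)
        contacts[nid] = {c for m in buckets.values() for c in rng.sample(m, min(K, len(m)))}
    return contacts

def find_node(contacts: dict, alive: set, node: int, target: int) -> list:
    # A node answers FIND_NODE with its K responsive contacts closest (by XOR) to target
    return sorted((c for c in contacts[node] if c in alive), key=lambda c: c ^ target)[:K]

def iterative_lookup(contacts: dict, alive: set, start: int, target: int) -> list:
    # Iterative FIND_NODE: stop once the K closest known live nodes have all been queried
    shortlist, queried = {start}, set()
    while True:
        closest = sorted(shortlist & alive, key=lambda c: c ^ target)[:K]
        pending = [c for c in closest if c not in queried]
        if not pending:
            return closest
        for c in pending:
            queried.add(c)
            shortlist.update(find_node(contacts, alive, c, target))

def resilience_demo(n: int = 150, fraction: float = 0.3, seed: int = 2) -> dict:
    # Seize a random fraction of nodes, then check that a survivor can still find the closest live node
    contacts = build_network(n)
    alive = set(contacts)
    target, start = node_id("constructed-rendezvous-key"), node_id("constructed-node-0")
    before_ok = iterative_lookup(contacts, alive, start, target)[0] == min(alive, key=lambda x: x ^ target)
    victims = random.Random(seed).sample([x for x in alive if x != start], round(n * fraction))
    alive -= set(victims)  # seized nodes stop answering; 'start' is the defender's vantage point
    after_ok = iterative_lookup(contacts, alive, start, target)[0] == min(alive, key=lambda x: x ^ target)
    return {"removed": len(victims), "lookup_ok_before": before_ok, "lookup_ok_after": after_ok}
```

The same property is what makes seizing any single host ineffective: every surviving node still knows enough of the identifier space to route a query, so the lookup converges without any fixed server.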
Operational impact and remediation
For defenders, this topology means seizure of a single host or IP block will no longer neutralize the proxy fabric, so remediation shifts toward mass patch campaigns, vendor-led firmware updates, and ISP-level interception. The immediate consequence is broader abuse of residential infrastructure for anonymizing criminal services, raising noise for threat intelligence and increasing costs for mitigation tools. Remediation efficacy will hinge on coordinated disclosure, vendor patch rollouts, and ISPs applying network-based controls rather than isolated device cleanups. Expect elevated demand for managed router monitoring, faster firmware signing, and regulatory scrutiny over consumer gateway security standards.