
Hijacked Routers: The Global KadNap Malware Campaign Turning Home Devices Into Cybercrime Infrastructure


Security researchers have uncovered a disturbing development in the global cyber threat landscape. More than 14,000 internet-connected devices worldwide have been secretly hijacked by criminals, transforming everyday home and office routers into infrastructure for large-scale cyberattacks.

The malware behind this operation, known as KadNap, targets networking equipment, particularly ASUS routers, and turns them into covert traffic relays for cybercriminal operations. Most users remain completely unaware that their devices have been compromised.


This campaign highlights a growing reality in cybersecurity. Modern cyberattacks increasingly rely on compromised infrastructure rather than infected computers. A router sitting quietly in a home or small business can now become part of a global criminal network.

For policymakers, law enforcement agencies, and cybersecurity professionals, KadNap signals a shift in how cybercrime operates and how it must be countered.


Why Cybercriminals Are Targeting Routers

Routers have become an attractive target for attackers because they sit at the gateway to the internet.

Unlike personal computers, routers often:

  • Run continuously without being rebooted

  • Receive few security updates

  • Are rarely monitored for suspicious activity


These characteristics make them ideal for cybercriminal infrastructure.

Once compromised, routers can be used to:

  • Hide the real origin of cyberattacks

  • Route malicious traffic through multiple countries

  • Launch distributed denial-of-service attacks

  • Conduct credential-stuffing and brute-force attacks

In simple terms, criminals are turning everyday routers into digital smuggling routes for cybercrime traffic.


How the KadNap Malware Works

KadNap represents a new generation of sophisticated botnet malware.

Instead of relying on a single command server that investigators can shut down, the malware uses a peer-to-peer communication system similar to file-sharing networks.

This design makes the network far harder to dismantle.


The infection process typically follows four stages.

  1. Initial exploitation: Attackers identify routers with outdated firmware or weak administrative passwords.

  2. Malware installation: A malicious program designed for router hardware is installed on the device.

  3. Botnet enrollment: The infected router joins a decentralized network of other compromised devices.

  4. Proxy operations: The device begins routing cybercriminal traffic without the owner's knowledge.


This approach allows attackers to build a distributed criminal infrastructure that spans thousands of residential and commercial networks.


Why This Threat Is Difficult to Stop

KadNap poses a significant challenge for cybersecurity defenders because it exploits a blind spot in internet security.

Several factors make this threat particularly difficult to mitigate.

Decentralized control

  • The botnet does not rely on a central command server that can be seized by authorities.

Limited device visibility

  • Home routers and small-business network devices rarely include security monitoring.

Global distribution

  • Infected routers are spread across many countries, complicating legal and investigative responses.

Persistent infrastructure

  • Even if part of the network is removed, thousands of other devices remain active.

For intelligence agencies and law enforcement professionals, this means cybercrime infrastructure is increasingly embedded in ordinary civilian networks.


What Organizations and Governments Should Do

The KadNap campaign underscores the urgent need for stronger security practices around edge devices.

Key steps include:

For individuals and organizations

  • Update router firmware regularly

  • Change default administrative passwords

  • Disable remote management when not required

  • Replace outdated networking equipment

For policymakers

  • Encourage minimum security standards for consumer networking devices

  • Promote secure-by-design requirements for manufacturers

  • Support public awareness initiatives on IoT security

For cybersecurity teams

  • Monitor network traffic patterns from edge devices

  • Incorporate router security into threat-hunting strategies

  • Deploy network detection systems capable of identifying anomalous traffic flows

These measures can significantly reduce the attack surface exploited by botnet operators.
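
One way a security team could start on the traffic-pattern monitoring recommended above is shown here as an added example that is not part of the original article. The flow export format, device names and thresholds are assumptions, and the two heuristics are generic indicators of a device relaying traffic for others, not KadNap signatures.

```python
import csv, io
from collections import defaultdict

# Constructed sample, not real telemetry. Assumed format: one row per flow that
# starts or ends on the edge device itself (not traffic forwarded for LAN clients).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE = """ts,device,direction,peer,port,bytes
100,rtr-office,out,192.0.2.53,53,120
160,rtr-office,out,192.0.2.123,123,90
220,rtr-office,out,192.0.2.80,443,4000
100,rtr-branch,out,192.0.2.53,53,120
200,rtr-branch,in,198.51.100.7,40112,5000
201,rtr-branch,out,203.0.113.10,443,5100
300,rtr-branch,in,198.51.100.8,40112,800
302,rtr-branch,out,203.0.113.11,443,790
400,rtr-branch,out,203.0.113.12,51413,300
410,rtr-branch,out,203.0.113.13,51413,300
"""

MAX_PEERS = 4         # assumed baseline: DNS, NTP, firmware update, cloud management
RELAY_WINDOW = 5      # assumed: seconds between an inbound flow and its relayed copy
SIZE_TOLERANCE = 0.2  # assumed: relayed flows carry roughly the same byte count

def score_devices(text):
    """Per device: distinct outbound peers, inbound/outbound relay pairs, reasons."""
    flows = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        flows[row["device"]].append(
            (int(row["ts"]), row["direction"], row["peer"], int(row["bytes"])))
    report = {}
    for device, rows in flows.items():
        outbound = sorted(r for r in rows if r[1] == "out")
        inbound = sorted(r for r in rows if r[1] == "in")
        # An inbound flow followed within the window by a similar-sized outbound
        # flow to a different peer looks like the device relaying someone's traffic.
        relays = sum(
            any(0 <= o_ts - i_ts <= RELAY_WINDOW and o_peer != i_peer
                and abs(o_size - i_size) <= SIZE_TOLERANCE * i_size
                for o_ts, _, o_peer, o_size in outbound)
            for i_ts, _, i_peer, i_size in inbound)
        peers = len({peer for _, _, peer, _ in outbound})
        reasons = (["peer fan-out"] if peers > MAX_PEERS else []) + \
                  (["relay pairs"] if relays else [])
        report[device] = {"peers": peers, "relay_pairs": relays, "reasons": reasons}
    return report

def suspicious(text):
    """Device names with at least one reason attached, for triage."""
    return sorted(d for d, r in score_devices(text).items() if r["reasons"])
```

On the constructed sample, `suspicious(SAMPLE)` returns only `rtr-branch`; the thresholds need tuning against a baseline of each device's normal peers before use on real flow data.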


Conclusion

The KadNap malware campaign reveals a fundamental shift in the cyber threat landscape. Criminal networks are increasingly building attack infrastructure by quietly hijacking the devices that power the internet itself.

Routers, smart devices, and other edge systems now represent a critical security frontier.

Organizations that ignore this reality risk allowing their own networks to become part of the next global cyberattack.


OGUN Security Research and Strategic Consulting LLC (OSRS) supports organizations, governments, and institutions in addressing emerging cyber threats through:

  • cybersecurity risk assessments

  • IoT and infrastructure security audits

  • threat intelligence analysis

  • cybersecurity education and workforce training

Protecting the modern internet requires visibility across every layer of digital infrastructure.



About the Author

Dr. Oludare Ogunlana is a cybersecurity expert, professor, and founder of OGUN Security Research and Strategic Consulting LLC. He specializes in cybercrime investigation, AI governance, intelligence analysis, and cybersecurity strategy for government, law enforcement, and private sector organizations.
