On March 10, 2026, Black Lotus Labs (the threat intelligence arm of Lumen Technologies) disclosed a new botnet called KadNap that has quietly infected ~14,000 routers every day since August 2025. Researchers Chris Formosa and Steve Rudd identified the campaign as targeting primarily ASUS routers — the same brand sitting behind countless medical office front desks and exam rooms. 60% of infected devices are in the United States, roughly 8,400 machines per day.
This is not a theoretical threat. These routers are actively being used as criminal infrastructure right now.
What Healthcare Organizations Need to Know
What KadNap Does
KadNap infects a router by delivering a malicious shell script called aic.sh from an attacker-controlled server. The script drops a binary named kad into /jffs/.asusrouter — a section of flash storage on ASUS devices that persists across reboots. It then creates a cron job that fires every hour at :55, keeping the infection alive and checking in with command-and-control (C2) infrastructure.
The C2 design is deliberately resilient. KadNap uses a custom Kademlia DHT protocol — the same peer-to-peer architecture that powers BitTorrent — with AES-encrypted communications. There is no central server to take down. Lumen has blocked all known KadNap C2 traffic on their backbone since August 2025, but devices outside Lumen’s network remain exposed.
One detail worth flagging for any practice thinking “I’ll just reboot the router”: that does not work. Because the infection lives in /jffs/ flash storage, a factory reset is the only reliable remediation. A simple reboot leaves the malware fully intact.
The infection also closes port 22 (SSH) on the compromised device after taking hold, so the router’s owner can no longer reach the device over SSH to detect or investigate the compromise remotely. It locks you out of your own equipment. If your organization has experienced a ransomware-style intrusion before, the same principle applies here: the attacker’s first move is always to limit your visibility.
Why Your Practice Should Care
KadNap-infected routers are funneled into a criminal residential proxy service called Doppelganger — believed to be a rebrand of the defunct “Faceless” service. Residential proxies are valuable to attackers precisely because traffic appears to originate from a legitimate home or business IP address, not a known data center. That clean reputation bypasses geo-fencing and IP-reputation blacklists that many healthcare portals and EHR login pages rely on as a first line of defense.
The documented uses of this infrastructure include credential stuffing attacks, brute-force login attempts, account takeovers, and DDoS traffic routing. Credential stuffing is the automated replay of usernames and passwords stolen from prior breaches — testing them against your patient portal, your EHR, your billing system. HIPAA’s new MFA requirement exists in large part because of exactly this attack pattern.
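To make the credential-stuffing pattern concrete from the defender’s side, here is an added example (written for this page; it is not code from Black Lotus Labs, Lumen, or the article’s author). It runs an awk pass over a constructed, simplified patient-portal login log and flags any source address whose failed logins span many different usernames, which is what a proxied botnet replaying breached credentials looks like, as opposed to one legitimate user mistyping one password. The log format, the TEST-NET addresses, the usernames and the threshold are all assumptions for the example.

```shell
#!/bin/sh
# Added example: spot credential-stuffing activity in portal auth logs.
# A residential-proxy botnet cycles MANY usernames from ONE source IP with
# failed logins; a real user fails repeatedly on ONE username. A success
# following a long run of failures from the same IP is a likely takeover.
#
# Constructed log format (an assumption for this example, not a real product):
#   <timestamp> <source-ip> <method> <path> user=<name> result=<OK|FAIL>

# Constructed sample log lines (TEST-NET addresses, invented usernames).
SAMPLE_AUTH_LOG='2026-03-10T09:00:01Z 203.0.113.7 POST /login user=asmith result=FAIL
2026-03-10T09:00:02Z 203.0.113.7 POST /login user=bjones result=FAIL
2026-03-10T09:00:02Z 198.51.100.4 POST /login user=cnguyen result=FAIL
2026-03-10T09:00:03Z 203.0.113.7 POST /login user=cnguyen result=FAIL
2026-03-10T09:00:04Z 203.0.113.7 POST /login user=dlee result=FAIL
2026-03-10T09:00:05Z 198.51.100.4 POST /login user=cnguyen result=OK
2026-03-10T09:00:05Z 203.0.113.7 POST /login user=epatel result=FAIL
2026-03-10T09:00:06Z 203.0.113.7 POST /login user=fgarcia result=FAIL
2026-03-10T09:00:07Z 203.0.113.7 POST /login user=fgarcia result=OK'

# flag_stuffing THRESHOLD LOGTEXT
# Prints "<ip> <distinct-failed-users> <failures> <successes>" for every
# source IP whose failed logins cover at least THRESHOLD distinct usernames.
# Output is sorted by IP so the result is deterministic.
flag_stuffing() {
  printf '%s\n' "$2" | awk -v t="$1" '
    {
      ip = $2
      split($5, kv, "=")            # $5 is user=<name>
      user = kv[2]
      if ($6 == "result=FAIL") {
        # count each (ip, username) pair once, however many times it fails
        if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        fails[ip]++
      } else if ($6 == "result=OK") {
        ok[ip]++
      }
    }
    END {
      for (ip in users)
        if (users[ip] >= t)
          printf "%s %d %d %d\n", ip, users[ip], fails[ip], ok[ip] + 0
    }' | sort
}

# Demo on the constructed sample: only the proxy-style source is flagged,
# and its trailing success is the account-takeover signal worth alerting on.
echo "ip distinct_failed_users failures successes"
flag_stuffing 5 "$SAMPLE_AUTH_LOG"
```

On a real portal you would feed the script the access log in whatever format your web server or EHR vendor emits (the field positions in the awk program would change accordingly) and pick a threshold from your own baseline; the point is the shape of the signal, many usernames per source, not the exact numbers. Blocking by IP reputation alone does not catch this, because the source is a clean residential address, which is exactly why the article points to MFA.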
If your practice’s router is compromised, the immediate and confirmed risk is that your office’s IP address becomes a weapon used against other organizations. But the risk does not stop there. A compromised router sits at the boundary of your internal network. Any device on that network — workstations, tablets, the server running your EHR — is potentially reachable by an attacker with persistent access to the router. That is a risk, not a confirmed outcome of KadNap specifically, but it is the reason network perimeter security is treated as a foundational control under the HIPAA Security Rule.
Under the HIPAA Security Rule (45 CFR Part 164, Subpart C), covered entities and business associates are required to implement technical safeguards protecting electronic protected health information (ePHI). Network perimeter devices are explicitly within scope. The HHS Cybersecurity Performance Goals (CPGs) — voluntary but used by OCR as a benchmark — call out mitigating known vulnerabilities, maintaining unique credentials, asset inventory, and network segmentation. Failing to maintain current firmware on a patient-facing network device is exactly the kind of gap that surfaces in a HIPAA security risk assessment and that OCR investigators look for after a breach. A proper risk assessment documents your controls and your remediation timelines — if you do not have one current, this incident is a reason to prioritize it.
On the federal side, CISA Binding Operational Directive 26-02 (issued February 5, 2026) requires federal agencies to inventory edge devices, remove end-of-life hardware, and keep firmware updated. CISA strongly encourages all non-federal organizations, including healthcare practices, to follow the same controls. The directive does not create legal obligations for private practices, but it signals what regulators consider baseline hygiene in 2026.
How to Check and What to Do Now
No zero-days have been confirmed in KadNap’s infection chain. Researcher Chris Formosa told Ars Technica that the campaign exploits known vulnerabilities — meaning devices running current firmware are not the primary target. That makes the remediation steps straightforward, if not fast.
Step 1: Identify your router make and model. If your office runs an ASUS router, treat this as urgent. Check your router’s admin interface (typically accessible at 192.168.1.1 or 192.168.0.1) to determine the current firmware version.
Step 2: Check for signs of compromise. If you cannot SSH into your router (port 22 is blocked), or you see an unusual cron job or an unfamiliar binary in /jffs/, treat the device as compromised.
Step 3: Factory reset — not a reboot. Black Lotus Labs is explicit: a factory reset is required to remove KadNap. A reboot does not clear /jffs/ flash storage. Perform a full factory reset per your router’s documentation. This will wipe all custom configurations, so document your current settings (SSID, port forwards, VLAN configuration) before resetting.
Step 4: Update firmware immediately after the reset. Do not reconnect the device to the internet before applying all available firmware updates. ASUS publishes firmware updates at asus.com/support. If your device is end-of-life and no longer receiving updates, the manufacturer cannot patch new vulnerabilities — replace it.
Step 5: Set a strong, unique admin password. Default router credentials are trivially known. Set a password that is not reused anywhere else in your organization. This applies to the router admin interface, not just your Wi-Fi password. HIPAA’s encryption requirements and the HIPAA security safeguards framework both point to access controls as foundational — and the router admin password is an access control.
Step 6: Disable remote management unless required. Remote management (access to the router admin interface from outside your network) widens the attack surface. Unless you have a specific operational need, disable it.
Step 7: Review your asset inventory. Do you know every network device in your office — routers, switches, access points, IoT devices? If not, a HIPAA security risk assessment is the structured process for building that inventory and evaluating each device’s risk posture. SOHO router vulnerabilities like the ones KadNap exploits are consistently flagged as high-risk findings when practices do not have an inventory process.
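Step 2 above lists the indicators (a cron job at :55, an unfamiliar binary under /jffs/, SSH no longer reachable), and the “What KadNap Does” section gives the specific path /jffs/.asusrouter and the binary name kad. The POSIX shell script below is an added example, written for this page rather than taken from Black Lotus Labs, Lumen, or the article’s author, that turns those indicators into repeatable checks. It runs against constructed sample output so it can be tried offline; on a real device you would feed it the router’s actual crontab, file listing and listener table. The sample strings, the netstat layout and the counting rule are assumptions for the example.

```shell
#!/bin/sh
# Added example: triage the KadNap indicators described in the article
# (cron job at minute 55 of every hour, a file under /jffs/.asusrouter,
# SSH no longer listening on port 22) against text you collect from the
# router. All samples below are CONSTRUCTED for the example, not captured
# from a real device.

# Constructed sample: router crontab (BusyBox crond format) before/after infection.
INFECTED_CRONTAB='0 3 * * * /jffs/scripts/backup.sh
55 * * * * /jffs/.asusrouter/kad'
CLEAN_CRONTAB='0 3 * * * /jffs/scripts/backup.sh'

# Constructed sample: output of `find /jffs -type f`.
INFECTED_FILES='/jffs/scripts/backup.sh
/jffs/.asusrouter/kad'
CLEAN_FILES='/jffs/scripts/backup.sh'

# Constructed sample: TCP listeners as `netstat -tln` prints them.
INFECTED_NETSTAT='tcp   0 0 0.0.0.0:80   0.0.0.0:* LISTEN
tcp   0 0 0.0.0.0:443  0.0.0.0:* LISTEN'
CLEAN_NETSTAT='tcp   0 0 0.0.0.0:22   0.0.0.0:* LISTEN
tcp   0 0 0.0.0.0:80   0.0.0.0:* LISTEN'

# Each check takes one text blob and exits 0 when the indicator is present.

# Indicator 1: a cron entry that fires at minute 55 of every hour.
has_hourly_55_cron() {
  printf '%s\n' "$1" |
    grep -Eq '^[[:space:]]*55[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*'
}

# Indicator 2: any file under the persistent /jffs/.asusrouter directory.
has_asusrouter_dropper() {
  printf '%s\n' "$1" | grep -q '^/jffs/\.asusrouter/'
}

# Indicator 3: nothing listening on TCP port 22. Only meaningful if SSH was
# enabled on the router before; on its own this is a weak signal.
ssh_port_closed() {
  ! printf '%s\n' "$1" | grep -Eq ':22[[:space:]]+.*LISTEN'
}

# triage CRONTAB_TEXT FILE_LIST NETSTAT_TEXT
# Prints one line per indicator found plus a count; exits 0 when any hit.
triage() {
  crontab_text=$1; file_list=$2; netstat_text=$3
  hits=0
  has_hourly_55_cron "$crontab_text" && { hits=$((hits + 1)); echo "HIT cron job at :55"; }
  has_asusrouter_dropper "$file_list" && { hits=$((hits + 1)); echo "HIT file under /jffs/.asusrouter"; }
  ssh_port_closed "$netstat_text" && { hits=$((hits + 1)); echo "HIT port 22 not listening"; }
  echo "indicators: $hits"
  [ "$hits" -gt 0 ]
}

# Demo on the constructed samples.
echo "== sample A =="
triage "$INFECTED_CRONTAB" "$INFECTED_FILES" "$INFECTED_NETSTAT" &&
  echo "verdict: treat as compromised; factory reset, then update firmware"
echo "== sample B =="
triage "$CLEAN_CRONTAB" "$CLEAN_FILES" "$CLEAN_NETSTAT" ||
  echo "verdict: no KadNap indicators in this data"
```

To use it on a real ASUS router you have shell access to, collect the three inputs from the device (the crontab files under /var/spool/cron/crontabs, `find /jffs -type f`, and `netstat -tln`) and pass them to triage. If the router will not accept an SSH connection at all, that is itself Step 2’s first indicator and you will not be able to gather the other two remotely; the article’s guidance still applies, since any hit on the cron or /jffs/.asusrouter checks means a factory reset, not a reboot.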
A note on network segmentation: If your patient devices (kiosks, iPads, waiting room Wi-Fi) are on the same network as your EHR workstations, a compromised router can reach everything. Separating clinical systems onto a dedicated VLAN with firewall rules between segments limits the blast radius of any perimeter compromise. This is a HIPAA breach prevention control that does not require enterprise-grade equipment — most business-class routers support VLANs natively.
HIPAA breach prevention is not one control — it is a stack of overlapping safeguards. Network perimeter security, HIPAA encryption requirements, MFA on every login portal, and a documented risk assessment are the layers that collectively keep a botnet infection from becoming a reportable breach.
One Guy Consulting offers affordable HIPAA compliance packages for practices of all sizes.