内容来源：https://lifehacker.com/tech/check-asus-router-for-malware?utm_medium=RSS

内容总结：

近期，一种名为KadNap的新型恶意程序正针对家用路由器发起攻击，可能将用户设备纳入僵尸网络并用于非法活动。据Lumen Black Lotus实验室2025年8月的研究报告显示，全球已有超1.4万台设备受感染，其中约60%位于美国，台湾地区、香港地区及俄罗斯各占约5%。

该恶意程序主要通过华硕等品牌路由器的未修复漏洞进行传播。受感染设备会被植入隐蔽的代理网络，不仅可隐藏黑客流量，还能为"Doppelganger"匿名服务提供支持，该服务常被用于暴力破解和定向攻击。研究人员指出，KadNap能有效隐藏控制服务器地址，传统安全系统难以检测，其分布式架构也增强了抗打击能力。

安全专家建议用户采取以下防护措施：通过比对设备日志与安全机构发布的威胁指标（IOCs）排查异常；使用Greynoise公司的IP检查工具检测可疑活动；若确认感染需立即恢复出厂设置（重启无法清除病毒）。日常防护应注意：修改默认网络名称和管理密码、关闭远程访问功能、及时更新固件补丁，并养成用完即退出管理账户的习惯。

中文翻译：

如果您家中的网络使用了华硕路由器，那么它可能已成为一种复杂恶意软件的攻击目标。这种名为KadNap的恶意程序能将设备纳入僵尸网络，并利用其从事犯罪活动。Lumen公司黑莲花实验室的研究人员于2025年8月发现此威胁，估计已有超过1.4万台设备受到感染。

KadNap如何入侵家庭网络
据科技媒体Ars Technica报道，KadNap利用联网设备中未修复的漏洞进行传播，其中绝大多数为华硕路由器。受感染设备会被接入可隐藏恶意流量的代理网络。在此案例中，这些设备正为名为"Doppelganger"的服务传输数据，该服务允许用户匿名浏览网络、实施暴力破解攻击及针对性漏洞利用。

KadNap的检测难度极高，因其通信协议能隐藏黑客命令控制服务器的IP地址，从而规避传统监控手段。这种设计还使其具备高度可扩展性且难以被清除。

据估计，约60%的受感染设备位于美国。台湾地区、香港地区及俄罗斯各占约5%，其余设备分散在全球众多其他国家。

如何检测路由器异常活动
若怀疑路由器可能感染KadNap，请将设备日志中的IP地址和文件哈希值与黑莲花实验室提供的入侵指标进行比对。您需要对设备进行恢复出厂设置，因为单纯重启只会运行恶意脚本而无法清除病毒。

您也可以使用威胁监控公司Greynoise开发的IP检测工具，该工具能帮助判断路由器是否可能被用于恶意目的（包括KadNap僵尸网络或其他威胁）。若您的IP地址被标记为可疑，工具将显示近期扫描活动记录以供深入调查。

在网络安全领域，预防胜于补救。请立即修改路由器的默认网络名称和管理密码（这些默认信息极易被破解）。建议关闭远程访问控制功能，以防威胁行为者在您不知情时篡改设置，并在非使用时段退出管理员账户。最后，请保持路由器固件处于最新状态，确保安全漏洞能被及时修复。

英文来源：

If you have an Asus router on your home network, it may have been targeted by a sophisticated form of malware capable of adding devices to a botnet and using them for criminal activity. Researchers at Lumen's Black Lotus Labs identified this threat—dubbed KadNap—in August 2025 and estimate that more than 14,000 devices have been infected.
How KadNap compromises home networks
As Ars Technica reports, KadNap exploits unpatched vulnerabilities in connected devices, most of which are Asus routers. Infected devices are added to a proxy network that can hide malicious traffic. In this case, they are carrying traffic for service called Doppelganger, which allows users to browse anonymously and engage in brute-force attacks and targeted exploitation.
KadNap is particularly difficult to detect because its protocol conceals the IP addresses of hackers' command-and-control (C2) servers, allowing it to evade traditional monitoring. The design also makes it highly scalable and resistant to takedown.
An estimated 60% of affected devices are located in the U.S. Taiwan, Hong Kong, and Russia account for another 5% each, with the remainder spread across numerous other countries around the world.
Check your router for malicious activity
If you think your router may be infected with KadNap, compare the IP address and file hash in your device log with those on Black Lotus Labs' indicators of compromise (IOCs). You'll need to do a factory reset, as rebooting will run a shell script, not remove the malware.
You could also run IP Check, a tool from threat monitoring firm Greynoise that can help determine if your router is potentially being used for malicious purposes (the KadNap botnet or otherwise). If your IP is flagged as suspicious, you'll be able to see recent scanning activity to investigate further.
When it comes to network security, prevention is good protection. Update your network name and administrative password from your router's defaults (which are easy to discover). Consider disabling remote access controls, which prevents threat actors from changing settings without your knowledge, and log out of your admin account when it's not in use. Finally, keep your router's firmware up to date to ensure vulnerabilities are patched quickly.