A significant cybersecurity incident has emerged involving a sophisticated threat actor known as ViciousTrap, as identified by the Threat Detection & Research (TDR) team at Sekoia.io. This actor has infiltrated over 5,500 edge devices from more than 50 different manufacturers, creating an expansive network reminiscent of a honeypot.
The operation targets various internet-facing devices, notably Small Office/Home Office (SOHO) routers, SSL VPNs, DVRs, and Baseboard Management Controllers (BMCs) from well-known brands like Cisco, D-Link, Linksys, ASUS, QNAP, and Araknis Networks. This alarming campaign highlights vulnerabilities in a wide range of equipment that many businesses rely upon for network connectivity and security.
Indications suggest that the attacker may originate from a Chinese-speaking region, based on infrastructure overlap with the previously identified GobRAT malware and specific geographic patterns in their targeting. This actor’s activities appear to revolve around creating a distributed framework capable of intercepting network traffic, potentially to collect zero-day exploits or leverage access obtained from other malicious entities.
The infection strategy employed by ViciousTrap begins with the exploitation of known vulnerabilities, including CVE-2023-20118, which specifically affects Cisco SOHO routers. Initial attacks can be traced back to March 2025, originating from the IP address 101.99.91[.]151. Following this initial breach, ViciousTrap deploys a shell script, dubbed NetGhost, which uses iptables rules to redirect inbound traffic to interception servers controlled by the attacker. This script facilitates Man-in-the-Middle (MitM) operations, allowing the adversary to capture sensitive data.
The NetGhost script is delivered via a MIPS-compiled wget binary and notifies the command-and-control (C2) infrastructure with unique identifiers for each compromised device. This enables the attacker to register each victim system for further exploitation. Sekoia.io has noted the reuse of an undocumented webshell as of April 2025, indicating that ViciousTrap may be passively collecting data from its extensive network of compromised devices to reengineer its attack strategies.
A recent campaign focusing on ASUS routers has reportedly compromised over 9,500 devices through CVE-2021-32030, establishing SSH access on port 53282. However, it appears that these systems were not used to create honeypots as in previous incidents. The attackers operate from a robust infrastructure primarily hosted in Malaysia under the Shinjiru network (AS45839), utilizing various servers to monitor and manipulate a wide array of device types.
Detection of this campaign is facilitated by consistent TCP window sizes and unique JARM hashes that signal redirected traffic. Over 5,300 compromised devices have been identified across 84 countries, particularly in Macao, which has been severely affected due to outdated D-Link DIR-850L routers. While the ultimate objectives of ViciousTrap are not entirely clear, Sekoia.io posits that the campaign is likely geared towards building a honeypot network for espionage, specifically targeting assets in Taiwan and the United States while notably omitting China from its focus.
This operation underscores the significant risks of relying on end-of-life (EOL) hardware and highlights the urgency of patching known vulnerabilities. As ViciousTrap’s tactics illustrate, edge devices can be weaponized to serve malicious purposes, emphasizing the critical need for continued vigilance in cybersecurity practices.
As this incident unfolds, business owners should be mindful of the underlying tactics likely employed in this attack, including initial access via exploiting known vulnerabilities, persistence via established webshells, and privilege escalation facilitated by compromised device access. By aligning defenses with the MITRE ATT&CK framework, organizations can enhance their resilience against such sophisticated threats.