# Full Report
Cybersecurity researchers have disclosed that a threat actor codenamed ViciousTrap has compromised nearly 5,300 unique network edge devices across 84 countries and turned them into a honeypot-like network. The threat actor has been observed exploiting a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers (CVE-2023-20118) to corral them into
# Analysis Summary
# Threat Actor: ViciousTrap
## Attribution & Identity
The threat actor is codenamed **ViciousTrap**. No definitive attribution to a specific nation-state or established cybercriminal organization is provided. The analysis notes the use of an undocumented web shell previously seen in PolarEdge botnet attacks, but explicitly states that this does not establish a connection between the two.
## Activity Summary
ViciousTrap has compromised nearly **5,300 unique network edge devices** across **84 countries**, turning them into a global **honeypot-like network**.
The earliest observed activity dates back to **March 2025**.
The primary activity involves exploiting CVE-2023-20118 to seize control of devices and redirect network traffic to attacker-controlled infrastructure.
A recent operation (as of May 2025) involved targeting ASUS routers from a new IP address.
The majority of discovered infections (850 devices) are located in **Macau**.
## Tactics, Techniques & Procedures
- **Exploitation of Known Vulnerability:** Weaponization of **CVE-2023-20118** (a critical flaw in specific Cisco Small Business RV series routers).
- **Multi-Stage Execution:** The attack chain involves:
  1. Initial exploitation to download and execute a shell script via `ftpget`.
  2. Contacting an external server to fetch the `wget` binary.
  3. A second exploitation of the Cisco flaw to execute a second, persistent script.
- **Infection Script:** Execution of a bash script dubbed **NetGhost** (second-stage payload).
- **Network Traffic Redirection:** NetGhost is configured to redirect incoming traffic on specific ports of the compromised router to attacker-controlled infrastructure, enabling Adversary-in-the-Middle (AitM) attacks.
- **Artifact Removal:** NetGhost includes capabilities to remove itself from the compromised host to minimize forensic trails.
- **Tool Reuse:** Repurposing an undocumented web shell previously employed in PolarEdge botnet attacks.
## Targeting
- **Sectors:** Broadly targets network edge equipment, suggesting opportunistic compromise of internet-facing infrastructure.
- **Geography:** Global reach, active in **84 countries**. High concentration observed in **Macau** (850 compromised devices).
- **Victims:** The actor targets specific hardware, including:
  - Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers.
  - Devices from more than 50 brands, including SOHO routers, SSL VPNs, DVRs, and BMC controllers from vendors such as **Araknis Networks, ASUS, D-Link, Linksys, and QNAP**.
## Tools & Infrastructure
- **Malware Families used:** NetGhost (second-stage bash shell script).
- **Infrastructure (C2 IPs, defanged):**
  - Initial exploitation C2 IP: `101.99.91[.]151`
  - Recent targeting IP: `101.99.91[.]239`
## Implications
ViciousTrap is focused on establishing large-scale, persistent infrastructure for passive observation. By creating a massive honeypot network out of compromised enterprise/SOHO edge devices, the actor likely aims to:
1. Observe real-world exploitation attempts targeting diverse environments.
2. Collect potentially valuable non-public or zero-day exploits in transit.
3. Potentially reuse access obtained by other threat actors (via AitM positioning).
## Mitigations
- Immediately patch vulnerable Cisco Small Business Routers against **CVE-2023-20118**.
- Inventory and monitor all internet-facing devices, including SOHO routers, SSL VPNs, DVRs, and BMC controllers from various manufacturers (Cisco, ASUS, D-Link, QNAP, etc.).
- Implement enhanced network flow monitoring to detect unexpected traffic redirection from edge devices to external, unknown infrastructure.
- Review device configurations for signs of unauthorized scripts (such as NetGhost) that invoke `ftpget`, or of attempts to download binaries such as `wget`.
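One way to operationalise the flow-monitoring mitigation above, as an added example that is not from the report: pair inbound connections to the router with router-originated connections to external, non-allowlisted hosts on the same port (the NetGhost redirection pattern), and flag any contact with the two reported IPs. The router address, allowlist, time window and flow records are constructed assumptions; only the two C2 addresses come from the report.

```python
from collections import namedtuple
import ipaddress
Flow = namedtuple("Flow", "ts src sport dst dport")  # simplified flow record

# Indicators from the report, stored defanged and refanged only for matching.
KNOWN_C2 = {ioc.replace("[.]", ".") for ioc in ("101.99.91[.]151", "101.99.91[.]239")}
# Assumed for this example: the router's WAN address (RFC 5737 documentation
# range), external hosts it legitimately contacts, and the pairing window.
ROUTER_WAN = "203.0.113.10"
ALLOWED_DST = {"198.51.100.5"}
WINDOW_SECONDS = 5
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(addr):
    """True unless addr falls in an RFC 1918 private range."""
    a = ipaddress.ip_address(addr)
    return not any(a in net for net in INTERNAL_NETS)

def detect_redirection(flows):
    """Return (reason, dst, dport, ts) alerts for NetGhost-style redirection.
    known-c2: the router itself connects to a reported C2 address.
    relay:    an inbound connection to the router on port P is followed within
              WINDOW_SECONDS by a router-originated connection to an external,
              non-allowlisted host on the same port P.
    """
    alerts = []
    inbound = [f for f in flows if f.dst == ROUTER_WAN]
    for out in (f for f in flows if f.src == ROUTER_WAN):
        if out.dst in KNOWN_C2:
            alerts.append(("known-c2", out.dst, out.dport, out.ts))
        elif is_external(out.dst) and out.dst not in ALLOWED_DST and any(
                i.dport == out.dport and 0 <= out.ts - i.ts <= WINDOW_SECONDS
                for i in inbound):
            alerts.append(("relay", out.dst, out.dport, out.ts))
    return alerts

# Constructed sample flows (not taken from the report).
SAMPLE_FLOWS = [
    Flow(100, "198.51.100.7", 51000, ROUTER_WAN, 443),  # inbound HTTPS to router
    Flow(102, ROUTER_WAN, 40001, "192.0.2.55", 443),    # relayed outward: alert
    Flow(200, ROUTER_WAN, 40002, "198.51.100.5", 123),  # allowlisted NTP: benign
    Flow(300, ROUTER_WAN, 40003, "101.99.91.151", 80),  # reported C2: alert
    Flow(400, "192.168.1.20", 52000, ROUTER_WAN, 80),   # LAN admin login: benign
    Flow(401, ROUTER_WAN, 40004, "192.168.1.20", 80),   # internal reply: benign
]
if __name__ == "__main__":
    for alert in detect_redirection(SAMPLE_FLOWS):
        print(alert)
```

On real NetFlow or IPFIX exports the same pairing logic applies once records are mapped onto the `Flow` fields; the allowlist should be built from the device's known update, NTP and management endpoints.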