ViciousTrap – Infiltrate, Control, Lure: Turning Edge Devices Into Honeypots en Masse.
Summary:
Sekoia’s Threat Detection & Research team uncovered a sophisticated cyber campaign exploiting CVE-2023-20118, initially known for deploying a webshell and PolarEdge malware. Subsequent analysis revealed a third threat actor, dubbed ViciousTrap, leveraging the same vulnerability. Through honeypot monitoring, Sekoia observed this actor executing a shell script named NetGhost, designed to redirect traffic from compromised routers to attacker-controlled infrastructure, enabling network interception. Further investigations revealed that ViciousTrap targeted a wide array of devices including those from D-Link, Linksys, ASUS, QNAP, and Araknis Networks to assemble a distributed, honeypot-like surveillance network capable of monitoring and potentially collecting zero-day exploits or reusing unauthorized access gained by other attackers.
The infection chain begins with the exploitation of CVE-2023-20118 on Cisco SOHO routers: a bash script downloads a custom wget binary, which is then used to fetch a second script carrying a unique UUID. This second script, NetGhost, deletes itself from disk to hinder detection, adds iptables rules that redirect traffic arriving on ports 80, 8000, or 8080 to attacker infrastructure, and notifies the command-and-control server via HTTP requests. Traffic analysis confirmed multiple NetGhost variants using two redirection IPs, both hosted in Malaysia.
A notable event in April 2025 involved the reuse of a previously documented webshell from the PolarEdge campaign. This webshell had not been publicly released and was protected by an undisclosed password, suggesting ViciousTrap may have obtained it through passive interception or reuse of compromised assets. Devices compromised by NetGhost were primarily end-of-life routers, including Cisco SOHO and D-Link DIR-850L models, with new campaigns in May 2025 targeting ASUS routers using CVE-2021-32030 to extract firmware and establish SSH access.
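NetGhost's iptables redirection gives defenders something concrete to check for on a gateway. The script below is an added example, not code from Sekoia's report or from the malware: it parses `iptables-save` output (collected from a router over SSH or a console, for instance) and flags PREROUTING NAT rules that DNAT or REDIRECT traffic on ports 80, 8000 or 8080 to an address outside the local ranges. The sample rules and the 203.0.113.10 target are constructed for illustration and are not indicators from the campaign.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed iptables-save excerpt (not captured from a real device), modelled on
# the behaviour described above: traffic to 80/8000/8080 sent off-box.
# 203.0.113.10 is a documentation address standing in for an attacker host.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 203.0.113.10:8080
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.20:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
"""

WATCHED_PORTS = {80, 8000, 8080}

# Explicit local ranges rather than ipaddress.is_private/is_global, whose
# treatment of documentation and special-purpose blocks differs across versions.
LOCAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)\s+(?P<body>.*)$")
DPORT_RE = re.compile(r"--dports?\s+(\S+)")
DNAT_RE = re.compile(r"-j\s+DNAT\s+--to-destination\s+(?P<ip>\d+\.\d+\.\d+\.\d+)(?::(?P<port>\d+))?")
REDIRECT_RE = re.compile(r"-j\s+REDIRECT\b")


def is_local(addr):
    """True if addr falls in one of the RFC1918/loopback/link-local ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def nat_rules(text):
    """Yield (chain, rule_body) for every -A line inside the *nat table only."""
    in_nat = False
    for line in text.splitlines():
        if line.startswith("*"):
            in_nat = line.strip() == "*nat"
            continue
        if in_nat:
            m = RULE_RE.match(line)
            if m:
                yield m.group("chain"), m.group("body")


def dports(body):
    """Expand --dport/--dports (single port, comma list, lo:hi range) into a set of ints."""
    m = DPORT_RE.search(body)
    if not m:
        return set()
    ports = set()
    for part in m.group(1).split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def find_suspicious_redirects(text):
    """Return findings for PREROUTING NAT rules that move watched ports off the device."""
    findings = []
    for chain, body in nat_rules(text):
        if chain != "PREROUTING":
            continue
        hit = sorted(dports(body) & WATCHED_PORTS)
        if not hit:
            continue
        dnat = DNAT_RE.search(body)
        if dnat and not is_local(dnat.group("ip")):
            findings.append({"rule": body, "ports": hit,
                             "reason": f"DNAT to non-local address {dnat.group('ip')}"})
        elif REDIRECT_RE.search(body):
            # REDIRECT alone stays on-box, but an 80 -> 8080 hop followed by a
            # DNAT of 8080 is exactly the pair of rules worth reviewing together.
            findings.append({"rule": body, "ports": hit,
                             "reason": "REDIRECT on watched port; check for a follow-on DNAT"})
    return findings


if __name__ == "__main__":
    # On a live host, feed real output instead: iptables-save > rules.txt
    for f in find_suspicious_redirects(SAMPLE_IPTABLES_SAVE):
        print(f"[!] ports {f['ports']}: {f['reason']}\n    {f['rule']}")
```

Run against the constructed sample, the script reports the REDIRECT of port 80 and the DNAT of 8080 to 203.0.113.10, and stays silent on the legitimate 443 forward to 192.168.1.20. On a compromised router the same check should be repeated after a reboot, since the rules may be re-applied by whatever persistence the attacker left behind.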
Security Officer Comments:
The ViciousTrap infrastructure is split into three segments, exploitation, notification, and interception servers, all hosted by the Malaysian provider Shinjiru. The interception servers, which act as silent observers, were found to monitor at least 60 types of devices across open ports, using TLS certificates cloned from legitimate devices and distinctive HTTP body content. Sekoia identified the infrastructure through TLS certificate fingerprinting, JARM hashes, and TCP packet analysis, revealing over 5,300 infected devices globally, concentrated in Asia; Macao showed the highest infection density, owing to the widespread use of outdated routers.
While no attribution has been made, the absence of Chinese infrastructure targets, despite extensive surveillance of assets in Taiwan and the U.S., suggests the potential involvement of a Chinese-speaking actor. Sekoia continues to investigate the campaign’s objectives, which appear to center around building a distributed honeypot-style infrastructure, and monitors ViciousTrap’s evolving tactics to better understand its strategic intent.
Suggested Corrections:
- Patch or replace vulnerable devices such as Cisco SOHO, D-Link DIR-850L, and ASUS routers to address the flaws used in this campaign (CVE-2023-20118 on Cisco SOHO routers, CVE-2021-32030 on ASUS routers).
- Disable remote administration on routers and IoT devices, limiting management access to internal networks only.
- Audit iptables NAT rules and port-forwarding configuration regularly for unauthorized redirections, especially of ports 80, 8000, and 8080 to addresses outside the local network.
- Monitor for unusual outbound connections, and compare TLS certificate fingerprints and JARM hashes against those associated with the malicious infrastructure.
- Decommission end-of-life hardware to reduce exposure from unsupported and unpatched devices.
IOCs:
https://blog.sekoia.io/vicioustrap-...turning-edge-devices-into-honeypots-en-masse/