ViciousTrap - Infiltrate, Control, Lure: Turning edge devices into honeypots en masse.

Medium
Published: Fri May 23 2025 (05/23/2025, 18:38:49 UTC)
Source: AlienVault OTX General

Description

A threat actor nicknamed ViciousTrap has compromised over 5,500 edge devices, transforming them into honeypots. The actor targets more than 50 brands of SOHO routers, SSL VPNs, DVRs, and BMC controllers, possibly to collect exploited vulnerabilities. The infection chain involves exploiting CVE-2023-20118 to deploy a script called NetGhost, which redirects incoming traffic to the attacker's infrastructure. The compromised devices, mostly end-of-life, are used to create a distributed honeypot-like network across Asia. The actor, likely of Chinese-speaking origin, may be attempting to observe exploitation attempts and collect non-public or zero-day exploits. The infrastructure uses servers in Malaysia, and the campaign has been ongoing since March 2025.

AI-Powered Analysis

Last updated: 07/07/2025, 19:25:24 UTC

Technical Analysis

The ViciousTrap campaign represents a sophisticated threat actor operation targeting over 5,500 edge devices, including SOHO routers, SSL VPNs, DVRs, and BMC controllers from more than 50 different brands. The actor exploits vulnerabilities such as CVE-2023-20118 to deploy a malicious script named NetGhost. This script redirects incoming traffic from the compromised devices to attacker-controlled infrastructure, effectively transforming these devices into distributed honeypots. These honeypots serve as traps to lure other attackers or malware, allowing ViciousTrap to observe exploitation attempts, collect data on exploited vulnerabilities, and potentially gather zero-day or non-public exploits. The majority of the compromised devices are end-of-life and therefore likely lack vendor support and security updates, making them easier targets. The campaign infrastructure is based in Malaysia and has been active since March 2025. The threat actor is believed to be of Chinese-speaking origin. The attack chain involves multiple tactics and techniques, including reconnaissance, exploitation, command and control, and lateral movement, as indicated by the associated MITRE ATT&CK tags such as T1133 (External Remote Services), T1190 (Exploit Public-Facing Application), and T1090 (Proxy). The use of compromised devices as honeypots is a novel approach: victim devices become tools for further intelligence gathering rather than targets of direct exploitation or disruption. This method allows the actor to monitor attacker behaviors and potentially discover new vulnerabilities or attack vectors in real time.

Potential Impact

For European organizations, the ViciousTrap campaign poses indirect but significant risks. Although the primary targets are mostly in Asia, the global supply chain and interconnected nature of edge devices mean that similar devices in Europe could be targeted or affected. Compromised edge devices acting as honeypots could be used to gather intelligence on European networks if infected devices are present there or if attackers use these honeypots to stage attacks against European infrastructure. The presence of redirected traffic through malicious infrastructure could lead to data interception or manipulation, potentially compromising confidentiality and integrity. Additionally, the use of end-of-life devices highlights the risk posed by unsupported hardware common in many European small and medium enterprises (SMEs) and home offices. The campaign’s focus on SOHO routers and SSL VPNs is particularly concerning for remote work environments prevalent in Europe. The threat actor’s ability to collect zero-day exploits could lead to future targeted attacks against European critical infrastructure or enterprises, increasing the risk of espionage or disruption. The campaign’s ongoing nature since early 2025 suggests a persistent threat that could evolve and expand geographically.

Mitigation Recommendations

European organizations should prioritize the following specific mitigations:

1) Conduct comprehensive inventories of all edge devices, including SOHO routers, SSL VPNs, DVRs, and BMC controllers, to identify end-of-life or unsupported hardware and replace or isolate them from critical networks.
2) Apply all available patches and firmware updates, especially those addressing CVE-2023-20118 and CVE-2021-32030; where devices are no longer officially supported, seek vendor or community firmware updates.
3) Implement network segmentation to isolate edge devices from sensitive internal systems, limiting lateral movement and data exposure.
4) Monitor network traffic for unusual redirections or proxying behaviors indicative of NetGhost or similar scripts, using advanced network detection tools and anomaly detection.
5) Employ strict access controls and multi-factor authentication on remote access services to reduce exploitation risk.
6) Collaborate with ISPs and device manufacturers to identify and remediate compromised devices within their networks.
7) Increase threat intelligence sharing within European cybersecurity communities to track ViciousTrap activity and related indicators.
8) Educate users and administrators about the risks of using outdated devices and the importance of secure configurations.

These measures go beyond generic advice by focusing on the specific device types and attack vectors exploited by ViciousTrap, emphasizing proactive device lifecycle management and network monitoring tailored to this campaign.

Technical Details

Author: AlienVault
TLP: white
References:
  https://blog.sekoia.io/vicioustrap-infiltrate-control-lure-turning-edge-devices-into-honeypots-en-masse
Adversary: ViciousTrap
Pulse Id: 6830c0b98077133a71396f00

Indicators of Compromise

IP addresses (no description supplied in the source):
  103.43.18.59
  103.43.19.61
  103.56.17.163
  111.90.148.112
  101.99.90.20
  101.99.91.151
  101.99.91.239
  101.99.94.173
  111.90.148.151
  155.254.60.160
  212.232.23.143
  212.232.23.168
  212.232.23.217

CVEs:
  CVE-2021-32030
  CVE-2023-20118

File hashes (no description supplied in the source):
  c15f77d64b7bbfb37f00ece5a62095562b37dec4 (40 hex digits, SHA-1 length)
  20dff1120d968330c703aa485b3ea0ece45a227563ca0ffa395e4e59474dc6bd (64 hex digits, SHA-256 length)
  d92d2f102e1e417894bd2920e477638edfae7f08d78aee605b1ba799507e3e77 (64 hex digits, SHA-256 length)
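Mitigation item 4 above asks defenders to watch for edge devices forwarding traffic to attacker infrastructure. The following script is an added example (not part of the AlienVault pulse or the Sekoia report) that matches connection records against the IP indicators listed above and distinguishes the pattern the advisory describes, an organisation's own edge device sending traffic to an indicator address, from a generic indicator match. The "src=... dst=... dport=..." record format, the sample log lines and the edge-device address set are constructed assumptions; a real deployment would swap in a parser for its own router syslog, NetFlow or firewall export.

```python
"""Match connection records against the ViciousTrap IoC IP list.

Added example, not code from the advisory or from Sekoia. The record
format below is a constructed, simplified "src=... dst=... dport=..."
line; real exports need their own parser.
"""
import ipaddress
import re
from dataclasses import dataclass

# IP indicators copied from the advisory's IoC list.
VICIOUSTRAP_IPS = frozenset({
    "103.43.18.59", "103.43.19.61", "103.56.17.163", "111.90.148.112",
    "101.99.90.20", "101.99.91.151", "101.99.91.239", "101.99.94.173",
    "111.90.148.151", "155.254.60.160", "212.232.23.143", "212.232.23.168",
    "212.232.23.217",
})

# Sanity check: every indicator must be a well-formed IPv4 address, so a
# typo in a copied list fails loudly instead of silently never matching.
for _ip in VICIOUSTRAP_IPS:
    ipaddress.IPv4Address(_ip)

# Constructed record format (assumption): space-separated key=value fields.
_RECORD = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Hit:
    line_no: int
    src: str
    dst: str
    dport: int
    reason: str


def parse_record(line):
    """Return (src, dst, dport) from a record line, or None if unparseable."""
    m = _RECORD.search(line)
    if m is None:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def scan(lines, edge_devices, iocs=VICIOUSTRAP_IPS):
    """Return a Hit for every record that touches an indicator address.

    edge_devices: the organisation's own edge-device addresses. A record
    whose source is one of them and whose destination is an indicator is
    the forwarding behaviour the advisory attributes to NetGhost, so it is
    reported with its own reason string for easier triage.
    """
    hits = []
    for line_no, line in enumerate(lines, start=1):
        rec = parse_record(line)
        if rec is None:
            continue  # lines without connection fields are skipped
        src, dst, dport = rec
        if dst in iocs:
            reason = ("edge device forwarding to IoC" if src in edge_devices
                      else "connection to IoC")
            hits.append(Hit(line_no, src, dst, dport, reason))
        elif src in iocs:
            hits.append(Hit(line_no, src, dst, dport, "inbound from IoC"))
    return hits


# Constructed sample records (assumption). 192.0.2.1 plays the role of the
# organisation's own router; 198.51.100.7 is benign traffic.
SAMPLE_LOG = [
    "2025-05-20T10:01:02Z router1 conn src=192.0.2.1 dst=198.51.100.7 dport=443",
    "2025-05-20T10:01:05Z router1 conn src=192.0.2.1 dst=103.43.18.59 dport=443",
    "2025-05-20T10:01:09Z router1 conn src=10.0.0.42 dst=212.232.23.217 dport=8080",
    "2025-05-20T10:01:11Z router1 conn src=101.99.90.20 dst=192.0.2.1 dport=443",
    "2025-05-20T10:01:15Z router1 link state changed",
]
EDGE_DEVICES = frozenset({"192.0.2.1"})


def demo():
    """Run the scanner over the constructed sample and return its hits."""
    return scan(SAMPLE_LOG, EDGE_DEVICES)


if __name__ == "__main__":
    for hit in demo():
        print(f"line {hit.line_no}: {hit.src} -> {hit.dst}:{hit.dport} [{hit.reason}]")
```

Running the file prints three hits: the router forwarding to 103.43.18.59, an internal host reaching 212.232.23.217, and an inbound connection from 101.99.90.20. Only the first matches the forwarding pattern the advisory describes, which is why the reason string separates it; the other two are still worth a look but do not on their own indicate a compromised edge device.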

Threat ID: 6830c74b0acd01a249275258

Added to database: 5/23/2025, 7:06:51 PM

Last enriched: 7/7/2025, 7:25:24 PM

Last updated: 8/16/2025, 7:44:31 AM
