ViciousTrap - Infiltrate, Control, Lure: Turning edge devices into honeypots en masse.
A threat actor nicknamed ViciousTrap has compromised over 5,500 edge devices and turned them into honeypots. The actor targets more than 50 brands of SOHO routers, SSL VPNs, DVRs, and BMCs (baseboard management controllers), possibly to collect the exploits and vulnerabilities other attackers use in the wild. The infection chain exploits CVE-2023-20118 to deploy a script called NetGhost, which redirects incoming traffic to the attacker's infrastructure. The compromised devices, mostly end-of-life, form a distributed honeypot-like network across Asia. The actor, likely Chinese-speaking, appears to be observing exploitation attempts in order to collect non-public or zero-day exploits. The infrastructure is hosted on servers in Malaysia, and the campaign has been ongoing since March 2025.
AI Analysis
Technical Summary
ViciousTrap has compromised over 5,500 edge devices, including SOHO routers, SSL VPNs, DVRs, and BMCs from more than 50 brands. Initial access observed in the campaign exploits CVE-2023-20118, a command injection in the web management interface of Cisco Small Business RV-series routers; the pulse's indicators also list CVE-2021-32030, an authentication bypass in the administration interface of an ASUS router. The deployed script, NetGhost, redirects incoming traffic from the compromised device to attacker-controlled infrastructure, so connection attempts and exploit payloads aimed at the device arrive at the actor's backend instead. In effect the devices form a distributed honeypot network that lets ViciousTrap observe exploitation attempts, record which vulnerabilities are being exploited in the wild, and potentially capture non-public or zero-day exploits. Most of the compromised devices are end-of-life and no longer receive vendor security updates, which is why they remain exploitable. The infrastructure is hosted in Malaysia and has been active since March 2025; the actor is assessed to be Chinese-speaking. The MITRE ATT&CK techniques tagged on the pulse match this chain: T1190 (Exploit Public-Facing Application) and T1133 (External Remote Services) for initial access through the exposed management interface, and T1090 (Proxy) for the redirection of traffic through the device. The page documents no reconnaissance or lateral-movement activity, so those stages should not be assumed. Using victim devices as honeypots rather than for direct disruption or as plain proxies is an unusual approach: it turns the compromised fleet into an intelligence-collection platform that shows the actor other attackers' behaviour and new exploits as they appear.
Potential Impact
For European organizations the risk is indirect but real. The compromised population is concentrated in Asia, but the same router, SSL VPN, DVR and BMC models are sold and deployed in Europe, and a device in Europe that exposes the same management interface is exploitable in exactly the same way. Traffic that passes through a compromised edge device is redirected to infrastructure the actor controls, so the confidentiality and integrity of anything traversing that device cannot be assumed. The campaign's dependence on end-of-life hardware is the main lesson: unsupported SOHO routers and SSL VPN appliances are common in European SMEs and home offices that support remote work, and they cannot be patched. Because the honeypot network collects exploits that other actors are using, potentially including non-public ones, ViciousTrap's tooling may later be turned against targets of its own choosing, which could include European enterprises or critical infrastructure. The campaign has been running since March 2025 with no indication it has stopped, so its footprint may expand geographically.
Mitigation Recommendations
European organizations should prioritize the following mitigations:
1) Inventory all edge devices (SOHO routers, SSL VPNs, DVRs, BMCs), identify end-of-life or unsupported hardware, and replace it or isolate it from critical networks.
2) Apply available patches and firmware. CVE-2021-32030 is fixed in vendor firmware. CVE-2023-20118 has no fix because the affected Cisco RV-series routers are end-of-life; Cisco's published workaround is to disable remote management and block access to the web management interface (ports 443 and 60443) from untrusted networks, and the durable answer is replacement.
3) Segment the network so that edge devices cannot reach sensitive internal systems, limiting what a compromised device can observe or relay.
4) Monitor for the redirection behaviour NetGhost introduces: port-forward or NAT rules on the device that send inbound traffic to a public address, outbound connections from the device's own address to the IoC IPs listed below, and management services newly exposed on the WAN interface. Alert on connections to the listed IPs from any host, not only from edge devices.
5) Enforce strict access controls and multi-factor authentication on remote access services and management interfaces, and do not expose management interfaces to the Internet.
6) Work with ISPs and device manufacturers to identify and remediate compromised devices in their networks.
7) Share ViciousTrap indicators and sightings within European cybersecurity communities.
8) Educate users and administrators about the risks of outdated devices and the importance of secure configuration.
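As an added illustration of the monitoring recommendation (this is example code written for this page, not from the Sekoia report or the OTX pulse): the page says NetGhost redirects incoming traffic to the actor's infrastructure but not how, so the host-side check below assumes a Linux-based device where such redirection would appear as DNAT rules in the nat table, and pairs it with a flow-log check for the relay pattern that does not depend on that assumption. The nat-table listing, the router WAN address 198.51.100.7 and the flow records are constructed samples; the IoC addresses are the ones listed on the page.

```python
"""Detection helpers for the NetGhost-style traffic redirection described above.

Added example, not code from the Sekoia report or the OTX pulse. Assumptions:
  * The page says only that NetGhost "redirects incoming traffic" to the
    actor's infrastructure. This ASSUMES a Linux-based device on which that
    redirection would be expressed as DNAT rules in the nat table; a device
    that relays traffic some other way is only caught by the flow-log check.
  * The nat-table listing, the router WAN address 198.51.100.7 and the flow
    records are constructed samples; the IoC addresses are from the page.
"""
import ipaddress
import re

# IoC IP addresses listed on the page (attacker-controlled infrastructure).
IOC_IPS = {
    "103.43.18.59", "103.43.19.61", "103.56.17.163", "111.90.148.112",
    "101.99.90.20", "101.99.91.151", "101.99.91.239", "101.99.94.173",
    "111.90.148.151", "155.254.60.160", "212.232.23.143", "212.232.23.168",
    "212.232.23.217",
}

ROUTER_WAN_IP = "198.51.100.7"  # constructed: the suspect device's public address

# Constructed `iptables -t nat -S` output. The first DNAT rule is an ordinary
# LAN port forward; the second sends inbound WAN port 443 to an IoC address.
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.50:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 103.43.18.59:443
-A POSTROUTING -o eth0 -j MASQUERADE
"""

# Constructed flow records: (epoch seconds, src, sport, dst, dport).
# Row 2 is an Internet scanner hitting the router's WAN port 443; row 3 is the
# router opening the same port toward an IoC address one second later.
SAMPLE_FLOWS = [
    (1710000000, "203.0.113.9", 51512, ROUTER_WAN_IP, 22),
    (1710000010, "203.0.113.44", 40021, ROUTER_WAN_IP, 443),
    (1710000011, ROUTER_WAN_IP, 33890, "103.43.18.59", 443),
    (1710000020, "192.168.1.20", 50001, "192.0.2.10", 443),
]


def find_external_dnat(nat_rules):
    """Return (dport, destination, is_known_ioc) for every DNAT rule whose
    target is a public address. Forwarding to a LAN host is normal on a SOHO
    router; forwarding inbound connections to a public address means the
    device is handing them to a third party, which is what the page describes.
    """
    findings = []
    for line in nat_rules.splitlines():
        target = re.search(r"-j DNAT --to-destination ([\d.]+)(?::\d+)?", line)
        if not target:
            continue
        dst = target.group(1)
        dport = re.search(r"--dport (\d+)", line)
        if ipaddress.ip_address(dst).is_global:
            findings.append((int(dport.group(1)) if dport else None, dst, dst in IOC_IPS))
    return findings


def flows_to_iocs(flows):
    """Every flow whose destination is a listed IoC, from any source host."""
    return [f for f in flows if f[3] in IOC_IPS]


def relayed_sessions(flows, router_ip=ROUTER_WAN_IP, window=5):
    """Pair an inbound hit on the router's WAN port with an outbound flow from
    the router to an IoC on the same port within `window` seconds. That pairing
    is the network-side shape of 'redirects incoming traffic to the attacker's
    infrastructure': the router relays the scanner's session instead of
    answering it. Returns (scanner_ip, port, ioc_ip) triples.
    """
    inbound = [f for f in flows if f[3] == router_ip]
    outbound = [f for f in flows if f[1] == router_ip and f[3] in IOC_IPS]
    return [
        (i[1], i[4], o[3])
        for i in inbound
        for o in outbound
        if o[4] == i[4] and 0 <= o[0] - i[0] <= window
    ]


if __name__ == "__main__":
    for dport, dst, known in find_external_dnat(SAMPLE_NAT_RULES):
        print(f"DNAT of inbound port {dport} to public host {dst}"
              f"{' (listed IoC)' if known else ''}")
    for src, port, ioc in relayed_sessions(SAMPLE_FLOWS):
        print(f"relay: {src} -> {ROUTER_WAN_IP}:{port} forwarded to {ioc}")
```

On a real device, feed the output of `iptables -t nat -S` (or `nft list table ip nat`, after adapting the regex) to find_external_dnat; the flow checks run over NetFlow/IPFIX or firewall logs once they are normalised to the five-tuple used here. The page gives no content signature for NetGhost, so comparing files on the device against the three listed hashes is the only content-based check the indicators support.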
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Indicators of Compromise
- ip: 103.43.18.59
- ip: 103.43.19.61
- ip: 103.56.17.163
- ip: 111.90.148.112
- cve: CVE-2021-32030
- cve: CVE-2023-20118
- hash: c15f77d64b7bbfb37f00ece5a62095562b37dec4
- hash: 20dff1120d968330c703aa485b3ea0ece45a227563ca0ffa395e4e59474dc6bd
- hash: d92d2f102e1e417894bd2920e477638edfae7f08d78aee605b1ba799507e3e77
- ip: 101.99.90.20
- ip: 101.99.91.151
- ip: 101.99.91.239
- ip: 101.99.94.173
- ip: 111.90.148.151
- ip: 155.254.60.160
- ip: 212.232.23.143
- ip: 212.232.23.168
- ip: 212.232.23.217
Technical Details
- Author: AlienVault
- TLP: WHITE
- References: https://blog.sekoia.io/vicioustrap-infiltrate-control-lure-turning-edge-devices-into-honeypots-en-masse
- Adversary: ViciousTrap
- Pulse Id: 6830c0b98077133a71396f00
Threat ID: 6830c74b0acd01a249275258
Added to database: 5/23/2025, 7:06:51 PM
Last enriched: 7/7/2025, 7:25:24 PM
Last updated: 8/14/2025, 2:40:37 PM