The ViciousTrap campaign represents a sophisticated threat actor operation targeting over 5,500 edge devices, including SOHO routers, SSL VPNs, DVRs, and BMC controllers from more than 50 different brands. The actor exploits vulnerabilities such as CVE-2023-20118 to deploy a malicious script named NetGhost. This script redirects incoming traffic from the compromised devices to attacker-controlled infrastructure, effectively transforming these devices into distributed honeypots. These honeypots serve as traps to lure other attackers or malware, allowing ViciousTrap to observe exploitation attempts, collect data on exploited vulnerabilities, and potentially gather zero-day or non-public exploits. The majority of the compromised devices are end-of-life, which likely lack vendor support and security updates, making them easier targets. The campaign infrastructure is based in Malaysia and has been active since March 2025. The threat actor is believed to be of Chinese-speaking origin. The attack chain involves multiple tactics and techniques, including reconnaissance, exploitation, command and control, and lateral movement, as indicated by the associated MITRE ATT&CK tags such as T1133 (External Remote Services), T1190 (Exploit Public-Facing Application), and T1090 (Proxy). The use of compromised devices as honeypots is a novel approach, turning victim devices into tools for further intelligence gathering rather than direct exploitation or disruption. This method allows the actor to monitor attacker behaviors and potentially discover new vulnerabilities or attack vectors in real time.

For European organizations, the ViciousTrap campaign poses indirect but significant risks. Although the primary targets are mostly in Asia, the global supply chain and interconnected nature of edge devices mean that similar devices in Europe could be targeted or affected. Compromised edge devices acting as honeypots could be used to gather intelligence on European networks if infected devices are present there or if attackers use these honeypots to stage attacks against European infrastructure. The presence of redirected traffic through malicious infrastructure could lead to data interception or manipulation, potentially compromising confidentiality and integrity. Additionally, the use of end-of-life devices highlights the risk posed by unsupported hardware common in many European small and medium enterprises (SMEs) and home offices. The campaign’s focus on SOHO routers and SSL VPNs is particularly concerning for remote work environments prevalent in Europe. The threat actor’s ability to collect zero-day exploits could lead to future targeted attacks against European critical infrastructure or enterprises, increasing the risk of espionage or disruption. The campaign’s ongoing nature since early 2025 suggests a persistent threat that could evolve and expand geographically.

European organizations should prioritize the following specific mitigations: 1) Conduct comprehensive inventories of all edge devices, including SOHO routers, SSL VPNs, DVRs, and BMC controllers, to identify end-of-life or unsupported hardware and replace or isolate them from critical networks. 2) Apply all available patches and firmware updates, especially addressing CVE-2023-20118 and CVE-2021-32030, even if devices are not officially supported, seek vendor or community firmware updates. 3) Implement network segmentation to isolate edge devices from sensitive internal systems, limiting lateral movement and data exposure. 4) Monitor network traffic for unusual redirections or proxying behaviors indicative of NetGhost or similar scripts, using advanced network detection tools and anomaly detection. 5) Employ strict access controls and multi-factor authentication on remote access services to reduce exploitation risk. 6) Collaborate with ISPs and device manufacturers to identify and remediate compromised devices within their networks. 7) Increase threat intelligence sharing within European cybersecurity communities to track ViciousTrap activity and related indicators. 8) Educate users and administrators about the risks of using outdated devices and the importance of secure configurations. These measures go beyond generic advice by focusing on the specific device types and attack vectors exploited by ViciousTrap, emphasizing proactive device lifecycle management and network monitoring tailored to this campaign.