{
	"id": "168e8238-97c2-4ade-870d-e6ce69723fc0",
	"created_at": "2026-04-06T00:16:44.183572Z",
	"updated_at": "2026-04-10T03:36:22.971412Z",
	"deleted_at": null,
	"sha1_hash": "a4dc1d3aeb49ea619f5aa971eb6cb5461f5e8910",
	"title": "ViciousTrap – Infiltrate, Control, Lure: Turning edge devices into honeypots en masse.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1957667,
	"plain_text": "ViciousTrap – Infiltrate, Control, Lure: Turning edge devices into\r\nhoneypots en masse.\r\nBy Felix Aimé, Jeremy Scion and Sekoia TDR\r\nPublished: 2025-05-22 · Archived: 2026-04-05 17:55:45 UTC\r\nThis article was originally distributed as a private report to our customers.\r\nKey Takeaways\r\nSekoia.io investigated a threat actor nicknamed ViciousTrap, who compromised over 5,500 edge devices,\r\nturning them into honeypots.\r\nMore than 50 brands — including SOHO routers, SSL VPNs, DVRs, and BMC controllers — are being\r\nmonitored by this actor, possibly to collect exploited vulnerabilities affecting these systems.\r\nThe actor is likely of Chinese-speaking origin, based on a weak overlap with the GobRAT infrastructure\r\nand the geographic distribution of compromised and key monitored devices.\r\nIntroduction\r\nIn a previous blogpost, Sekoia’s Threat Detection \u0026 Research (TDR) team documented the exploitation of the\r\nCVE-2023-20118 vulnerability, which was used to deploy two distinct threats: a webshell and the PolarEdge\r\nmalware.\r\nThrough the observation of activity on our honeypots, it was possible to identify a third actor, nicknamed\r\nViciousTrap by Sekoia.io, using the same vulnerability. The infection chain involves the execution of a shell\r\nscript, dubbed NetGhost, which redirects incoming traffic from specific ports of the compromised router to a\r\nhoneypot-like infrastructure under the attacker’s control, allowing them to intercept network flows.\r\nAn examination of both the attacker’s behaviour via our honeypots and its broader infrastructure, thanks to\r\ninternet scanning services, suggested that the same actor was also targeting a variety of other devices, including\r\nthose manufactured by D-Link, Linksys, ASUS, QNAP and Araknis Networks, to compose its infrastructure.\r\nAnalysis of the victims pointed to more than 5,000 compromised devices, particularly across Asia. 
A hypothesis\r\nis that the attacker is likely attempting to construct a distributed honeypot-like network by compromising a broad\r\nrange of internet-facing equipment. This setup would allow the actor to observe exploitation attempts across\r\nmultiple environments, potentially collect non-public or zero-day exploits, and reuse access obtained by\r\nother threat actors.\r\nIn support of this hypothesis, interactions observed on TDR’s honeypots revealed attempts by the attacker to reuse\r\na previously documented web shell to deploy their redirection script. This blogpost provides an analysis of this\r\ninfection chain and shares insights into the ViciousTrap infrastructure as of April 18, 2025.\r\nhttps://blog.sekoia.io/vicioustrap-infiltrate-control-lure-turning-edge-devices-into-honeypots-en-masse/\r\nPage 1 of 11\n\nInfection chain\r\nInitial access\r\nInitial access is obtained by the attacker through exploitation of the CVE-2023-20118 vulnerability, which affects\r\nseveral Cisco SOHO routers. The first exploitation attempt attributed to this actor was observed in March 2025.\r\nSince then, activity has remained sustained, with frequent attacks occurring almost daily—and occasionally\r\nmultiple times per day. All exploitation attempts originate from the single IP address 101.99.91[.]151.\r\nStep 1: The attacker exploits the CVE-2023-20118 vulnerability to download via ftpget and execute a bash script\r\nnamed a, as shown below.\r\nStep 2: The bash script a executes an ftpget command to download a file named wget, which is a busybox wget\r\nbinary compiled for the MIPS architecture (N32 MIPS64). The binary is saved in the /tmp directory of the\r\ncompromised system. It was most likely manually placed on the compromised system by the attacker, as it is not\r\navailable by default on this particular system. 
The attacker deployed this binary as it is required during the post-exploitation phase, specifically to notify the command and control (C2) server.\r\nStep 3: The CVE-2023-20118 vulnerability is exploited a second time. This time, the previously dropped wget\r\nbinary is used to retrieve and execute a second script, which includes a unique UUID in its filename for each\r\nattempt. This UUID acts as an identifier, and the C2 infrastructure appears to filter\r\ndownload requests, delivering payloads only to confirmed compromised systems by using an allow-list.\r\nPost Exploitation\r\nOnce the secondary script – main.sh (presented in the scheme on the next page) – is executed, it performs\r\nseveral key actions, such as:\r\nSelf-removal: One of the script’s initial instructions is an rm command that deletes the script itself, likely to\r\nminimise forensic artefacts and reduce detection.\r\nTargeted redirection of inbound network traffic via iptables: The script checks whether any of the\r\nfollowing ports (80, 8000, or 8080) are available (i.e., not already in use or filtered). The first available\r\nport is stored in a variable named Dport. It then clears any existing NAT redirection rules pointing to the\r\nattacker’s infrastructure before establishing a new redirection. All inbound traffic on Dport is forwarded\r\nto a destination defined within the script’s variables, corresponding to the attacker’s listening server.\r\nC2 Notification: The script sends five HTTP requests using the previously downloaded wget binary to a\r\nremote server, each containing the redirected port and the victim machine’s unique identifier. 
This likely\r\nserves as a registration or tracking mechanism on the attacker’s side.\r\nThis malicious script, internally named NetGhost, is designed to redirect network traffic from the compromised\r\nsystem to third-party infrastructure controlled by the attacker, effectively enabling Man-in-the-Middle (MitM)\r\ncapabilities.\r\nMultiple variants of the secondary script have been retrieved through wget, all of which share the same structure.\r\nEach includes a unique UUID corresponding to the specific infection attempt. The primary variation between\r\nthem lies in the destination IP used for traffic redirection. Two distinct IP addresses have been identified to date\r\n(111.90.148[.]151 and 111.90.148[.]112).\r\nWebshell reuse\r\nAs previously detailed, all observed exploitation attempts have originated from a single IP address:\r\n101.99.91[.]151. Logs from TDR’s honeypot infrastructure show the earliest trace of this IP at the beginning of\r\nMarch 2025. From that date onward, exploitation attempts have occurred on an almost daily basis, occasionally\r\neven multiple times per day.\r\nOne particularly notable event occurred in April 2025, when the attacker attempted to compromise one of TDR’s\r\nCisco RV042 honeypots using the webshell previously documented in the blogpost on PolarEdge. This specific\r\nwebshell had not been publicly released, and TDR deliberately withheld the authentication password required to\r\noperate it. As such, its appearance in an attempted compromise was both unexpected and concerning.\r\nTDR does not attribute authorship of the webshell to ViciousTrap. 
If this threat actor had been the original developer, the\r\nwebshell would be expected to have been used before April 2025.\r\nInstead, the first observed webshell reuse occurred after our blogpost, and since then, the webshell has been used\r\nregularly in subsequent attacks. Furthermore, the infection chain and post-exploitation techniques associated with\r\nthese attempts differ significantly from those documented in the blogpost on PolarEdge. The leading hypothesis\r\nis that the threat actor obtained the webshell (potentially through passive observation or data interception)\r\nand is now repurposing it for its own operations.\r\nThis assumption aligns with the attacker’s use of NetGhost, the redirection script described earlier. The\r\nredirection mechanism effectively positions the attacker as a silent observer, capable of collecting exploitation\r\nattempts and, potentially, webshell accesses in transit.\r\nDevices compromised by NetGhost\r\nFrom our analysis and our honeypots’ telemetry, most of the compromised devices used to execute NetGhost are\r\nend-of-life (EOL) devices such as Cisco SOHO routers affected by CVE-2023-20118 and D-Link DIR-850L routers compromised via an unidentified buffer overflow, the latter also confirmed by multiple exploitations seen through our\r\nhoneypots, as shown below.\r\nBased on Censys results, it seems that the threat actor behind ViciousTrap is also targeting other EOL devices such\r\nas Linksys LRT224 SOHO routers and Araknis Networks AN-300-RT-4L2W VPN routers to execute\r\nNetGhost.\r\nRecent campaign against ASUS routers\r\nOn 12 May, while writing this blog post, several of our honeypots detected the use of a new exploit\r\nserver, 101.99.91[.]239. 
We observed attacks targeting ASUS routers with the objective of\r\nextracting the router’s firmware version and establishing SSH access on port 53282 thanks to CVE-2021-32030.\r\nUpon analysing ASUS routers with an SSH daemon running on port 53282 when writing this article, it was\r\nidentified that over 9500 routers had potentially been compromised by the ViciousTrap threat actor. We haven’t\r\nobserved any honeypot created on the compromised routers.\r\nInfrastructure used in the campaign\r\nThe infrastructure used in the campaign is relatively simple and can be divided into three parts: the exploitation,\r\nnotification and interception servers. Although each part is dedicated to a specific type of task, the\r\ninfrastructure can be correlated by using a single certificate which is present on many attacker servers (SHA1\r\nfingerprint: c15f77d64b7bbfb37f00ece5a62095562b37dec4).\r\nAll IP addresses actively observed in this campaign—including the one used for exploitation, as well as those\r\nassociated with staging and traffic redirection—are located in Malaysia. These addresses are part of the same\r\nAutonomous System (AS45839), which is operated by Shinjiru, a Malaysian hosting provider offering services\r\nsuch as VPS hosting, dedicated servers, and cloud infrastructure.\r\nThe interception servers\r\nThe interception servers (111.90.148[.]151 and 111.90.148[.]112) are both hosted under Shinjiru\r\n(AS45839), along with other servers used for this campaign. 
These servers have hundreds of HTTP and HTTPS\r\nservices listening on high ports, all pointing to devices that the attackers aim to intercept, as shown below from\r\nCensys.\r\nTo deduce which devices and brands were monitored by the attackers, we simply executed a port scan against the\r\ninterception servers and retrieved the SSL certificates (most of which were copied from existing ones) and the\r\nHTTP body content of the services’ responses.\r\nWe identified a total of 1,690 open ports on these servers, corresponding to approximately 60 distinct monitored\r\ndevices, ranging from simple DVR devices and SOHO routers to enterprise-grade network appliances, NAS,\r\nand BMC controllers. Below is a non-exhaustive list of devices monitored by the ViciousTrap operators, with\r\nversion details when identified.\r\nDetection of devices compromised by NetGhost\r\nSince the redirection is handled at the IP level by iptables, and NetGhost does not implement real port\r\nrandomisation, it is relatively easy to deduce which devices have been compromised to redirect certain ports to the\r\nattacker’s infrastructure. Several methods can be used to achieve this.\r\nFor redirections leading to HTTPS services, as the attacker strips SSL on their interception server by creating\r\nmostly self-signed certificates, it is possible to identify compromised hosts by looking for those that share the\r\nsame SSL certificate fingerprint on the internet – the full list of certificates is present in the report appendix. 
\r\nMoreover, the operators use a rather unique JARM hash\r\n(29d3fd00029d29d00029d3fd29d29dfff2e71077958c8b453cd71f499e9b99), which revealed nearly 5300 unique\r\ncompromised hosts with this specific JARM across 84 countries when searched via Censys and adjusted for the\r\ndefault ports used by NetGhost.\r\nIt’s worth noting that Macao is the most infected country. This is likely because many internet subscribers in that\r\ncountry are using old D-Link DIR-850L SOHO routers.\r\nThe correlation of compromised hosts with redirections to HTTP services is more complex but feasible, as\r\nNetGhost uses default ports. It is possible to search for the hash of the HTTP body content issued by the\r\ninterception server in combination with the default ports. However, since this technique may produce many false\r\npositives, we can determine whether a port is being redirected to another host by analysing the Time To Live\r\n(TTL) and window size of TCP packets.\r\nAs their interception server has a TCP window size of 64240, if we observe one of the tested IP addresses\r\nresponding with SYN+ACK packets on ports 80, 8000, and 8080 (the most common ports used by this threat) with\r\na window size of 64240 and a TTL significantly lower than on other ports, the IP address becomes a strong candidate\r\nfor further inspection, as shown below.\r\nWe can also say with high confidence that they are tunnelling the communications to real devices and not decoy\r\nones. It is worth mentioning that the operators were using Nginx to set up their reverse proxies, allowing them to\r\neasily manage and strip SSL connections. 
\r\nConclusion\r\nThis is the first time Sekoia.io has observed such activity, involving the transformation of compromised edge\r\ndevices into potential relay nodes for a honeypot system. While we have not been able to attribute this activity to a\r\nspecific threat actor, the redirection of traffic to numerous assets in Taiwan and the United States without any\r\ncompromised asset in China may suggest the involvement of a Chinese-speaking actor. Moreover, a targeted\r\nsearch on Censys identified 48 hosts, including 20 associated with GobRAT and 10 linked to the unique\r\nViciousTrap infrastructure, without a strong overlap.\r\nThe final objective of ViciousTrap remains unclear, even though we assess with high confidence that it is a honeypot-style\r\nnetwork. We continue to analyse the payloads and monitor this threat closely, as we work to better understand its\r\ntactics, techniques, and overall goals.\r\nThank you for reading this blog post. Please don’t hesitate to provide your feedback on our publications. 
You can also contact us at tdr[at]sekoia.io for further discussions or future IOCs.\r\nIoCs\r\nExploitation servers\r\n101.99.91[.]151\r\n101.99.91[.]239\r\nRedirection servers\r\n111.90.148[.]151\r\n111.90.148[.]112\r\nOther infrastructure\r\n212.232.23[.]217\r\n155.254.60[.]160\r\n101.99.94[.]173\r\n103.43.19[.]61\r\n103.56.17[.]163\r\n103.43.18[.]59\r\n212.232.23[.]168\r\n212.232.23[.]143\r\n101.99.90[.]20\r\n101.99.91[.]239\r\nWget downloader \u0026 wget binary compiled by the operators\r\nd92d2f102e1e417894bd2920e477638edfae7f08d78aee605b1ba799507e3e77\r\n20dff1120d968330c703aa485b3ea0ece45a227563ca0ffa395e4e59474dc6bd\r\nSource: https://blog.sekoia.io/vicioustrap-infiltrate-control-lure-turning-edge-devices-into-honeypots-en-masse/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/vicioustrap-infiltrate-control-lure-turning-edge-devices-into-honeypots-en-masse/"
	],
	"report_names": [
		"vicioustrap-infiltrate-control-lure-turning-edge-devices-into-honeypots-en-masse"
	],
	"threat_actors": [
		{
			"id": "5f2a17c6-6168-4d2a-9e57-f93890151d02",
			"created_at": "2026-02-04T02:00:03.702522Z",
			"updated_at": "2026-04-10T02:00:03.948138Z",
			"deleted_at": null,
			"main_name": "ViciousTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:ViciousTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434604,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a4dc1d3aeb49ea619f5aa971eb6cb5461f5e8910.pdf",
		"text": "https://archive.orkl.eu/a4dc1d3aeb49ea619f5aa971eb6cb5461f5e8910.txt",
		"img": "https://archive.orkl.eu/a4dc1d3aeb49ea619f5aa971eb6cb5461f5e8910.jpg"
	}
}