Cybersecurity researchers have disclosed that a threat actor codenamed ViciousTrap has compromised nearly 5,300 unique network edge devices across 84 countries and turned them into a honeypot-like network.
The threat actor has been observed exploiting a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers (CVE-2023-20118) to corral them into a set of honeypots en masse. A majority of the infections are located in Macau, with 850 compromised devices.
“The infection chain involves the execution of a shell script, dubbed NetGhost, which redirects incoming traffic from specific ports of the compromised router to a honeypot-like infrastructure under the attacker’s control allowing them to intercept network flows,” Sekoia said in an analysis published Thursday.
It’s worth noting that the exploitation of CVE-2023-20118 was previously attributed by the French cybersecurity company to another botnet dubbed PolarEdge.
While there is no evidence that these two sets of activities are connected, it’s believed that the threat actor behind ViciousTrap is likely setting up honeypot infrastructure by breaching a wide range of internet-facing equipment, including SOHO routers, SSL VPNs, DVRs, and BMC controllers from more than 50 brands like Araknis Networks, ASUS, D-Link, Linksys, and QNAP.
“This setup would allow the actor to observe exploitation attempts across multiple environments and potentially collect non-public or zero-day exploits, and reuse access obtained by other threat actors,” it added.
The attack chain entails the weaponization of CVE-2023-20118 to download and execute a bash script via ftpget, which then contacts an external server to fetch the wget binary. In the next step, the Cisco flaw is exploited a second time, using it to execute a second script retrieved using the previously dropped wget.
The second-stage shell script, internally referenced as NetGhost, is configured to redirect network traffic from the compromised system to third-party infrastructure controlled by the attacker, thereby facilitating adversary-in-the-middle (AitM) attacks. It also comes with capabilities to remove itself from the compromised host to minimize forensic trail.
Sekoia said all exploitation attempts have originated from a single IP address (“101.99.91[.]151”), with the earliest activity dating back to March 2025. In a noteworthy event observed a month later, the ViciousTrap actors are said to have repurposed an undocumented web shell previously employed in PolarEdge botnet attacks for their own operations.
“This assumption aligns with the attacker’s use of NetGhost,” security researchers Felix Aimé and Jeremy Scion said. “The redirection mechanism effectively positions the attacker as a silent observer, capable of collecting exploitation attempts and, potentially, web shell accesses in transit.”
As recently as this month, exploitation efforts have also targeted ASUS routers but from a different IP address (“101.99.91[.]239”), although the threat actors have not been found to create any honeypot on the infected devices. All the IP addresses actively used in the campaign are located in Malaysia and are part of an Autonomous System (AS45839) operated by hosting provider Shinjiru.
The actor is believed to be of Chinese-speaking origin on the basis of a weak overlap with the GobRAT infrastructure and the fact that traffic is redirected to numerous assets in Taiwan and the United States.
“The final objective of ViciousTrap remains unclear even [though] we assess with high confidence that it’s a honeypot-style network,” Sekoia concluded.
