.png)
1 week ago
3
Cybersecurity researchers have disclosed that a threat actor codenamed ViciousTrap has compromised nearly 5,300 unique network edge devices across 84 countries and turned them into a honeypot-like network.
The threat actor has been observed exploiting a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers (CVE-2023-20118) to corral them into a set of honeypots en masse. A majority of the infections are located in Macau, with 850 compromised devices.
"The infection chain involves the execution of a shell script, dubbed NetGhost, which redirects incoming traffic from specific ports of the compromised router to a honeypot-like infrastructure under the attacker's control allowing them to intercept network flows," Sekoia said in an analysis published Thursday.
It's worth noting that the exploitation of CVE-2023-20118 was previously attributed by the French cybersecurity company to another botnet dubbed PolarEdge.
While there is no evidence that these two sets of activities are connected, it's believed that the threat actor behind ViciousTrap is likely setting up honeypot infrastructure by breaching a wide range of internet-facing equipment, including SOHO routers, SSL VPNs, DVRs, and BMC controllers from more than 50 brands like Araknis Networks, ASUS, D-Link, Linksys, and QNAP.
"This setup would allow the actor to observe exploitation attempts across multiple environments and potentially collect non-public or zero-day exploits, and reuse access obtained by other threat actors," it added.
The attack chain entails the weaponization of CVE-2023-20118 to download and execute a bash script via ftpget, which then contacts an external server to fetch the wget binary. In the next step, the Cisco flaw is exploited a second time, using it to execute a second script retrieved using the previously dropped wget.
The second-stage shell script, internally referenced as NetGhost, is configured to redirect network traffic from the compromised system to third-party infrastructure controlled by the attacker, thereby facilitating adversary-in-the-middle (AitM) attacks. It also comes with capabilities to remove itself from the compromised host to minimize forensic trail.
Sekoia said all exploitation attempts have originated from a single IP address ("101.99.91[.]151"), with the earliest activity dating back to March 2025. In a noteworthy event observed a month later, the ViciousTrap actors are said to have repurposed an undocumented web shell previously employed in PolarEdge botnet attacks for their own operations.
"This assumption aligns with the attacker's use of NetGhost," security researchers Felix Aimé and Jeremy Scion said. "The redirection mechanism effectively positions the attacker as a silent observer, capable of collecting exploitation attempts and, potentially, web shell accesses in transit."
As recently as this month, exploitation efforts have also targeted ASUS routers but from a different IP address ("101.99.91[.]239"), although the threat actors have not been found to create any honeypot on the infected devices. All the IP addresses actively used in the campaign are located in Malaysia and are part of an Autonomous System (AS45839) operated by hosting provider Shinjiru.
The actor is believed to be of Chinese-speaking origin on the basis of a weak overlap with the GobRAT infrastructure and the fact that traffic is redirected to numerous assets in Taiwan and the United States.
"The final objective of ViciousTrap remains unclear even [though] we assess with high confidence that it's a honeypot-style network," Sekoia concluded.
Update
In a follow-up analysis published on May 28, GreyNoise revealed that it has been tracking an ongoing exploitation campaign in which attackers have gained unauthorized, persistent access to roughly 9,000 ASUS routers exposed to the internet. The threat intelligence firm said it first discovered the activity on March 18, 2025.
"This appears to be part of a stealth operation to assemble a distributed network of backdoor devices — potentially laying the groundwork for a future botnet," it added.
"The tactics used in this campaign — stealthy initial access, use of built-in system features for persistence, and careful avoidance of detection — are consistent with those seen in advanced, long-term operations, including activity associated with advanced persistent threat (APT) actors and operational relay box (ORB) networks."
The attackers have been observed gaining access via brute-force login attempts and authentication bypasses, while also exploiting CVE-2023-39780, an authenticated command injection flaw, to execute arbitrary system commands.
Next, the threat actors are said to have employed legitimate ASUS features to enable SSH access on a custom port (TCP/53282) and insert an attacker-controlled public key for remote access. The final payload deployed as a result of the attack is a backdoor stored in non-volatile memory (NVRAM) that grants control over infected devices.
"The attacker's access survives both reboots and firmware updates, giving them durable control over affected devices," GreyNoise said. "The attacker maintains long-term access without dropping malware or leaving obvious traces by chaining authentication bypasses, exploiting a known vulnerability, and abusing legitimate configuration features."
The activity, codenamed AyySSHush, shares an IP address that overlaps with ViciousTrap ("101.99.91[.]151"), indicating that they are likely the work of the same threat actor.
The operation is designed to assemble a botnet comprising various ASUS router models, including RT-AC3100, RT-AC3200, and RT-AX55, that enables the attackers to maintain long-term access without dropping any custom malware while also evading detection by disabling router logging.
"The level of tradecraft suggests a well-resourced and highly capable adversary," GreyNoise said. "The tactics used in this campaign — stealthy initial access, use of built-in system features for persistence, and careful avoidance of detection — are consistent with those seen in advanced, long-term operations, including activity associated with advanced persistent threat (APT) actors and operational relay box (ORB) networks."
To mitigate the risk posed by the attacks, users are advised to follow the below guidance -
- Ensure the routers are up-to-date and patched against CVE-2023-39780
- Check ASUS routers for SSH access on TCP/53282
- Review the authorized_keys file for suspicious entries
- Block the IP addresses: 101.99.91[.]151, 101.99.94[.]173, 79.141.163[.]179, and 111.90.146[.]237
- If compromise is detected, perform a full factory reset and reconfigure the router manually
"The attacker's SSH configuration changes are not removed by firmware upgrades," the company cautioned. "If a router was compromised before updating, the backdoor will still be present unless SSH access is explicitly reviewed and removed."
(The story was updated after publication on May 29, 2025, to include additional insights from GreyNoise.)
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
