On 18 May 2025, threat intelligence firm Sekoia.io revealed an ongoing cyber campaign dubbed ViciousTrap, which has compromised over 15,000 edge devices worldwide primarily aging SOHO routers and IoT appliances. Using advanced traffic redirection scripts and reused webshells, the campaign covertly converts vulnerable devices into distributed honeypots, enabling widespread reconnaissance and exploitation tracking across the internet.
Sekoia.io’s Threat Detection & Research (TDR) team began observing suspicious activity in early March 2025, tied to the exploitation of CVE-2023-20118, a critical flaw in multiple Cisco SOHO routers. The actor, now designated ViciousTrap, used a shell script (NetGhost) to hijack inbound traffic and silently forward it to attacker-controlled servers.
Further inspection revealed over 5,500 confirmed infections as of April 18, 2025, later growing to include over 9,500 ASUS routers via CVE-2021-32030, totaling at least 15,000 compromised devices globally.
“ViciousTrap is repurposing EOL (End-of-Life) devices as passive intelligence collectors, which poses severe risks to visibility and attribution efforts,” said Sekoia.io, 18 May 2025.
Tactics, Techniques, and Procedures (TTPs)
MITRE ATT&CK Mapping
| Tactic | Technique | Description |
|---|---|---|
| Initial Access | T1190 – Exploit Public-Facing Application | Exploits CVEs in SOHO routers and VPN appliances. |
| Execution | T1059.004 – Unix Shell | Executes NetGhost via bash and wget. |
| Command & Control | T1071.001 – Web Protocols | C2 over HTTP using unique UUIDs for identification. |
| Defense Evasion | T1070.004 – File Deletion | Scripts self-delete post-execution. |
| Collection | T1020 – Automated Collection | Intercepts incoming traffic via iptables redirection. |
Key Indicators of Compromise (IOCs)
- Malicious IPs:
101.99.91.151,101.99.91.239,111.90.148.151,111.90.148.112
- Malware Hashes:
NetGhostbash scripts (variant hashes available upon request)
- Exploited CVEs:
- CVE-2023-20118 (Cisco SOHO)
- CVE-2021-32030 (ASUS routers)
- Unidentified buffer overflow (D-Link DIR-850L)
Middle East & Africa Perspective: Why It Hits Harder
The MEA region remains heavily reliant on legacy networking equipment and imported router models, including those actively exploited in this campaign. Many of these devices lack firmware updates or vendor support. Regional cybersecurity regulations, such as Saudi Arabia’s ECC and South Africa’s POPIA, emphasize privacy and critical infrastructure protection—yet enforcement remains uneven.
“This kind of campaign puts entire ISP backbones and government endpoints at risk. MEA countries need mandatory edge device audits,” warned Dr. Youssef El-Kadi, CISO at CairoSec, on 20 May 2025.
Sekoia.io’s telemetry shows high infection densities in parts of Malaysia, China, Egypt, UAE, and Kenya areas with extensive broadband expansion but inconsistent endpoint security postures.
Global Context: An Echo of Advanced Persistent Threats
While the actor’s exact identity remains unconfirmed, linguistic clues, infrastructure reuse, and targeted devices suggest a Chinese-speaking origin. Analysts note a weak overlap with the GobRAT infrastructure, a known Chinese malware campaign.
Unlike traditional botnets, ViciousTrap appears uninterested in DDoS or ransomware monetization. Instead, it resembles a surveillance framework, passively collecting exploit attempts, possibly to harvest zero-day vulnerabilities in real time.
This model echoes methods used by APT groups such as APT41 and Winnti, which previously leveraged public honeypots to trace and intercept adversarial activities.
Webshell Reuse: A Window into Threat Actor Strategy
One of the campaign’s most concerning developments was the reuse of a proprietary webshell from a previous Sekoia case involving PolarEdge malware. The webshell had not been publicly disclosed, raising serious questions about ViciousTrap’s visibility into private research or data interception techniques.
“They may be leveraging their hijacked infrastructure to eavesdrop on other threat actors. It’s cyber-espionage meets cyber-forensics,” said Marc-Alexis Remond, Senior Analyst at Sekoia.io, on 18 May 2025.
Actionable Takeaways for CISOs, SOCs & Regulators
- Audit all SOHO and VPN edge devices immediately for models affected by CVE-2023-20118 and CVE-2021-32030.
- Decommission end-of-life devices lacking vendor support or patch mechanisms.
- Implement network segmentation to isolate vulnerable or unknown devices.
- Log all outbound HTTP connections, especially those involving wget or unknown scripts.
- Use intrusion detection tools (e.g., Zeek, Suricata) to flag iptables alterations or shell script executions.
- Join cybersecurity awareness and training campaigns for SMEs and regional ISPs.
- Employ pentesting and red-teaming to simulate honeypot redirection scenarios.
- Partner with security services providers to monitor edge infrastructure.
- Report suspected traffic anomalies to national CERTs immediately.
- Monitor cybersecurity alerts and updates for further IOCs and remediation tools.
Conclusion: A Honeypot Network That Watches the Watchers
ViciousTrap redefines the edge device threat model. By transforming everyday routers into surveillance beacons, this campaign achieves intelligence visibility without the noise of traditional attacks. The MEA region rich in infrastructure but poor in firmware hygiene must prioritize regulatory enforcement, awareness, and swift remediation. As new CVEs emerge and attackers pivot to passive collection, defenders must assume every compromised device might now be a trap within a trap.
Sources
- Sekoia.io — Blog: “ViciousTrap Campaign Analysis” (18 May 2025)
- NVD Entry: CVE-2023-20118
- NVD Entry: CVE-2021-32030
- Censys.io — Device Telemetry
- MITRE ATT&CK Framework
- CERT-EG: Cybersecurity Advisory
- CairoSec Twitter Advisory (20 May 2025)
- CyberCory — Cybersecurity News & Updates
- SaintyNet — Cybersecurity Services
