The ViciousTrap threat actor has compromised over 5,500 edge devices, deploying a redirection script called NetGhost that reroutes incoming traffic to attacker-controlled infrastructure, effectively turning the victims into a large-scale honeypot network. The campaign primarily targets end-of-life SOHO routers and other network devices through vulnerabilities such as CVE-2023-20118; its infrastructure is hosted mainly in Malaysia, and the operators are possibly Chinese-speaking. #ViciousTrap #NetGhost #CVE2023-20118
Keypoints
- The attacker exploits CVE-2023-20118, a command injection in the web management interface of end-of-life Cisco RV-series SOHO routers, for initial access (other vendors' devices are compromised through their own vulnerabilities); exploitation started in March 2025 and originated from IP 101.99.91[.]151.
- Post-exploitation, the actor deploys NetGhost, a bash script that adds iptables rules redirecting inbound traffic on TCP ports 80, 8000 or 8080 to attacker-controlled interception servers, giving the actor an adversary-in-the-middle position on every connection reaching those ports.
- ViciousTrap's infrastructure comprises exploitation, notification and interception servers, hosted mainly in Malaysia under AS45839 and sharing a single TLS certificate across servers.
- The actor targets a wide range of end-of-life devices from Cisco, D-Link, Linksys, ASUS, QNAP and Araknis, among others, and has compromised over 5,500 devices worldwide, most of them in Asia.
- ViciousTrap was observed reusing a previously undocumented webshell tied to the PolarEdge campaign, suggesting the honeypot passively captures other threat actors' exploitation attempts and that their tooling is repurposed for ViciousTrap's own operations.
- The campaign recently expanded to ASUS routers via CVE-2021-32030, compromising over 9,500 of them and persisting through SSH access enabled on non-standard ports.
- Compromised devices can be identified by the unique TLS certificate fingerprints and the distinctive JARM hash associated with the NetGhost redirection, which has allowed thousands of infected hosts to be enumerated across 84 countries.
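The redirect NetGhost installs is the one artefact a defender can check for on a device that is still reachable. The following is an added example, not code from the report or from the actor's script: it parses an `iptables-save` dump and flags PREROUTING DNAT rules that send a watched port (80, 8000, 8080) to an address outside the LAN. The exact rule syntax NetGhost writes is not quoted on this page, so the sample dump is constructed; it borrows the two interception-server IPs from the IoC section below as redirect targets.

```python
"""Flag NetGhost-style inbound redirects in an iptables-save dump.

Added example for this page, not code from the ViciousTrap report or the
actor's script. The report describes NetGhost as a bash script that uses
iptables to send traffic arriving on TCP 80, 8000 or 8080 to an attacker-
controlled interception server. On a SOHO router, legitimate port forwards
DNAT to LAN (RFC 1918) hosts, so a PREROUTING DNAT on a watched port whose
target is a public address is the rule worth alerting on.

Assumptions (not from the page): the rule syntax below is ordinary
iptables-save output, and the sample dump is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

WATCHED_PORTS = {80, 8000, 8080}

# One rule per line, as printed by `iptables-save -t nat` on the device.
DNAT_RE = re.compile(
    r"^-A PREROUTING(?P<opts>.*?) -j DNAT --to-destination "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?\s*$"
)
DPORT_RE = re.compile(r"--dport (\d+)")


@dataclass(frozen=True)
class Redirect:
    src_port: Optional[int]   # None when the rule has no --dport (all ports)
    target_ip: str
    target_port: Optional[int]  # None when DNAT keeps the original port
    rule: str


def parse_dnat_rules(dump: str) -> List[Redirect]:
    """Extract every PREROUTING DNAT rule from an iptables-save dump."""
    rules = []
    for line in dump.splitlines():
        m = DNAT_RE.match(line.strip())
        if not m:
            continue
        dport = DPORT_RE.search(m.group("opts"))
        rules.append(Redirect(
            src_port=int(dport.group(1)) if dport else None,
            target_ip=m.group("ip"),
            target_port=int(m.group("port")) if m.group("port") else None,
            rule=line.strip(),
        ))
    return rules


def is_suspicious(r: Redirect) -> bool:
    """True for a watched-port (or all-port) DNAT whose target is off-LAN."""
    port_hit = r.src_port is None or r.src_port in WATCHED_PORTS
    return port_hit and ipaddress.ip_address(r.target_ip).is_global


def find_netghost_redirects(dump: str) -> List[Redirect]:
    """Return only the DNAT rules that match the NetGhost pattern."""
    return [r for r in parse_dnat_rules(dump) if is_suspicious(r)]


# Constructed sample dump: two benign LAN port forwards plus two redirects
# of the kind NetGhost installs (targets are the page's interception IPs).
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.20:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.1.50:8000
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 111.90.148.151:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 111.90.148.112
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

if __name__ == "__main__":
    for r in find_netghost_redirects(SAMPLE_DUMP):
        dst_port = r.target_port if r.target_port is not None else "(unchanged)"
        print(f"SUSPECT: inbound {r.src_port} -> {r.target_ip}:{dst_port}")
        print(f"  {r.rule}")
```

Run it against a real dump with `iptables-save -t nat | python3 this_script.py` after swapping `SAMPLE_DUMP` for `sys.stdin.read()`. The 8000/tcp forward to a LAN host is deliberately left unflagged: the signal is the combination of a watched port and a public target, not the port alone, which keeps ordinary port forwards out of the alert.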
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The attacker exploits CVE-2023-20118 to deploy NetGhost on vulnerable Cisco SOHO routers (“exploitation of the CVE-2023-20118 vulnerability to download via ftpget and execute a bash script”).
- [T1059.004] Command and Scripting Interpreter: Unix Shell – NetGhost is implemented as a bash shell script that configures iptables to redirect network traffic (“The bash script executes an ftpget command…to retrieve and execute a second script…”).
- [T1071.001] Application Layer Protocol: Web Protocols – The script uses HTTP requests to report back to the C2 server (“The script sends five HTTP requests … containing the redirected port and the victim machine’s unique identifier”).
- [T1070.004] Indicator Removal: File Deletion – The infection script deletes itself to reduce forensic traces (“One of the script’s initial instructions is a rm command that deletes the script itself”).
- [T1557] Adversary-in-the-Middle – Redirecting inbound traffic to attacker-controlled servers lets the actor intercept the exploitation attempts and data that reach the victim device (“redirect incoming traffic … to a honeypot-like infrastructure under the attacker’s control”).
Indicators of Compromise
- [IP Addresses] Exploitation servers – 101.99.91[.]151, 101.99.91[.]239 actively used for delivering exploits and initial intrusion.
- [IP Addresses] Redirection/interception servers – 111.90.148[.]151, 111.90.148[.]112 receive the traffic NetGhost redirects and host the honeypot infrastructure.
- [File Hashes] SHA-256 of wget downloader binaries compiled for MIPS – d92d2f102e1e417894bd2920e477638edfae7f08d78aee605b1ba799507e3e77, 20dff1120d968330c703aa485b3ea0ece45a227563ca0ffa395e4e59474dc6bd, retrieved during post-exploitation downloads.
- [IP Addresses] Other associated infrastructure – 212.232.23[.]217, 155.254.60[.]160, 101.99.94[.]173, among others linked to the attacker’s hosting environment.
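The indicators above are defanged and mixed in role, and the role determines where each one appears in a victim's logs: an exploitation server is a WAN-side source, whereas an interception server only shows up as a destination once NetGhost forwards someone else's inbound connection to it. The following is an added example, not code from the report: it refangs the list, sweeps netfilter-style log lines for both directions, and checks `sha256sum` output against the two file hashes. The log lines and the hash listing are constructed, and the log format (SRC=/DST=/DPT=) is an assumption; adapt the regex to the firewall in use.

```python
"""Sweep connection logs and file hashes for the ViciousTrap indicators.

Added example for this page, not code from the report. The indicator list is
copied from the IoC section (defanged with "[.]"); the log lines are
constructed in the netfilter LOG format and the sha256sum output is
constructed too, so neither reflects a real device.
"""
import re
from typing import Dict, List, Tuple

IOC_IPS: Dict[str, str] = {
    "101.99.91[.]151": "exploitation",
    "101.99.91[.]239": "exploitation",
    "111.90.148[.]151": "interception",
    "111.90.148[.]112": "interception",
    "212.232.23[.]217": "infrastructure",
    "155.254.60[.]160": "infrastructure",
    "101.99.94[.]173": "infrastructure",
}
IOC_SHA256 = {
    "d92d2f102e1e417894bd2920e477638edfae7f08d78aee605b1ba799507e3e77",
    "20dff1120d968330c703aa485b3ea0ece45a227563ca0ffa395e4e59474dc6bd",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("1.2[.]3.4", "hxxp://") back into a live one."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


IOC_BY_IP = {refang(k): v for k, v in IOC_IPS.items()}

# Netfilter LOG lines carry "SRC=a.b.c.d DST=e.f.g.h ... DPT=n" (assumed format).
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?DPT=(?P<dpt>\d+)")


def match_log(lines: List[str]) -> List[Tuple[int, str, str, str, int]]:
    """Return (line_no, role, direction, ip, dport) for every IoC hit.

    direction is "from" when the IoC is the source (inbound exploitation) and
    "to" when it is the destination (traffic forwarded to an interception server).
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        for direction, ip in (("from", m.group("src")), ("to", m.group("dst"))):
            role = IOC_BY_IP.get(ip)
            if role:
                hits.append((n, role, direction, ip, int(m.group("dpt"))))
    return hits


def match_hashes(sha256sum_output: str) -> List[str]:
    """Return the paths from `sha256sum` output whose digest is a known IoC."""
    paths = []
    for line in sha256sum_output.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) == 2 and parts[0].lower() in IOC_SHA256:
            paths.append(parts[1].strip())
    return paths


# Constructed sample log: an exploitation attempt from the WAN, a third party's
# port-80 connection forwarded to an interception server, and a benign line.
SAMPLE_LOG = [
    "Mar 12 04:11:02 rv042 kernel: IN=eth0 OUT= SRC=101.99.91.151 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=44122 DPT=443",
    "Mar 12 04:11:09 rv042 kernel: IN=eth0 OUT=eth0 SRC=198.51.100.7 DST=111.90.148.151 LEN=52 PROTO=TCP SPT=51002 DPT=80",
    "Mar 12 04:12:00 rv042 kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=30001 DPT=22",
]

# Constructed `sha256sum /tmp/*` output; the second digest is a placeholder.
SAMPLE_SHA = """\
d92d2f102e1e417894bd2920e477638edfae7f08d78aee605b1ba799507e3e77  /tmp/wget
0000000000000000000000000000000000000000000000000000000000000000  /tmp/busybox
"""

if __name__ == "__main__":
    for n, role, direction, ip, dport in match_log(SAMPLE_LOG):
        print(f"line {n}: {role} server {ip} ({direction}) on port {dport}")
    for path in match_hashes(SAMPLE_SHA):
        print(f"known downloader binary: {path}")
```

Two points worth keeping in a real deployment: match on the refanged form only once, at load time, so the defanged list in the report can be pasted in unchanged; and treat a hit on an interception server as evidence that this device is already redirecting, not merely being scanned, since nothing on a clean router should ever open a connection to one.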