ViciousTrap Exploits Cisco Vulnerability to Create Global Honeypot from 5,300 Infected Devices


Cybersecurity Alert: The Rise of ViciousTrap and Its Impact on Network Security

By Ravie Lakshmanan | May 23, 2025 | Tags: Threat Intelligence / Network Security

In a significant development for cybersecurity, researchers have unveiled a coordinated campaign by a threat actor known as ViciousTrap, which has compromised approximately 5,300 unique network edge devices across 84 countries. This alarming breach has turned these devices into a honeypot-like network, raising concerns about the implications for network security worldwide.

What is ViciousTrap?

ViciousTrap is a sophisticated threat actor leveraging a critical vulnerability in Cisco Small Business routers, specifically targeting the RV016, RV042, RV042G, RV082, RV320, and RV325 models. Tracked as CVE-2023-20118, the flaw allows ViciousTrap to commandeer these routers and redirect incoming traffic to infrastructure it controls, effectively turning compromised devices into traps that capture further malicious activity.

The Scope of the Compromise

Predominantly, the infections have been traced back to Macau, where researchers found around 850 compromised devices. This geographic concentration raises specific concerns about regional security vulnerabilities, and the implications for local networks could be profound. Analyzing these incidents, cybersecurity firm Sekoia reported that the initial infection chain involved executing a shell script named NetGhost, which plays a pivotal role in redirecting traffic from targeted ports of the routers.

Exploitation Mechanism Unveiled

The exploitation process begins with the execution of a malicious shell script that downloads additional malicious components. ViciousTrap uses the Cisco vulnerability to run that first script, which in turn retrieves and executes a second script from an external server. This two-step approach not only reflects the complexity of the attack but also underscores how attackers continually evolve their methodologies to evade detection.

Honeypot Infrastructure and Its Implications

The creation of a honeypot network by ViciousTrap represents a strategic maneuver. By orchestrating a system where they can monitor and intercept network flows, ViciousTrap enables adversary-in-the-middle (AitM) attacks. These capabilities allow the actor to collect non-public and potentially zero-day exploits, affording them a unique vantage point into the behavior and tactics of other threat actors.

This shadow surveillance offers insights into exploitation attempts across a multitude of environments, providing ViciousTrap with invaluable data to refine their own operations. The executed shell scripts, designed to eliminate traces of their actions, further complicate the forensic investigation of these breaches.
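As an added, defender-side example that is not part of the article or of Sekoia's report: the snippet below audits a Linux router's NAT table for inbound port forwards that point outside the LAN, the class of traffic redirection the article attributes to NetGhost, and matches forward targets against the two IP addresses the article quotes. The `iptables-save` sample is constructed, and the assumption that the redirection is implemented with DNAT rules is mine; the article does not state how NetGhost rewires the router's ports.

```python
import ipaddress
import re

# IP addresses quoted in the article, kept in defanged form.
ARTICLE_IOCS_DEFANGED = ["101.99.91[.]151", "101.99.91[.]239"]

# RFC 1918 ranges: a port forward to one of these is a normal LAN forward.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def refang(ioc: str) -> str:
    """Turn a defanged address such as 101.99.91[.]151 back into a normal dotted quad."""
    return ioc.replace("[.]", ".")


KNOWN_BAD = {refang(i) for i in ARTICLE_IOCS_DEFANGED}

# Constructed sample of `iptables-save -t nat` output; not captured from a real device.
# Assumes (my assumption, not the article's) that NetGhost-style redirection uses DNAT.
SAMPLE_NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 101.99.91.151:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 203.0.113.7:22
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

DNAT_RE = re.compile(r"--dport (\d+) .*?-j DNAT --to-destination (\d+\.\d+\.\d+\.\d+)")


def audit_nat_rules(table: str) -> list[dict]:
    """Return one finding per DNAT rule whose target is an article IOC or lies outside the LAN."""
    findings = []
    for line in table.splitlines():
        m = DNAT_RE.search(line)
        if not m:
            continue  # not a DNAT rule; MASQUERADE and chain headers are ignored
        dport, dest_ip = int(m.group(1)), m.group(2)
        addr = ipaddress.ip_address(dest_ip)
        if dest_ip in KNOWN_BAD:
            reason = "forward target matches an IP address quoted in the article"
        elif not any(addr in net for net in LAN_NETS):
            reason = "inbound port forwarded to an address outside the LAN"
        else:
            continue  # ordinary LAN port forward, nothing to report
        findings.append({"dport": dport, "dest": dest_ip, "reason": reason})
    return findings
```

Run on a real device, `audit_nat_rules(subprocess.check_output(["iptables-save", "-t", "nat"], text=True))` turns the same check into a quick triage step; a DNAT rule to a public address on an edge router that should only forward to LAN hosts warrants a closer look.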

The Technical Landscape of ViciousTrap

Researchers have noted that all exploitation attempts have been traced to a single IP address, 101.99.91[.]151, with activity dating back to March 2025. Interestingly, the ViciousTrap actors have adapted techniques previously attributed to other botnets, particularly PolarEdge. This adaptability highlights a concerning trend in which threat actors share or revive prior exploits for new campaigns.

Further investigation indicates that exploitation attempts have also emerged from another IP address, 101.99.91[.]239, targeting ASUS routers. Unlike the Cisco intrusions, however, these attempts have not resulted in honeypots being set up on the infected devices.

Inferences on Origin and Intent

Analysts suggest that ViciousTrap may have Chinese-speaking origins, as evidenced by overlaps with known infrastructures such as GobRAT. Additionally, the IP addresses involved in the campaign are linked to a hosting provider, Shinjiru, which operates in Malaysia, hinting at an organized and potentially well-funded threat group.

While the broader objectives behind ViciousTrap’s activities remain shrouded in mystery, the intent to develop a honeypot infrastructure signals a shift in how threats to network security will be approached in the future.


With this troubling development, organizations must remain vigilant about cybersecurity practices. Understanding the methodologies employed by adversaries like ViciousTrap can help bolster defenses against future breaches. As the landscape of cybersecurity evolves, proactive measures, continuous monitoring, and swift response strategies will be crucial in mitigating these sophisticated threats.
