ViciousTrap - Infiltrate, Control, Lure: Turning edge devices into honeypots en masse.

May 23, 2025, 7:09 p.m.

Description

A threat actor nicknamed ViciousTrap has compromised over 5,500 edge devices, transforming them into honeypots. The actor targets more than 50 brands of SOHO routers, SSL VPNs, DVRs, and BMC controllers, possibly to collect exploited vulnerabilities. The infection chain involves exploiting CVE-2023-20118 to deploy a script called NetGhost, which redirects incoming traffic to the attacker's infrastructure. The compromised devices, mostly end-of-life, are used to create a distributed honeypot-like network across Asia. The actor, likely of Chinese-speaking origin, may be attempting to observe exploitation attempts and collect non-public or zero-day exploits. The infrastructure uses servers in Malaysia, and the campaign has been ongoing since March 2025.

Date

  • Created: May 23, 2025, 6:38 p.m.
  • Published: May 23, 2025, 6:38 p.m.
  • Modified: May 23, 2025, 7:09 p.m.

Indicators


Attack Patterns

Linked vulnerabilities