216.73.216.169

ViciousTrap - Infiltrate, Control, Lure: Turning edge devices into honeypots en masse.

· Published 23/05/2025 18:38 · Modified 23/05/2025 19:09

Export JSON

Essential information

Published
23/05/2025 18:38
Modified
23/05/2025 19:09
Tags
2025-05-23 CVE-2021-32030 CVE-2023-20118 edge devices gobrat honeypot netghost soho routers
Related entities
2 vulnerabilities (cve), 15 observables, 1 intrusion sets (apt), 7 techniques (mitre)

Description

A threat actor nicknamed ViciousTrap has compromised over 5,500 , transforming them into honeypots. The actor targets more than 50 brands of , SSL VPNs, DVRs, and BMC controllers, possibly to collect exploited vulnerabilities. The infection chain involves exploiting to deploy a script called , which redirects incoming traffic to the attacker's infrastructure. The compromised devices, mostly end-of-life, are used to create a distributed -like network across Asia. The actor, likely of Chinese-speaking origin, may be attempting to observe exploitation attempts and collect non-public or zero-day exploits. The infrastructure uses servers in Malaysia, and the campaign has been ongoing since March 2025.

External references