Market Impact: 0.4

ViciousTrap Uses Cisco Flaw to Build Global Honeypot from 5,300 Compromised Devices

CSCO
Technology & Innovation | Cybersecurity & Data Privacy | Geopolitics & War

Cybersecurity researchers have uncovered a widespread campaign, dubbed ViciousTrap, where nearly 5,300 network edge devices, primarily Cisco routers, across 84 countries have been compromised and converted into a honeypot network by exploiting CVE-2023-20118; the attacker redirects traffic to their infrastructure to intercept network flows. The threat actor, potentially of Chinese-speaking origin, appears to be collecting exploitation attempts and web shell accesses, possibly to gather zero-day exploits or reuse access obtained by other threat actors, though the ultimate objective remains unclear.

Analysis

A campaign dubbed ViciousTrap has compromised nearly 5,300 unique network edge devices across 84 countries, with Macau a notable hotspot at 850 affected devices. The primary vector is CVE-2023-20118, a command-injection flaw in the web-based management interface of several Cisco Small Business RV series routers (RV016, RV042, RV042G, RV082, RV320 and RV325). Cisco's advisory describes the bug as requiring valid administrative credentials, so an internet-exposed management interface with weak or default credentials is the practical precondition; the affected models are end-of-life and no fixed software is available, which leaves removing them from the internet-facing edge, or replacing them, as the only real mitigation.

The threat actor uses a shell script named NetGhost to redirect incoming traffic from compromised devices to a honeypot-like infrastructure, allowing interception of network flows and potential adversary-in-the-middle attacks. The attack is multi-stage, involving the download and execution of further scripts, and the tooling can remove itself to evade detection, so a clean-looking filesystem after the fact is not evidence that a device was untouched. While the ultimate objective is not definitively known, Sekoia assesses with high confidence that the actors are building this network to observe exploitation attempts, collect non-public or zero-day exploits, and possibly reuse access obtained by other threat actors.

Initial exploitation attempts came from a single IP address ("101.99.91[.]151"), with activity dating back to March 2025; the actors later repurposed an undocumented web shell previously seen in PolarEdge botnet attacks. More recent activity targeting ASUS routers has been observed from a different address ("101.99.91[.]239"), though without creating honeypots on those devices. All involved IP addresses are located in Malaysia and linked to hosting provider Shinjiru. The attribution to a Chinese-speaking actor rests on a weak overlap with GobRAT infrastructure and on traffic redirection to assets in Taiwan and the United States, and should be read as tentative.

From a market perspective, the situation carries a moderately negative sentiment (-0.5 general, -0.7 for Cisco) and a cautious tone, reflecting the security risks and the direct involvement of Cisco hardware.
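The article names two indicators (the exploitation source addresses) and describes traffic redirection to attacker-controlled hosts, but not how the redirection is implemented. The script below is an added example for this page, not Sekoia's tooling and not the NetGhost script itself: it assumes (an assumption the article does not make) that a compromised Linux-based edge device redirects traffic with iptables NAT rules, and it performs the two checks a responder would want, namely flagging PREROUTING DNAT rules whose target lies outside local address space and matching management-log source addresses against the article's IOCs. The rule set and log lines are constructed samples, and 203.0.113.7 is a documentation address standing in for attacker infrastructure.

```python
"""Hunt for ViciousTrap-style redirection and the article's IOC addresses.

Added example for this page; it is not Sekoia's tooling and not the NetGhost
script. The article only says incoming traffic is redirected to attacker
infrastructure; it does NOT say how. This example ASSUMES the redirection is
implemented with iptables NAT (DNAT) rules, as on most Linux-based edge
devices, and checks two things a responder would want:
  1. PREROUTING DNAT rules whose destination is not a local address
     (a port-forward to the outside world is almost never legitimate), and
  2. management-interface log lines whose source is one of the IP addresses
     named in the article.
All rule and log samples below are constructed, not captured data.
"""
import ipaddress
import re

# Source addresses named in the article (defanged there as 101.99.91[.]151
# and 101.99.91[.]239). These were exploitation *sources*, not redirect targets.
IOC_IPS = {"101.99.91.151", "101.99.91.239"}

# Address space a port-forward may legitimately point into.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

DNAT_RE = re.compile(r"^-A PREROUTING\b(?P<opts>.*?)-j DNAT --to-destination (?P<dest>\S+)")
DPORT_RE = re.compile(r"--dport (\d+)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed `iptables-save -t nat` output: a normal port-forward to an
# internal host, then a DNAT that sends port 443 to an outside address
# (203.0.113.7 is a documentation address standing in for attacker infra).
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 8443 -j DNAT --to-destination 192.168.1.10:443
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 203.0.113.7:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Constructed web-management access log (common log format, generic paths).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [03/Mar/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
101.99.91.151 - - [05/Mar/2025:11:13:42 +0000] "POST /login HTTP/1.1" 200 12
198.51.100.9 - - [06/Mar/2025:09:00:00 +0000] "GET / HTTP/1.1" 200 2048
"""


def is_local(ip: str) -> bool:
    """True if ip falls in RFC 1918, loopback or link-local space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def find_external_dnat(rules_text: str) -> list:
    """Return PREROUTING DNAT rules whose target lies outside local address space."""
    findings = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        m = DNAT_RE.match(line)
        if not m:
            continue
        ip_m = IPV4_RE.search(m.group("dest"))
        if not ip_m or is_local(ip_m.group(0)):
            continue  # ordinary port-forward (or IPv6, out of scope here)
        port_m = DPORT_RE.search(m.group("opts"))
        findings.append({
            "rule": line,
            "dport": int(port_m.group(1)) if port_m else None,
            "dest": ip_m.group(0),
            "known_ioc": ip_m.group(0) in IOC_IPS,
        })
    return findings


def match_iocs(log_text: str, iocs=frozenset(IOC_IPS)) -> list:
    """Return log lines whose leading source address is in the IOC set."""
    hits = []
    for line in log_text.splitlines():
        m = IPV4_RE.match(line)
        if m and m.group(0) in iocs:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for f in find_external_dnat(SAMPLE_NAT_RULES):
        print(f"[!] external DNAT dport={f['dport']} -> {f['dest']} ioc={f['known_ioc']}")
    for hit in match_iocs(SAMPLE_ACCESS_LOG):
        print(f"[!] IOC source: {hit}")
```

On a real device, feed `find_external_dnat` the output of `iptables-save -t nat` (or the equivalent nftables dump after translation) and `match_iocs` the management-interface access log; because the article notes the tooling can delete itself, an absent script is not a clean bill of health, and the live NAT table is the more durable place to look.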