Severity
High
Analysis Summary
Cybersecurity researchers have reported that a threat actor, codenamed ViciousTrap, has compromised over 5,300 network edge devices across 84 countries, transforming them into a large-scale honeypot-like surveillance network. The attackers primarily exploited a critical vulnerability (CVE-2023-20118) in Cisco Small Business routers, including the RV016, RV042, RV042G, RV082, RV320, and RV325 models. The majority of the infections are found in Macau, with around 850 affected devices.
The attackers deployed a malicious shell script named NetGhost, which redirects traffic from specific ports on compromised routers to attacker-controlled infrastructure. This setup allows the threat actor to monitor and intercept network flows, effectively enabling adversary-in-the-middle (AitM) attacks. Researchers noted that the malware also includes a self-removal mechanism to reduce forensic evidence.
Interestingly, the same CVE-2023-20118 vulnerability had previously been linked to another botnet, PolarEdge. Although there is no confirmed connection between the two operations, ViciousTrap actors have repurposed a web shell previously used in PolarEdge, suggesting some level of shared tooling or knowledge reuse.
Researchers believe ViciousTrap is building this honeypot-style network by compromising a broad range of internet-facing devices beyond Cisco routers, including SOHO routers, SSL VPNs, DVRs, and BMC controllers from over 50 different vendors such as ASUS, D-Link, Linksys, and QNAP. This strategy may allow them to collect sensitive threat intelligence, including exploitation attempts and potentially zero-day vulnerabilities.
The initial exploitation traces back to March 2025 from a single IP address (101.99.91[.]151), with later activity in April involving another IP targeting ASUS routers. Both IPs are linked to Malaysian hosting provider Shinjiru. Based on traffic redirection patterns and infrastructure overlaps, researchers suspect the group may be of Chinese-speaking origin. The final intent of ViciousTrap remains uncertain, though the honeypot infrastructure is central to their operations.
Impact
- Command Execution
- Unauthorized Access
- Malware Deployment
Indicators of Compromise
IP
- 101.99.91.151
- 101.99.91.239
- 111.90.148.151
- 111.90.148.112
- 212.232.23.217
- 155.254.60.160
- 101.99.94.173
- 103.43.19.61
- 103.56.17.163
- 103.43.18.59
- 212.232.23.168
- 212.232.23.143
- 101.99.90.20
Remediation
- Apply the latest security patches to all vulnerable Cisco router models.
- Block known malicious IP addresses associated with the campaign.
- Disable any unused or unnecessary ports on internet-facing devices.
- Continuously monitor network traffic for signs of redirection or anomalies.
- Isolate compromised or suspicious devices from critical infrastructure.
- Update firmware on all internet-exposed and SOHO devices.
- Audit system and network logs for evidence of NetGhost or unauthorized access.
- Restrict administrative access to only trusted networks and personnel.
- Enforce strong authentication, including multi-factor authentication where possible.
- Remove detected malware and restore affected devices from clean backups.
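Two of the remediation steps above (blocking the listed IP addresses and auditing logs for redirection) can be turned into a simple triage script. The following is an added example, not code from the advisory or from the researchers who reported the campaign. It embeds the IOC list from this page, refangs defanged addresses such as 101.99.91[.]151, and scans constructed firewall and router log lines for two things: any occurrence of an IOC address, and any NAT/port-forward rule whose target lies outside RFC 1918 space. The `DNAT ... to <ip>:<port>` log shape is an assumption for the sake of the example, not a known NetGhost signature; the sample log lines are constructed.

```python
import ipaddress
import re

# IOC addresses exactly as listed in the advisory above.
VICIOUSTRAP_IOC_IPS = frozenset({
    "101.99.91.151", "101.99.91.239", "111.90.148.151", "111.90.148.112",
    "212.232.23.217", "155.254.60.160", "101.99.94.173", "103.43.19.61",
    "103.56.17.163", "103.43.18.59", "212.232.23.168", "212.232.23.143",
    "101.99.90.20",
})

# RFC 1918 ranges. A port-forward on an edge router whose target is outside
# these ranges deserves review, since NetGhost is described as redirecting
# traffic from specific ports to attacker-controlled infrastructure.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches plain and defanged dotted quads, e.g. 1.2.3.4 and 1.2.3[.]4
IPV4_RE = re.compile(r"\b(?:\d{1,3}(?:\.|\[\.\])){3}\d{1,3}\b")

# Assumed NAT-rule log shape "DNAT ... to <ip>:<port>" (constructed for this
# example; not a NetGhost-specific signature).
DNAT_RE = re.compile(r"\bDNAT\b.*?\bto\s+(\S+?):\d+")


def refang(ip: str) -> str:
    """Turn a defanged address like 101.99.91[.]151 back into 101.99.91.151."""
    return ip.replace("[.]", ".")


def is_private(ip: str) -> bool:
    """True if ip falls in one of the RFC 1918 ranges. Raises ValueError on non-IPs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def scan_logs(lines, iocs=VICIOUSTRAP_IOC_IPS):
    """Return (line_number, ip, reason) tuples for lines worth investigating.

    reason is "ioc_match" for a listed IOC address and "nat_to_external"
    for a NAT rule forwarding to a non-RFC1918 target.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        seen = set()
        for raw in IPV4_RE.findall(line):
            ip = refang(raw)
            if ip in iocs and ip not in seen:
                seen.add(ip)
                findings.append((lineno, ip, "ioc_match"))
        m = DNAT_RE.search(line)
        if m:
            target = refang(m.group(1))
            try:
                if not is_private(target):
                    findings.append((lineno, target, "nat_to_external"))
            except ValueError:
                pass  # target was a hostname rather than an address; skip
    return findings


# Constructed sample log lines (not taken from any real device or the advisory).
SAMPLE_LOGS = [
    "2025-05-20T10:01:02Z fw01 conn src=192.168.1.20 dst=203.0.113.10 dport=443 action=allow",
    "2025-05-20T10:02:15Z rv042 iptables: DNAT tcp dpt:443 to 101.99.91[.]151:443",
    "2025-05-20T10:03:44Z fw01 conn src=192.168.1.40 dst=212.232.23.217 dport=8443 action=allow",
    "2025-05-20T10:04:10Z fw01 conn src=192.168.1.40 dst=198.51.100.7 dport=80 action=allow",
    "2025-05-20T10:05:31Z rv042 iptables: DNAT tcp dpt:8443 to 192.168.1.50:8443",
]

if __name__ == "__main__":
    for lineno, ip, reason in scan_logs(SAMPLE_LOGS):
        print(f"line {lineno}: {reason} {ip}")
```

Feed real syslog or NetFlow exports into `scan_logs` one line at a time; the IOC match is exact, so extend `VICIOUSTRAP_IOC_IPS` if newer indicators are published, and adjust `DNAT_RE` to the rule format your own routers actually log.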