
Cybersecurity researchers have disclosed that a threat actor has compromised about 5,300 unique network edge devices in 84 countries and turned them into a honeypot-like network, in a campaign codenamed ViciousTrap.
The threat actor has been observed exploiting a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 routers (CVE-2023-20118) to rope them into a honeypot-like mesh. Most of the infections are located in Macau, with 850 compromised devices.
“The infection chain involves the execution of a shell script, dubbed NetGhost, which redirects network traffic from specific ports of the compromised router to a honeypot-like infrastructure under the attacker’s control, allowing them to intercept network flows.”
It is worth noting that the exploitation of CVE-2023-20118 was first attributed to another botnet, dubbed PolarEdge, by French cybersecurity company Sekoia.
While there is no evidence that the two sets of activities are connected, it is believed that the actor behind ViciousTrap is likely setting up a honeypot infrastructure by compromising a wide range of internet-facing devices, including SOHO routers, SSL VPNs, DVRs, and BMC controllers, spanning more than 50 brands such as Araknis Networks and D-Link.
“This setup would allow the actor to observe exploitation attempts across multiple environments and potentially collect non-public or zero-day exploits, and reuse access obtained by other threat actors,” it said.
The attack chain entails weaponizing CVE-2023-20118 to download and execute a bash script via ftpget, which then contacts an external server to fetch the wget binary. In the next stage, the Cisco flaw is exploited a second time to execute a second script retrieved using the previously dropped wget.
The second-stage shell script, internally referred to as NetGhost, is configured to redirect network traffic from the compromised system to third-party infrastructure controlled by the attacker, thereby facilitating adversary-in-the-middle (AitM) attacks. It also comes with the ability to remove itself from the compromised host to minimize the forensic trail.
Sekoia said that all exploitation attempts originated from a single IP address (“101.99.91[.]151”), with the earliest activity dating back to March 2025. In a notable incident a month later, the ViciousTrap actors are said to have repurposed an undocumented web shell previously employed in the PolarEdge botnet attacks for their own operations.
“This hypothesis aligns with the attacker’s use of NetGhost,” said security researchers Félix Aimé and Jeremy Scion. “The redirection mechanism effectively positions the attacker as a silent observer, capable of collecting exploitation attempts and, potentially, web shell accesses in transit.”
As recently as this month, exploitation attempts have also targeted ASUS routers, but from a different IP address (“101.99.91[.]239”), although the threat actors have not been found to create a honeypot on the infected devices. All the IP addresses actively used in the campaign are located in Malaysia and are part of an autonomous system (AS45839) operated by hosting provider Shinjiru.
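As an added defensive example (not code from the article or from Sekoia), the following Python triage script correlates the stages of the chain described above across constructed router log lines: a management-interface hit from one of the two source IPs named in the article, the ftpget and wget retrievals, and a NAT port-redirect rule. The log format, the `web-ui`/`exec`/`nat add` message wording and the field names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Source IPs reported in the article, with the defanging brackets removed so they match raw logs.
IOC_SOURCE_IPS = {"101.99.91.151", "101.99.91.239"}

# Assumed log format for this example: "<device> <message>". Each chain stage is
# recognised by a regex over the message part; the field names are hypothetical.
STAGE_PATTERNS = [
    ("exploit_hit",   re.compile(r"web-ui .*src=(?P<src>\d+(?:\.\d+){3})")),
    ("ftpget_script", re.compile(r"exec proc=ftpget\b")),
    ("wget_fetch",    re.compile(r"exec proc=wget\b")),
    ("port_redirect", re.compile(r"nat add .*--to-destination (?P<dst>\d+(?:\.\d+){3})")),
]
DOWNLOAD_CHAIN = ["ftpget_script", "wget_fetch", "port_redirect"]

def is_subsequence(needle, haystack):
    """True if every item of needle appears in haystack in the same relative order."""
    it = iter(haystack)
    return all(item in it for item in needle)

def triage(lines, ioc_ips=IOC_SOURCE_IPS):
    """Map each suspicious device to the ordered list of chain stages seen in its logs.
    A device is reported when its web-UI hit came from a known source IP, or when the
    ftpget -> wget -> redirect sequence is complete regardless of the source address."""
    stages, hit_from_ioc = defaultdict(list), set()
    for line in lines:
        device, _, message = line.partition(" ")
        for stage, pattern in STAGE_PATTERNS:       # first matching stage wins
            match = pattern.search(message)
            if match:
                stages[device].append(stage)
                if stage == "exploit_hit" and match.group("src") in ioc_ips:
                    hit_from_ioc.add(device)
                break
    return {dev: seen for dev, seen in stages.items()
            if dev in hit_from_ioc or is_subsequence(DOWNLOAD_CHAIN, seen)}

SAMPLE_LOG = [  # constructed for this example, not real telemetry
    "rv042-branch1 web-ui POST /login src=101.99.91.151 status=200",
    "rv042-branch1 exec proc=ftpget args=203.0.113.10 /tmp/s.sh",
    "rv042-branch1 exec proc=wget args=http://203.0.113.10/w",
    "rv042-branch1 nat add PREROUTING -p tcp --dport 443 -j DNAT --to-destination 203.0.113.20",
    "rv320-hq exec proc=wget args=http://firmware.example/update.bin",   # lone wget: benign
    "rv082-lab web-ui POST /login src=198.51.100.7 status=200",          # hit, but not an IoC IP
]
```

Running `triage(SAMPLE_LOG)` reports only `rv042-branch1`, with all four stages in order; the lone wget on `rv320-hq` and the non-IoC hit on `rv082-lab` are left alone.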
The actor is assessed to be of Chinese-speaking origin based on a weak overlap with GobRAT infrastructure and the fact that traffic is redirected to several assets in Taiwan and the United States.
“The final objective of ViciousTrap remains unclear [though] we assess with high confidence that this is a honeypot-style network,” Sekoia concluded.