Mallory
2 malware families. Exploits CVEs in the wild.

ViciousTrap

Also known as: vicioustrap

ViciousTrap is a threat actor tracked by Sekoia.io that has compromised roughly 5,300 to 5,500 internet-facing network edge devices across 84 countries and repurposed them into a honeypot-like interception network. Sekoia first observed the activity in March 2025.

Initial access relies on known vulnerabilities in edge devices. The actor primarily exploited CVE-2023-20118, a command injection flaw in the web management interface of Cisco Small Business RV series routers, and Sekoia also observed activity targeting ASUS routers via CVE-2021-32030. GreyNoise assessed that a March 2025 ASUS router campaign it tracks as AyySSHush is very likely the work of the same actor.

The infection chain is shell-scripted: a first-stage script downloads a BusyBox wget binary, then uses it to retrieve and execute a self-deleting second-stage script that Sekoia calls NetGhost. NetGhost checks ports 80, 8000 and 8080, clears existing NAT redirection rules, and installs iptables NAT rules that forward inbound traffic on those ports to attacker-controlled infrastructure. It then registers the device by sending an HTTP request carrying the redirected port and a per-victim UUID. Because inbound connections to the device on the redirected ports terminate on attacker-controlled infrastructure, Sekoia assessed that the setup enables adversary-in-the-middle (AitM) interception and functions as a distributed honeypot network. Sekoia also reported that the actor reused a PolarEdge-related webshell that had never been publicly released, which suggests the actor obtains and repurposes other groups' tooling by intercepting or observing traffic through these devices.

Victimology spans more than 50 brands and dozens of device types, including SOHO routers, SSL VPN appliances, DVRs, NAS devices and BMC controllers. Brands reported as targeted or affected include Cisco, D-Link, Linksys, Araknis Networks, ASUS and QNAP. Sekoia reported that many compromised devices were end-of-life; Macao was notably heavily impacted, with widespread infections of old D-Link DIR-850L routers.

Infrastructure observed by Sekoia was hosted in Malaysia in AS45839, operated by Shinjiru, and campaign components were correlated through a shared TLS certificate fingerprint. Attribution is not confirmed; Sekoia assessed a likely Chinese-speaking origin based on a weak overlap with GobRAT infrastructure and on the geographic distribution of monitored and targeted assets. Known associated name: AyySSHush, the GreyNoise botnet name assessed as very likely linked to the same actor.
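NetGhost's NAT redirection is the part of this tradecraft a defender can check for directly on a device. The POSIX shell script below is an added example written for this page, not Sekoia's tooling and not anything recovered from the actor. It reads iptables NAT rules in the "-A PREROUTING ..." format printed by iptables-save -t nat or iptables -t nat -S and flags PREROUTING DNAT rules that send TCP ports 80, 8000 or 8080 to an address outside the RFC 1918 and loopback ranges, which is the shape of the redirection described above. The embedded rule set is constructed for the example; its external destinations are documentation (TEST-NET) addresses, not ViciousTrap infrastructure.

```shell
#!/bin/sh
# Added example for this page (not Sekoia's or the actor's code). Audits
# iptables NAT rules for the redirection shape NetGhost installs: PREROUTING
# DNAT rules sending TCP 80/8000/8080 to an address that is not local.
# Works on the "-A PREROUTING ..." lines printed by "iptables-save -t nat"
# or "iptables -t nat -S", so it runs under BusyBox sh on a router.

# is_private ADDR: succeeds if ADDR is in 10/8, 172.16/12, 192.168/16 or 127/8.
is_private() {
  case "$1" in
    10.*|192.168.*|127.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# find_redirects: reads rules on stdin, prints "<port> <destination>" for each
# suspicious rule, and succeeds only if at least one was found.
find_redirects() {
  found=1
  while IFS= read -r line; do
    case "$line" in
      "-A PREROUTING "*"-j DNAT"*) ;;
      *) continue ;;
    esac
    port=$(printf '%s\n' "$line" | sed -n 's/.*--dport \([0-9][0-9]*\).*/\1/p')
    dest=$(printf '%s\n' "$line" | sed -n 's/.*--to-destination \([0-9.]*\).*/\1/p')
    [ -z "$dest" ] && continue
    case "$port" in
      80|8000|8080) ;;
      *) continue ;;
    esac
    if ! is_private "$dest"; then
      printf '%s %s\n' "$port" "$dest"
      found=0
    fi
  done
  return "$found"
}

# Constructed sample NAT table: one benign port forward to a LAN host, two
# redirects of web ports to external addresses (TEST-NET documentation
# ranges, not real actor infrastructure), one external redirect on a port
# the check ignores, and an unrelated MASQUERADE rule.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:8080
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 203.0.113.7:80
-A PREROUTING -p tcp -m tcp --dport 8000 -j DNAT --to-destination 198.51.100.22:8000
-A PREROUTING -p tcp -m tcp --dport 2222 -j DNAT --to-destination 203.0.113.7:22
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# audit_sample: runs the check over the constructed sample.
audit_sample() {
  printf '%s\n' "$SAMPLE_NAT" | find_redirects
}

# On a live device, feed the real table instead of the sample:
#   iptables-save -t nat 2>/dev/null | find_redirects || echo "no external redirects on 80/8000/8080"
audit_sample
```

Run on the sample, the script prints the two external redirects (port 80 to 203.0.113.7 and port 8000 to 198.51.100.22) and ignores the LAN port forward and the port 2222 rule. The check is deliberately narrow: it does not catch a redirect that points at a LAN host the attacker already controls, and because NetGhost first clears the NAT table, an empty or unexpectedly small rule set on a device that should have port forwards is itself worth investigating.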


MITRE ATT&CK

Tradecraft

5 distinct techniques observed across reporting, grouped by tactic, with sub-techniques listed under their parent technique. A technique that ATT&CK assigns to several tactics appears under each of them, which is why the 11 entries below cover 5 distinct techniques across 6 tactics.
TA0001 Initial Access (1 technique)
  T1190 Exploit Public-Facing Application

TA0002 Execution (1 technique)
  T1059 Command and Scripting Interpreter
    T1059.004 Unix Shell

TA0003 Persistence (2 techniques)
  T1098 Account Manipulation
    T1098.004 SSH Authorized Keys
  T1556 Modify Authentication Process

TA0004 Privilege Escalation (1 technique)
  T1098 Account Manipulation
    T1098.004 SSH Authorized Keys

TA0005 Defense Evasion (1 technique)
  T1556 Modify Authentication Process

TA0006 Credential Access (2 techniques)
  T1110 Brute Force
  T1556 Modify Authentication Process