ViciousTrap – Infiltrate, Control, Lure: Turning edge devices into honeypots en masse. blog.sekoia.io/vicioustr…
Initial access is obtained by exploiting CVE-2023-20118, a vulnerability affecting several Cisco SOHO routers. The first exploitation attempt attributed to this actor was observed in March 2025. Since then, activity has remained sustained, with attacks occurring almost daily and occasionally multiple times per day.
Analysis of the victims pointed to more than 5,000 compromised devices, concentrated in Asia. One hypothesis is that the attacker is building a distributed honeypot-like network by compromising a broad range of internet-facing equipment. Such a setup would let the actor observe exploitation attempts across many environments, potentially collect non-public or zero-day exploits, and reuse access obtained by other threat actors.