ViciousTrap – Infiltrate, Control, Lure: Turning edge devices into honeypots en masse.
ID: 2a0ccdd3-0e72-53c6-8424-7a9357bff97d
STIX ID: report--2a0ccdd3-0e72-53c6-8424-7a9357bff97d
Feed Name: Sekoia.io Blog
Date Published: 2025-05-22
Date Updated: 2026-04-29
Author: Felix Aimé, Jeremy Scion and Sekoia TDR
Sekoia.io TDR discovered and analysed an active campaign by a threat actor named ViciousTrap that exploited CVE-2023-20118 and other flaws to compromise over 5,000 edge devices (routers, DVRs, BMCs, etc.). On compromised devices the actor deployed a MIPS wget binary and a redirection script called NetGhost that forwards inbound traffic to attacker-controlled interception servers, enabling large-scale passive monitoring and Man-in-the-Middle of that traffic as well as reuse of webshells captured from it. The report provides the infection chain, the monitored device types, the infrastructure IPs and certificates, detection methods, and IoCs.
