Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareUsed by 1 actorExploits 1 CVE

NetGhost

NetGhost is a shell script used in the ViciousTrap campaign to repurpose compromised internet-facing edge devices into honeypot-like interception nodes. It has been observed primarily following exploitation of CVE-2023-20118 on Cisco SOHO/small business routers, where the infection chain uses ftpget to download a custom BusyBox wget binary and then retrieves a second-stage script identified as NetGhost. Sekoia also reported related ViciousTrap activity targeting ASUS routers via CVE-2021-32030, though the content specifically describes NetGhost deployment in the Cisco-focused chain.

NetGhost is designed to reduce forensic artifacts, including self-deletion, and to manipulate network traffic on the compromised device. It checks ports 80, 8000, and 8080, selects an available port, clears existing NAT redirection rules, and installs iptables NAT rules that redirect inbound traffic from the device to attacker-controlled infrastructure. This enables adversary-in-the-middle/man-in-the-middle style interception of network flows and allows the operators to observe exploitation attempts and potentially collect or reuse access and tooling from other threat actors. The script also sends multiple HTTP requests to a remote server containing the redirected port and a victim UUID to register or track successful compromise and provide operator alerts.

The malware was associated with the threat actor ViciousTrap, first observed in March 2025. Campaign infrastructure was linked to Malaysian hosting provider Shinjiru (AS45839), with exploitation activity observed from 101.99.91[.]151 and later 101.99.91[.]239. Traffic redirection destinations identified for NetGhost included 111.90.148[.]151 and 111.90.148[.]112. Sekoia correlated infrastructure using TLS certificate SHA1 fingerprint c15f77d64b7bbfb37f00ece5a62095562b37dec4 and reported a JARM hash of 29d3fd00029d29d00029d3fd29d29dfff2e71077958c8b453cd71f499e9b99 associated with thousands of compromised hosts.

Victimology described in the content includes more than 5,000 compromised edge devices across dozens of countries and over 50 brands, with notable impact in Macao. Targeted or monitored device categories included routers, VPNs, DVRs, NAS devices, and BMC controllers; referenced brands included Cisco, D-Link, Linksys, Araknis Networks, ASUS, and QNAP. Many affected devices were assessed to be end-of-life, including Cisco SOHO routers and D-Link DIR-850L routers.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVES
CVE-2023-20118Authenticated command injection in Cisco Small Business RV Series web management interfaceExploited in the wild

ViciousTrap initiates compromise by leveraging the Cisco SOHO router vulnerability, tracked as CVE-2023-20118, which enables command and bash script execution.

via scworldscworld.com
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
ViciousTrap

"...allow the eventual deployment of the NetGhost script, which not only curbs forensic artifacts and redirects inbound traffic but also provides alerts of successful compromise."

via scworldscworld.com
ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
scworldNews
May 27, 2025
Over 5.5K edge devices breached to become honeypots

A post-exploitation script deployed on compromised edge devices to reduce/curb forensic artifacts, redirect inbound traffic (supporting honeypot/traffic manipulation use cases), and alert the operator when a compromise succeeds.

Read more
the hacker newsNews
May 23, 2025
ViciousTrap Uses Cisco Flaw to Build Global Honeypot from 5,300 Compromised Devices

NetGhost is a shell script deployed on compromised routers that redirects network traffic to attacker-controlled infrastructure, enabling adversary-in-the-middle attacks and observation of exploitation attempts. It also has self-removal capabilities to evade forensic analysis.

Read more
sekoia blogNews
May 22, 2025
ViciousTrap - Infiltrate, Control, Lure: Turning edge devices into honeypots en masse. - Sekoia.io Blog

A post-exploitation shell script that uses iptables NAT rules to redirect inbound traffic (notably ports 80/8000/8080) from compromised edge devices to attacker-controlled interception servers, enabling man-in-the-middle traffic interception and collection of exploitation/webshell activity. It also beacons/registrations to attacker infrastructure using a dropped wget binary and self-deletes to reduce artifacts.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities1

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.