
PolarEdge

Also known as: PolarEdge

PolarEdge is an Operational Relay Box (ORB) / botnet-style threat cluster active since at least late 2023 that compromises vulnerable routers, NAS, and other IoT/edge devices to build relay and proxy infrastructure. It has been described as exploiting CVE-2023-20118 for initial access and deploying a TLS backdoor referred to as "cipher_log." Reported victim device types and brands include Cisco and ASUS routers, QNAP and Synology NAS devices, and additional device families identified in later reporting such as KT CCTV, TVT DVR, Cyberoam UTM, DrayTek, D-Link, Cisco RV340, and Uniview devices.

Reporting from Sekoia, Censys, and XLab describes PolarEdge as combining compromised IoT/edge devices with purchased VPS infrastructure to form an ORB network that provides proxying, relay capability, and remote command execution. XLab attributes a previously undocumented component, RPX_Client, to PolarEdge: it onboards compromised devices into a proxy pool, registers to RPX_Server infrastructure on port 55555, and connects to a Go-Admin service on port 55560 for remote command execution, including C2 migration and self-update. RPX_Client reportedly persists by modifying init scripts, stores its configuration in an XOR-obfuscated file, and disguises its process name as "connect_server." RPX_Server nodes were reported to be concentrated on Alibaba Cloud and Tencent Cloud VPS infrastructure. The cluster has been associated with consistent PolarSSL-branded or PolarSSL test TLS certificates and ORB-like infrastructure patterns.

XLab reported identifying 140 active RPX_Server nodes, with datasets indicating more than 25,000 cumulatively infected device IPs since July 2024 across 40 countries/regions; other reporting states that infections grew from roughly 2,000 devices to more than 40,000.

Infections were reported as concentrated in Southeast Asia and North America, with notable shares in South Korea, China, Thailand, Malaysia, India, Israel, the United States, Vietnam, Indonesia, and Russia. PolarEdge has been discussed alongside other router-targeting ORB networks such as LapDogs, but reporting treats the two as separate entities despite some similarities. Multiple sources note that PolarEdge shows ORB-like traits and infrastructure patterns similar to networks linked to Chinese espionage campaigns, and some reporting explicitly describes PolarEdge as China-linked; attribution confidence varies across sources. The only alias given in the source reporting is PolarEdge / polaredge. Related components and infrastructure named in reporting are cipher_log, RPX_Client, RPX_Server, the downloader "w," and the script "q."
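The profile above gives a defender three concrete, checkable signals: edge devices opening connections to ports 55555 (RPX_Server registration) and 55560 (Go-Admin), TLS certificates carrying the PolarSSL branding, and a process on the device calling itself "connect_server". The script below is an added example, not code from any of the cited reports or from the malware, that runs those checks over constructed Zeek-style conn.log and ssl.log rows and a constructed BusyBox-style `ps` listing. The asset inventory, IP addresses, and certificate subject strings (modelled on the mbedTLS/PolarSSL test-suite names) are assumptions made for the example, not observed indicators.

```python
"""Triage constructed Zeek-style conn/ssl rows and a device process listing for the
RPX_Client / PolarEdge indicators named in the profile. Example code only."""
from dataclasses import dataclass
from typing import Iterator

# Ports reported for RPX_Client: 55555 = RPX_Server registration, 55560 = Go-Admin channel.
RPX_PORTS = {55555: "rpx_server_registration", 55560: "go_admin_command_channel"}
CERT_MARKER = "polarssl"              # PolarSSL-branded / PolarSSL test certificates
SPOOFED_PROCESS_NAME = "connect_server"

# Constructed asset inventory (assumption): which internal IPs are routers/NAS/DVRs.
EDGE_DEVICES = {"192.0.2.10": "router", "192.0.2.20": "nas", "192.0.2.30": "dvr"}

# Constructed Zeek conn.log rows: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto
CONN_LOG = """\
1718000001.100\tCx1\t192.0.2.10\t41222\t198.51.100.5\t55555\ttcp
1718000002.200\tCx2\t192.0.2.50\t51000\t198.51.100.9\t443\ttcp
1718000003.300\tCx3\t192.0.2.20\t41223\t198.51.100.5\t55560\ttcp
1718000004.400\tCx4\t192.0.2.60\t41224\t198.51.100.7\t55555\ttcp
"""
# Constructed Zeek ssl.log rows: ts, uid, id.orig_h, id.resp_h, id.resp_p, subject, issuer.
# Subject/issuer mimic the mbedTLS/PolarSSL test-suite names; they are not observed certs.
SSL_LOG = """\
1718000001.150\tCx1\t192.0.2.10\t198.51.100.5\t55555\tCN=PolarSSL Server 1,O=PolarSSL,C=NL\tCN=PolarSSL Test CA,O=PolarSSL,C=NL
1718000002.250\tCx2\t192.0.2.50\t198.51.100.9\t443\tCN=example.com\tCN=Example Root CA
"""
# Constructed BusyBox-style `ps` output from a device under triage.
PS_OUTPUT = """\
  PID USER       VSZ STAT COMMAND
    1 root      1036 S    init
  412 root      2240 S    connect_server
  418 root      1900 S    /usr/bin/httpd
"""


@dataclass(frozen=True)
class Finding:
    uid: str
    src: str
    dst: str
    port: int
    reason: str


def parse_tsv(text: str) -> Iterator[list[str]]:
    """Yield tab-split fields, skipping blank lines and Zeek '#' header lines."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split("\t")


def triage_conn(conn_log: str) -> list[Finding]:
    """Flag connections to the RPX registration and Go-Admin ports."""
    findings = []
    for _ts, uid, src, _sport, dst, dport, _proto in parse_tsv(conn_log):
        port = int(dport)
        if port in RPX_PORTS:
            # An inventoried edge device reaching these ports is the ORB onboarding pattern;
            # an unclassified host still deserves a look but carries less weight.
            device = EDGE_DEVICES.get(src, "unclassified host")
            findings.append(Finding(uid, src, dst, port, f"{RPX_PORTS[port]} from {device}"))
    return findings


def triage_ssl(ssl_log: str) -> list[Finding]:
    """Flag TLS sessions whose certificate subject or issuer carries the PolarSSL branding."""
    findings = []
    for _ts, uid, src, dst, dport, subject, issuer in parse_tsv(ssl_log):
        if CERT_MARKER in subject.lower() or CERT_MARKER in issuer.lower():
            findings.append(Finding(uid, src, dst, int(dport), f"polarssl_cert subject={subject!r}"))
    return findings


def correlate(conn_log: str, ssl_log: str) -> dict[str, list[str]]:
    """Group reasons by Zeek uid so a connection hit by both signals stands out."""
    merged: dict[str, list[str]] = {}
    for f in triage_conn(conn_log) + triage_ssl(ssl_log):
        merged.setdefault(f.uid, []).append(f.reason)
    return merged


def suspicious_processes(ps_output: str) -> list[int]:
    """Return PIDs whose command name matches the name RPX_Client is reported to adopt.
    The name is chosen to blend in, so a hit is a lead for further triage, not proof."""
    pids = []
    for line in ps_output.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) >= 5 and fields[4].rsplit("/", 1)[-1] == SPOOFED_PROCESS_NAME:
            pids.append(int(fields[0]))
    return pids


if __name__ == "__main__":
    for uid, reasons in correlate(CONN_LOG, SSL_LOG).items():
        print(uid, "->", "; ".join(reasons))
    print("suspicious PIDs:", suspicious_processes(PS_OUTPUT))
```

Running it flags Cx1 on both the port and certificate signals, Cx3 on the Go-Admin port, and Cx4 on the registration port from a host not in the inventory, and returns PID 412 from the process listing. Port and process-name matches alone are weak (both are attacker-chosen and a legitimate service could reuse them); the certificate signal is the one worth alerting on by itself, and a connection that trips two of the three is the case to escalate.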

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • critical-infrastructure
  • technology
  • telecommunications
ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
