PolarEdge
PolarEdge is a botnet/backdoor malware family targeting internet-facing edge and IoT devices, especially routers and NAS appliances. Sekoia first publicly documented it in February 2025, but reporting places activity in late 2023 and, in Censys's telemetry, as early as June 2023. The malware has been associated with exploitation of CVE-2023-20118 in Cisco Small Business routers, and the broader cluster has been linked to exploitation of known flaws in ASUS, QNAP, and Synology devices. Victim device types named across reporting include Cisco and ASUS routers, QNAP and Synology NAS appliances, IP cameras, firewalls, VoIP phones, and other always-on edge equipment.
Sekoia named the malware and botnet PolarEdge because of its use of the Mbed TLS library (formerly PolarSSL), its PolarSSL-branded certificates, and its focus on edge devices. The malware is described as a TLS-based ELF backdoor; reported payload names include cipher_log, sshd_sftp, QTS.install.ssl, and hdparmd. In the documented Cisco exploitation chain, attackers used CVE-2023-20118 to deploy a webshell and then fetch a shell script (named "q" in Sekoia's reporting) that downloaded and executed the PolarEdge implant. The implant's configuration is stored in the final 512 bytes of the ELF file and obfuscated with a single-byte XOR key (0x11), which makes it cheap to recover from a captured sample.
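The trailing-configuration layout described above is simple enough to triage by hand. The script below is an added example (not code from Sekoia or from the malware): it validates that the input is an ELF, XOR-decodes its last 512 bytes with 0x11, and pulls printable, NUL-separated strings out of the result. The sample image built by build_sample() is constructed here for the demonstration; its host:port, process name and path values are assumptions, and the real field layout of the configuration block is not documented on this page, so the decoder stops at string extraction.

```python
"""Recover a PolarEdge-style trailing configuration block from an ELF image.

Added example; not code from the cited reports or the malware. It applies the
layout the reporting describes: configuration in the last 512 bytes of the
ELF, obfuscated with a one-byte XOR key of 0x11.
"""
import re
import sys
from typing import List

CONFIG_SIZE = 512
XOR_KEY = 0x11
ELF_MAGIC = b"\x7fELF"


def decode_trailing_config(data: bytes, size: int = CONFIG_SIZE, key: int = XOR_KEY) -> bytes:
    """Return the XOR-decoded last `size` bytes of an ELF image.

    A wrong or truncated file raises ValueError instead of being decoded
    silently, so the check is safe to run over a whole firmware extraction.
    """
    if not data.startswith(ELF_MAGIC):
        raise ValueError("not an ELF image")
    if len(data) < size + len(ELF_MAGIC):
        raise ValueError("file too short to carry a trailing config block")
    return bytes(b ^ key for b in data[-size:])


def printable_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII of at least `min_len` bytes (fields are NUL-separated)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def build_sample() -> bytes:
    """Constructed stand-in for an infected binary (NOT a real sample):
    an ELF magic prefix, filler bytes, then a fake config XORed with 0x11.
    The 198.51.100.7:44444 address and the /tmp/ path are assumptions."""
    header = ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9      # e_ident-like prefix
    body = b"\x90" * 64                                      # stand-in code bytes
    fields = [b"198.51.100.7:44444", b"igmpproxy", b"/tmp/"]  # RFC 5737 test address
    config = b"\x00".join(fields).ljust(CONFIG_SIZE, b"\x00")
    return header + body + bytes(b ^ XOR_KEY for b in config)


if __name__ == "__main__":
    # Usage: python polaredge_config.py <elf-file>   (no argument: decode the built sample)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for s in printable_strings(decode_trailing_config(image)):
        print(s)
```

Run it against a suspected payload such as cipher_log or hdparmd; if the output is noise rather than host names, ports and process names, the sample either uses a different key or stores its configuration elsewhere, and the check should be treated as inconclusive rather than negative.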
Functionally, PolarEdge fingerprints the infected host and communicates with command-and-control over TLS. By default it runs a built-in TLS server implemented with Mbed TLS 2.8.0, sends host fingerprint data to the C2, and waits for commands in a custom binary protocol that includes a "HasCommand" field; when instructed, it executes commands and returns the raw output. Researchers also reported a connect-back mode in which PolarEdge acts as a TLS client to download remote files, and a debug mode that allows on-the-fly configuration changes such as updating server information. Additional reported behavior includes moving or deleting files on the infected system, modifying firewall rules, masquerading the process under names such as igmpproxy, wscd, /sbin/dhcpd, httpd, upnpd, and iapp, and multiple anti-analysis techniques.
Persistence differs by component. For the backdoor itself, Sekoia reports no conventional reboot persistence: the process forks a child that checks every 30 seconds whether /proc/<parent-pid> still exists and relaunches the backdoor if the parent has gone. A practical consequence for responders is that killing only the main process triggers a relaunch, so the parent and the watchdog child must be stopped together, and a reboot clears the backdoor unless a separate startup hook is present. Other reporting on the broader botnet states that payloads can be made to run at startup, and the later-linked RPX_Client component reportedly persists by appending "/bin/sh /mnt/mtd/rpx.sh &" to /etc/init.d/rcS.
Multiple reports assess PolarEdge as resembling or supporting an Operational Relay Box (ORB) network. Sekoia and Censys described the operation as exploiting vulnerable edge devices and combining them with VPS infrastructure to build a global relay/proxy network. Censys reported the botnet growing from roughly 150 devices in June 2023 to nearly 40,000 by August 2025, while other reporting cited more than 2,000 infected devices earlier in 2025 and later more than 25,000 infected devices tied to RPX_Client datasets. These counts come from different vantage points (internet scanning versus RPX_Client registration data) and time periods, so they are not directly comparable. Reported concentrations include South Korea, the United States, Taiwan, China, Thailand, Malaysia, India, Israel, Vietnam, Indonesia, and Russia, depending on the dataset and period.
A later reverse-engineering report by XLab linked a previously undocumented component, RPX_Client, to the cluster. RPX_Client registers with RPX_Server nodes, provides proxy services, and enables remote command execution. It stores its configuration in an XOR-obfuscated file, disguises its process name as "connect_server", enforces single-instance execution through the marker file /tmp/.msc, connects to RPX_Server on TCP port 55555 for registration and proxying, and connects to a Go-Admin service on TCP port 55560 for remote command execution, including the commands change_pub_ip and update_vps. XLab reported 140 active RPX_Server nodes, largely on Alibaba Cloud and Tencent Cloud, and tied earlier infrastructure such as 82.118.22[.]155 and beastdositadvtofm[.]site to PolarEdge through decrypted configuration and DNS relationships.
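The host-side artefacts described for the backdoor (masqueraded process names, the forked watchdog) and for RPX_Client (the "connect_server" name, /tmp/.msc, the rcS line) can be checked with one pass over /proc and two files. The script below is an added example, not code from any of the cited reports. It flags processes that advertise one of the reported names while their executable is something else, notes parent/child pairs running the same binary (the watchdog pattern), and checks for the lock file and the rcS persistence line. The constructed sample snapshot embeds assumed paths (/tmp/cipher_log, /mnt/mtd/rpx); the reporting does not give the on-disk locations.

```python
"""Hunt PolarEdge / RPX_Client host artefacts on a Linux edge device.

Added example; not code from the cited reports. Indicators checked:
process-name masquerading (igmpproxy, wscd, dhcpd, httpd, upnpd, iapp),
the RPX_Client name "connect_server", a parent/child pair running the same
binary (the reported 30-second watchdog), the /tmp/.msc marker, and
"/mnt/mtd/rpx.sh" referenced from /etc/init.d/rcS.
"""
import os
import sys
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

Proc = namedtuple("Proc", "pid ppid comm exe cmdline")

MASQUERADE_NAMES = {"igmpproxy", "wscd", "dhcpd", "httpd", "upnpd", "iapp"}
RPX_PROCESS_NAME = "connect_server"
RPX_LOCK_FILE = "/tmp/.msc"
RCS_PATH = "/etc/init.d/rcS"
RCS_MARKER = "/mnt/mtd/rpx.sh"


def collect_procs() -> List[Proc]:
    """Snapshot /proc on a live host (root is needed to read every exe link)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            stat = open(f"/proc/{pid}/stat").read()
            ppid = int(stat.rsplit(")", 1)[1].split()[1])   # field after the state letter
            raw = open(f"/proc/{pid}/cmdline", "rb").read().split(b"\0")[0]
            cmdline = raw.decode(errors="replace")
        except OSError:
            continue                                            # process exited mid-scan
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None                                          # kernel thread or no permission
        procs.append(Proc(pid, ppid, comm, exe, cmdline))
    return procs


def collect_files() -> Dict[str, Optional[str]]:
    """Lock-file presence ("" if present, None if absent) and the rcS content."""
    files: Dict[str, Optional[str]] = {RPX_LOCK_FILE: "" if os.path.exists(RPX_LOCK_FILE) else None}
    try:
        files[RCS_PATH] = open(RCS_PATH).read()
    except OSError:
        files[RCS_PATH] = None
    return files


def hunt(procs: List[Proc], files: Dict[str, Optional[str]]) -> List[dict]:
    """Return findings as dicts with kind, pid (None for file findings) and detail."""
    findings = []
    by_pid = {p.pid: p for p in procs}
    for p in procs:
        shown = os.path.basename(p.cmdline) or p.comm            # name the process advertises
        real = os.path.basename(p.exe.replace(" (deleted)", "")) if p.exe else None
        if shown == RPX_PROCESS_NAME:
            findings.append({"kind": "rpx_client_name", "pid": p.pid, "detail": f"{shown} -> {p.exe}"})
        elif shown in MASQUERADE_NAMES and real != shown:
            findings.append({"kind": "masquerade", "pid": p.pid, "detail": f"{shown} is really {p.exe}"})
        else:
            continue
        parent = by_pid.get(p.ppid)
        if parent and parent.exe and parent.exe == p.exe:        # watchdog child of the same binary
            findings.append({"kind": "watchdog_pair", "pid": p.pid,
                             "detail": f"child of {parent.pid} running the same binary {p.exe}"})
    if files.get(RPX_LOCK_FILE) is not None:
        findings.append({"kind": "lock_file", "pid": None, "detail": f"{RPX_LOCK_FILE} present"})
    rcs = files.get(RCS_PATH)
    if rcs and RCS_MARKER in rcs:
        findings.append({"kind": "rcs_persistence", "pid": None,
                         "detail": f"{RCS_MARKER} referenced in {RCS_PATH}"})
    return findings


def sample_snapshot() -> Tuple[List[Proc], Dict[str, Optional[str]]]:
    """Constructed snapshot for the demo; binary paths are assumptions, not reported IOCs."""
    procs = [
        Proc(1, 0, "init", "/sbin/init", "init"),
        Proc(210, 1, "httpd", "/usr/sbin/httpd", "httpd"),               # legitimate web server
        Proc(900, 1, "igmpproxy", "/tmp/cipher_log", "igmpproxy"),       # backdoor, masqueraded
        Proc(901, 900, "igmpproxy", "/tmp/cipher_log", "igmpproxy"),     # its watchdog child
        Proc(950, 1, "connect_server", "/mnt/mtd/rpx", "connect_server"),  # RPX_Client name
    ]
    files = {RPX_LOCK_FILE: "", RCS_PATH: "#!/bin/sh\n/bin/sh /mnt/mtd/rpx.sh &\n"}
    return procs, files


if __name__ == "__main__":
    # Usage: python polaredge_hunt.py [--sample]   (default: scan the live host)
    procs, files = sample_snapshot() if "--sample" in sys.argv else (collect_procs(), collect_files())
    for f in hunt(procs, files):
        print(f"{f['kind']:16} pid={f['pid']}  {f['detail']}")
```

The masquerade check compares the advertised name with the basename of /proc/<pid>/exe, so a genuine /usr/sbin/httpd is not flagged; interpreted services and busybox applets can produce benign mismatches, so treat a single masquerade hit as a lead and a watchdog pair plus lock file as strong. When a pair is found, stop both PIDs in one action, since the watchdog child relaunches the parent within 30 seconds.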
Reported infrastructure and indicators include PolarSSL-branded or PolarSSL test certificates, backdoor exposure on high non-standard TCP ports in the 40000-50000 range, and the following domains and IPs: 119.8.186[.]227, 195.123.212[.]54, longlog[.]cc, landim[.]cc, hitchil[.]cc, logchim[.]cc, largeroofs[.]top, siotherlentsearsitech[.]shop, asustordownload[.]com, 82.118.22[.]155, beastdositadvtofm[.]site, and the distribution IP 111.119.223[.]196. Reporting also notes consistent PolarSSL certificates across infected devices and, in some C2 communications, XOR-encrypted parameters with randomly chosen ports.
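Because the backdoor's TLS server presents PolarSSL-branded certificates on high ports, a certificate check is a cheap network-side hunt. The script below is an added example, not code from the cited reports: it performs a TLS handshake without validation, takes the leaf certificate in DER form, and walks the DER encoding with a minimal TLV parser to collect name strings mentioning PolarSSL or Mbed TLS. The parser is not a full X.509 implementation (it does not descend into OCTET STRING extension payloads), the port range and branding markers are taken from the reporting above, and the DER fragment used in the test is constructed, not a real certificate. Only probe devices you are authorized to assess.

```python
"""Probe a TLS listener for PolarSSL-branded certificate names.

Added example; not from the cited reports. Fetches the peer certificate
without verification and searches its DER encoding for string values that
carry PolarSSL / Mbed TLS branding. Intended for the 40000-50000 port range
the reporting associates with the PolarEdge backdoor.
"""
import socket
import ssl
import sys
from typing import List, Tuple

STRING_TAGS = {0x0C, 0x13, 0x14, 0x16, 0x1E}   # UTF8String, PrintableString, T61String, IA5String, BMPString
BRAND_MARKERS = ("polarssl", "mbed tls", "mbedtls")


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bool, bytes, int]:
    """Decode one DER TLV at pos -> (tag, constructed?, value, next_pos)."""
    tag = buf[pos]
    constructed = bool(tag & 0x20)
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                              # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, constructed, value, pos + length


def der_strings(buf: bytes) -> List[str]:
    """Every string-typed value in a DER blob, descending into constructed types."""
    out: List[str] = []
    pos = 0
    while pos < len(buf):
        tag, constructed, value, pos = _read_tlv(buf, pos)
        if constructed:
            out.extend(der_strings(value))
        elif tag in STRING_TAGS:
            enc = "utf-16-be" if tag == 0x1E else "latin-1"
            out.append(value.decode(enc, errors="replace"))
    return out


def polarssl_hits(der_cert: bytes) -> List[str]:
    """Strings in the certificate that carry PolarSSL / Mbed TLS branding."""
    return [s for s in der_strings(der_cert) if any(m in s.lower() for m in BRAND_MARKERS)]


def fetch_peer_cert(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Handshake with verification disabled and return the leaf certificate as DER."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")     # old Mbed TLS builds may only offer legacy suites
    except ssl.SSLError:
        pass                                       # not supported by this OpenSSL build; use defaults
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def _tlv(tag: int, value: bytes) -> bytes:
    """Short-form DER TLV encoder (values under 128 bytes; enough for the sample)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def sample_name_der() -> bytes:
    """Constructed DER Name, not a real certificate:
    O=PolarSSL, CN=PolarSSL Test CA, plus an unrelated UTF8String."""
    o = _tlv(0x30, _tlv(0x06, b"\x55\x04\x0a") + _tlv(0x13, b"PolarSSL"))            # 2.5.4.10
    cn = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x13, b"PolarSSL Test CA"))   # 2.5.4.3
    other = _tlv(0x0C, b"example")
    return _tlv(0x30, _tlv(0x31, o) + _tlv(0x31, cn) + other)


if __name__ == "__main__":
    # Usage: python polaredge_tls.py <host> <port>   (no arguments: check the built sample)
    if len(sys.argv) == 3:
        hits = polarssl_hits(fetch_peer_cert(sys.argv[1], int(sys.argv[2])))
    else:
        hits = polarssl_hits(sample_name_der())
    print("PolarSSL branding:", hits if hits else "none")
```

A hit is a lead, not a verdict: legitimate Mbed TLS deployments that never replaced the library's test certificate will also match, so correlate with the port, the device class and the host artefacts before escalating.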
Attribution remains unconfirmed. Several reports state that PolarEdge shows ORB-like traits and patterns similar to relay networks linked to Chinese espionage campaigns, and some articles characterize it as China-nexus or as potentially supporting cyberespionage, but its main objective is still described as unclear. What the reporting does support is that PolarEdge is a coordinated edge-device botnet/backdoor ecosystem used for encrypted remote access, host fingerprinting, command execution, file retrieval, and proxy/relay operations across compromised routers, NAS devices, and other edge systems.
Vulnerabilities exploited
In the attack chains observed in February 2025, the threat actors exploited a known flaw in Cisco Small Business routers (CVE-2023-20118) to download a shell script named "q" over FTP; that script then retrieved and executed the PolarEdge backdoor on the compromised device.
Groups observed using it
"Infected equipment show signs of malware that researchers codenamed PolarEdge..."; "Sekoia codenamed the malware and associated botnet infrastructure they mapped as PolarEdge..."
Techniques & procedures
Documented techniques, organized by ATT&CK tactic; the supporting text is quoted from the public reporting.
Initial Access
"It leverages the proprietary AiCloud service with n-day vulnerabilities in order to gain high privileges on End-Of-Life ASUS WRT routers" ... "The attacks likely exploit vulnerabilities tracked as CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2024-12912, and CVE-2025-2492 for proliferation."
Persistence
Although the backdoor does not ensure persistence across reboots, it calls fork to spawn a child process that, every 30 seconds, checks whether /proc/<parent-pid> still exists. If the directory has disappeared, the child executes a shell command to relaunch the backdoor
Stealth
Process-name masquerading under names such as igmpproxy, wscd, /sbin/dhcpd, httpd, upnpd, and iapp, together with the anti-analysis techniques noted in the overview above.
Discovery
Host fingerprinting of the infected device, with the fingerprint sent to the C2 server when the implant starts, as described in the overview above.
Command and Control
Operations of the PolarEdge botnet ... were discovered to either involve functioning as a TLS client for remote file downloads or on-the-fly configuration modifications... Execution of PolarEdge prompts default TLS server functioning to facilitate host fingerprint delivery to the command-and-control server
Recent activity
Summaries of the public sources tracked for this family (advisories, community write-ups, and news):
Botnet campaign targeting edge devices (Cisco/ASUS/QNAP/Synology) using exploits (e.g., CVE-2023-20118) to deploy a backdoor and hijack devices.
Named ORB campaign targeting routers (no additional technical details provided in the content).
PolarEdge is an IoT/edge-focused malware ecosystem used to build and operate an ORB/residential-proxy-like relay network. It compromises devices, enrolls them as proxy nodes, and uses VPS-based infrastructure for management, traffic distribution, and remote command execution, complicating attribution and source tracing.
PolarEdge is a botnet and backdoor malware that targets network devices such as ASUS routers and QNAP and Synology NAS appliances. It can function as a TLS client for remote file downloads and configuration changes, delivers host fingerprints to its C2 server, and employs anti-analysis techniques. It does not ensure persistence across reboots but uses a process-monitoring and relaunch mechanism to stay running.