Full Report
Cybersecurity researchers have shed light on the inner workings of a botnet malware called PolarEdge. PolarEdge was first documented by Sekoia in February 2025, attributing it to a campaign targeting routers from Cisco, ASUS, QNAP, and Synology with the goal of corralling them into a network for an as-yet-undetermined purpose. The TLS-based ELF implant, at its core, is designed to monitor
Analysis Summary
# Threat Actor: PolarEdge Botnet Operators
## Attribution & Identity
This summary focuses on the **PolarEdge** botnet malware and the threat actors deploying it. Initial attribution for documenting the campaign was provided by Sekoia in February 2025. The activity may date back as far as June 2023. The malware infrastructure displays characteristics consistent with an Operational Relay Box (ORB) network, as detailed by Censys.
## Activity Summary
PolarEdge is a botnet targeting consumer and enterprise routers to incorporate them into a network for an undetermined purpose. The campaign was first documented in February 2025, focusing on Cisco, ASUS, QNAP, and Synology routers. In observed attack chains from February 2025, actors exploited a known vulnerability in Cisco routers (CVE-2023-20118) to download a shell script ("q") via FTP, which then retrieved and executed the PolarEdge backdoor. The activity is noted to be expanding.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploitation of known vulnerabilities in routers (e.g., CVE-2023-20118 on Cisco routers).
- **Execution/Staging:** Downloading a shell script ("q") over FTP to retrieve and execute the main backdoor.
- **Command and Control (C2):** Utilizes a TLS-based ELF implant which operates as a TLS server by default to send a host fingerprint to the C2. It can also operate in a "connect-back" mode as a TLS client.
- **Communication Protocol:** Relies on a custom binary protocol for parsing incoming requests, specifically looking for a parameter named "HasCommand."
- **Action on Objectives:** Executes remote commands based on the "HasCommand" parameter being set to ASCII 1, transmitting raw output back to the C2.
- **Defense Evasion:**
  - Employs process masquerading during initialization, randomly selecting names from a predefined list (e.g., `igmpproxy`, `wscd`, `/sbin/dhcpd`, `httpd`, `upnpd`, `iapp`).
  - Incorporates anti-analysis techniques focused on obfuscating TLS server setup and fingerprinting logic.
- **Persistence/Resilience:** Does not persist across reboots on its own; instead, a child process spawned via `fork` checks every 30 seconds for the existence of `/proc/` and relaunches the backdoor if it is missing.
- **System Modification:** Deletes specific files post-launch (e.g., `/share/CACHEDEV1_DATA/.qpkg/CMS-WS/cgi-bin/library.cgi.bak`).
**MITRE ATT&CK IDs (Inferred based on description):**
- Initial Access via Exploit Public-Facing Application (T1190)
- Remote Services (T1021 - exploitation of router management interfaces)
- Command and Control over Encrypted Channel (T1573.001 - TLS)
- Process Masquerading (T1036)
## Targeting
- **Sectors:** No specific industry; the victim base is whoever operates the affected vendors' routers and network devices (implied: consumers and businesses using them). The vendors named are Cisco, ASUS, QNAP, and Synology.
- **Geography:** Not explicitly detailed, but the target is globally deployed network hardware.
- **Victims:** Cisco, ASUS, QNAP, and Synology routers.
## Tools & Infrastructure
- **Malware Families Used:** PolarEdge (TLS-based ELF implant).
- **Infrastructure:** Operates as an Operational Relay Box (ORB) network.
- **Configuration:** Embedded in the final 512 bytes of the ELF image, obfuscated by a one-byte XOR key (0x11).
- **Libraries:** Implements its TLS server using mbedTLS v2.8.0.
- **C2 Communication:** Encrypted via TLS, using a custom binary protocol.
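The configuration detail above (final 512 bytes of the ELF image, single-byte XOR key 0x11) is the kind of fact an analyst turns into a quick triage script. The following is an added example, not code from the original report or from Sekoia/Censys: it validates the ELF magic, slices the trailing region, undoes the XOR, and sweeps the result for printable strings. The sample image and the key/value strings inside it are constructed for the demo; the real layout of the decoded blob beyond "last 512 bytes, XOR 0x11" is an assumption.

```python
"""
Added example (not from the original report): recover the trailing config
region of a PolarEdge-style ELF image and undo the one-byte XOR obfuscation.
Only "last 512 bytes" and "key 0x11" come from the report; the sample
binary and its contents are constructed here.
"""

CONFIG_SIZE = 512   # trailing region size given in the report
XOR_KEY = 0x11      # one-byte key given in the report


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def extract_config(elf_image: bytes, size: int = CONFIG_SIZE, key: int = XOR_KEY) -> bytes:
    """Return the decoded trailing config region of an ELF image.

    Raises ValueError if the input is not an ELF or is too short to hold the region.
    """
    if elf_image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if len(elf_image) < size:
        raise ValueError("image shorter than the expected config region")
    return xor_bytes(elf_image[-size:], key)


def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """Cheap 'strings'-style sweep to surface hosts/ports/flags from a decoded blob."""
    found, current = [], bytearray()
    for b in blob:
        if 0x20 <= b < 0x7F:
            current.append(b)
        else:
            if len(current) >= min_len:
                found.append(current.decode("ascii"))
            current = bytearray()
    if len(current) >= min_len:
        found.append(current.decode("ascii"))
    return found


def build_sample_image() -> bytes:
    """Constructed stand-in for an infected binary: ELF magic, filler bytes, then
    a XOR-encoded 512-byte tail holding made-up config strings (TEST-NET address)."""
    plain_config = b"c2=203.0.113.10:443\x00mode=server\x00".ljust(CONFIG_SIZE, b"\x00")
    return b"\x7fELF" + b"\x00" * 100 + xor_bytes(plain_config, XOR_KEY)


if __name__ == "__main__":
    decoded = extract_config(build_sample_image())
    for s in printable_strings(decoded):
        print(s)
```

Run it against a real sample by replacing `build_sample_image()` with the file's bytes; if the decoded region shows no readable strings, the sample may use a different key or trailing layout, and the XOR guess should be re-checked rather than trusted.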
## Implications
PolarEdge's spread across network edge devices (routers) suggests an intent to build a large-scale remote access network (botnet). The ORB characteristics imply the actors prioritize anonymity and traffic relaying. The purpose remains "undetermined" but is characteristic of infrastructure used for DDoS, credential harvesting, or proxy services (similar to the mentioned GhostSocks). The exploitation of CVE-2023-20118 indicates reliance on known, unpatched vulnerabilities in critical network infrastructure.
## Mitigations
- Immediately patch all Cisco, ASUS, QNAP, and Synology routers against known vulnerabilities (specifically noting CVE-2023-20118).
- Monitor network traffic for outbound TLS connections utilizing non-standard or custom binary protocols running on router platforms.
- Implement strong network segmentation to isolate compromised devices from critical internal assets.
- Monitor for process masquerading on affected systems, specifically looking for unexpected processes using names like `igmpproxy`, `dhcpd`, or `upnpd`.
- Review system files for unexplained ELF binaries executing via startup scripts or self-relaunching mechanisms.
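The process-masquerading mitigation above is easy to operationalize on a Linux-based device: compare each process's advertised name against where its executable actually lives. The following is an added example, not code from the original report: it checks processes whose name is on the report's masquerade list for three signs of trouble (executable deleted after launch, executable outside the directories where the real service would be installed, or name disagreeing with the executable's basename). The expected install directories and the sample process table are constructed assumptions; on a real device the `read_live_proc()` helper collects the same fields from `/proc`.

```python
"""
Added example (not from the original report): flag processes that borrow one
of the service names the report lists for PolarEdge masquerading but are not
backed by the legitimate binary. Expected install dirs and the sample
process table are constructed for the demo.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

# Names from the report's masquerade list (one entry there is a full path, so compare basenames).
MASQUERADE_NAMES = {"igmpproxy", "wscd", "dhcpd", "httpd", "upnpd", "iapp"}

# Assumption: where the genuine services live on typical router firmware; tune per platform.
EXPECTED_DIRS = {"/sbin", "/usr/sbin", "/bin", "/usr/bin"}


@dataclass
class ProcInfo:
    pid: int
    comm: str      # contents of /proc/<pid>/comm
    exe: str       # target of /proc/<pid>/exe (may end with " (deleted)")
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced by spaces


def advertised_names(p: ProcInfo) -> set[str]:
    """Names the process presents to an admin: kernel comm and argv[0] basename."""
    names = {os.path.basename(p.comm)}
    if p.cmdline:
        names.add(os.path.basename(p.cmdline.split()[0]))
    return names


def is_suspicious(p: ProcInfo) -> tuple[bool, str]:
    """Return (flagged, reason) for one process record."""
    names = advertised_names(p) & MASQUERADE_NAMES
    if not names:
        return False, ""
    if p.exe.endswith("(deleted)"):
        return True, "exe deleted on disk"
    if os.path.dirname(p.exe) not in EXPECTED_DIRS:
        return True, f"exe outside expected dirs: {p.exe}"
    if os.path.basename(p.exe) not in names:
        return True, f"name {sorted(names)} but exe is {p.exe}"
    return False, ""


def scan(procs: list[ProcInfo]) -> list[tuple[int, str]]:
    """Run is_suspicious over a process table and return (pid, reason) hits."""
    hits = []
    for p in procs:
        flagged, why = is_suspicious(p)
        if flagged:
            hits.append((p.pid, why))
    return hits


def read_live_proc() -> list[ProcInfo]:
    """Collect ProcInfo records from a real Linux /proc (only used on a device)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmd = f.read().replace(b"\x00", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited or insufficient privileges
        procs.append(ProcInfo(int(pid), comm, exe, cmd))
    return procs


# Constructed process table: one legitimate upnpd, three masquerades, one unrelated daemon.
SAMPLE_PROCS = [
    ProcInfo(812, "upnpd", "/usr/sbin/upnpd", "/usr/sbin/upnpd"),
    ProcInfo(1190, "httpd", "/tmp/.x (deleted)", "httpd"),
    ProcInfo(1204, "igmpproxy", "/tmp/igmpproxy", "igmpproxy"),
    ProcInfo(1301, "wscd", "/usr/sbin/dropbear", "wscd"),
    ProcInfo(77, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_PROCS):
        print(f"pid {pid}: {reason}")
```

Because the implant's watchdog child relaunches the backdoor, a single hit is worth correlating with a second process of the same name and a parent/child relationship before concluding the device is clean after killing one of them.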