Security researchers have published a technical analysis of the PolarEdge botnet, a campaign actively observed since February 2025 and aimed at networking and NAS gear from Cisco, ASUS, QNAP, and Synology. Infrastructure signals reviewed by Censys in August 2025 suggest the activity may date back to June 2023 and exhibits traits of an Operational Relay Box (ORB)—a distributed proxy layer used by threat actors to obscure command-and-control (C2) traffic and complicate attribution.
PolarEdge overview: timeline, targets, and suspected ORB footprint
PolarEdge aggregates compromised small office/home office (SOHO) and NAS devices into a covert network whose precise end-goals remain unclear. The infrastructure’s distributed nature and relay behavior align with ORB patterns, where infected hosts act as intermediate nodes to forward traffic, improving resilience against takedowns and IP-based blocking.
Initial access: CVE-2023-20118 exploitation in Cisco routers
Observed intrusions leveraged the publicly disclosed CVE-2023-20118 in Cisco routers to gain a foothold. Operators uploaded a minimal shell script named “q” over FTP; this loader then fetched and executed the PolarEdge backdoor on the device. The two-stage approach is common in IoT campaigns because it keeps the initial compromise small and low-noise while streamlining payload delivery.
Backdoor design: TLS server, custom protocol, and embedded configuration
The core backdoor first fingerprints the host and reports to its controller, then listens for instructions over a built-in TLS service. Implemented with mbedTLS v2.8.0, it speaks a custom binary protocol. A key field, HasCommand, gates tasking: when its value equals ASCII “1,” the malware reads a Command field, executes it on the device, and returns the output.
PolarEdge supports two operating modes. In backconnect mode, it acts as a TLS client to pull files from a remote server, while a debug mode allows interactive reconfiguration, including updating C2 endpoints. By default, the malware runs as a TLS server, awaiting inbound operator connections.
Configuration data is embedded in the final 512 bytes of the ELF binary and obfuscated with a single-byte XOR using the key 0x11. While rudimentary, the obfuscation hides the C2 parameters from simple string searches, complicating static analysis and pushing analysts toward dynamic inspection to recover them.
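As an added illustration of the analysis step this implies (this is not code from the report or from the malware), the Python below recovers a configuration region of the kind described: it takes the last 512 bytes of an ELF, guesses the single-byte XOR key from the most frequent byte (NUL padding XORed with the key becomes runs of the key byte), confirms it against the reported 0x11, and lists the printable strings. The stand-in binary, its NUL-separated field layout, and the host/port/mode values are constructed test data; the page does not give the real sample's field layout.

```python
"""
Added analysis example, not code from the report or the PolarEdge sample:
decode a configuration blob stored in the final 512 bytes of an ELF and
obfuscated with a single-byte XOR key of 0x11, as the write-up describes.
The stand-in binary, field layout and values below are constructed.
"""
from collections import Counter

CONFIG_SIZE = 512          # size of the trailing configuration region
KNOWN_KEY = 0x11           # key reported in the analysis
ELF_MAGIC = b"\x7fELF"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def build_sample_elf(config: bytes) -> bytes:
    """Construct a stand-in 'binary': ELF magic, filler, then the config
    NUL-padded to 512 bytes and XOR-obfuscated (constructed test data)."""
    if len(config) > CONFIG_SIZE:
        raise ValueError("config larger than the trailing region")
    header = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9   # minimal e_ident
    filler = b"\x90" * 1024                             # stand-in for code
    padded = config.ljust(CONFIG_SIZE, b"\x00")
    return header + filler + xor_bytes(padded, KNOWN_KEY)


def guess_single_byte_key(region: bytes) -> int:
    """Heuristic: zero padding XORed with the key becomes runs of the key
    byte, so the most frequent byte in the region is usually the key."""
    byte, _count = Counter(region).most_common(1)[0]
    return byte


def extract_config(binary: bytes, key: int = KNOWN_KEY) -> bytes:
    """Return the decoded trailing 512 bytes after sanity-checking the file."""
    if not binary.startswith(ELF_MAGIC):
        raise ValueError("not an ELF file")
    if len(binary) < CONFIG_SIZE:
        raise ValueError("file shorter than the configuration region")
    return xor_bytes(binary[-CONFIG_SIZE:], key)


def printable_strings(blob: bytes) -> list:
    """Split the decoded blob on NUL bytes and keep printable ASCII runs,
    which is where C2 host, port and mode strings typically surface."""
    out = []
    for part in blob.split(b"\x00"):
        if part and all(0x20 <= b < 0x7F for b in part):
            out.append(part.decode("ascii"))
    return out


def recover(binary: bytes) -> dict:
    """Full workflow: guess the key, compare it with the reported 0x11,
    decode the region and list its strings."""
    key = guess_single_byte_key(binary[-CONFIG_SIZE:])
    return {
        "key": key,
        "matches_reported_key": key == KNOWN_KEY,
        "strings": printable_strings(extract_config(binary, key)),
    }


if __name__ == "__main__":
    # Constructed configuration: host, port and mode are placeholders.
    sample = build_sample_elf(b"c2.example.invalid\x00443\x00server\x00")
    print(recover(sample))
```

The key guess is only a heuristic: it works when the region is mostly padding, which is the case here, and the comparison with the reported key is the sanity check that the guess has not been fooled by a densely packed blob.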
Evasion and resilience: process masquerading and watchdog behavior
To reduce detection risk during incident triage, PolarEdge masquerades as common system processes; observed names include igmpproxy, wscd, /sbin/dhcpd, httpd, upnpd, and iapp. After infection it also moves binaries such as /usr/bin/wget and /sbin/curl and deletes /share/CACHEDEV1_DATA/.qpkg/CMS-WS/cgi-bin/library.cgi.bak. The intent is unclear, but these changes may hinder routine administration or conceal earlier tooling.
While it does not establish autostart persistence, PolarEdge implements a watchdog: the parent process forks, and the child checks /proc/<parent-pid> every 30 seconds. If the parent exits, the child relaunches the backdoor via shell. This increases process durability and complicates simple kill-and-go remediation.
Operational risks: proxy abuse and long dwell time
ORB-like architectures enable threat actors to proxy command, payload delivery, and exfiltration through victim devices, undermining IP reputation controls and hindering takedowns. If PolarEdge’s activity began in mid-2023, some devices may have endured long-term compromise, raising risks of covert lateral movement, bandwidth abuse, and reputational damage for organizations unwittingly relaying malicious traffic.
Detection and mitigation: steps for Cisco, ASUS, QNAP and Synology administrators
Prioritize patching for CVE-2023-20118 and other firmware vulnerabilities, and disable or restrict FTP/TFTP where not required. Cisco customers should follow official PSIRT advisories and validate that exposed management services are restricted to allowlisted IPs via ACLs or VPN.
Hunt for observable behaviors
Conduct targeted threat hunting on perimeter and NAS segments:
• Unexpected TLS services listening on nonstandard ports or devices that typically do not host TLS servers.
• Processes using suspicious “system-like” names (for example, igmpproxy, wscd, httpd) without the expected binaries or service metadata.
• Anomalies involving wget/curl paths or missing expected backup files on NAS units.
• Outbound connections to unusual destinations or patterns indicative of custom protocols over TLS.
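The hunting items above, together with the process masquerading and fork-based watchdog described earlier, can be checked from a process and socket snapshot. The Python below is an added example, not tooling from the report: it flags known daemon names running from an unexpected path, parent/child pairs that share name and executable (the watchdog shape, corroborated by the path check because legitimate pre-forking servers such as httpd also fork same-name children), and TLS listeners on ports where the device should not terminate TLS. It also orders the stop sequence child-first, since the child relaunches the backdoor when the parent dies. The expected-path table, the TLS port allowlist, and the snapshot records (including the /tmp path) are constructed assumptions, not values from the report.

```python
"""
Added hunting example, not tooling from the report: triage constructed
process/listener snapshots for PolarEdge-style behaviours. EXPECTED_EXE,
EXPECTED_TLS_PORTS and the sample records are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Names the analysis says PolarEdge borrows, mapped to where each daemon
# normally lives on a typical embedded Linux image (assumed paths).
EXPECTED_EXE: Dict[str, Set[str]] = {
    "igmpproxy": {"/usr/sbin/igmpproxy"},
    "wscd": {"/usr/sbin/wscd", "/bin/wscd"},
    "dhcpd": {"/sbin/dhcpd", "/usr/sbin/dhcpd"},
    "httpd": {"/usr/sbin/httpd", "/sbin/httpd"},
    "upnpd": {"/usr/sbin/upnpd"},
    "iapp": {"/usr/sbin/iapp"},
}
EXPECTED_TLS_PORTS: Set[int] = {443, 8443}   # assumed for this device class


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str   # name as shown by ps / /proc/<pid>/comm
    exe: str    # resolved /proc/<pid>/exe target


@dataclass(frozen=True)
class Listener:
    pid: int
    port: int
    tls: bool   # True if a TLS handshake was observed on the socket


def masquerading(procs: List[Proc]) -> List[Proc]:
    """Known daemon names running from a path where that daemon does not live."""
    return [p for p in procs
            if p.comm in EXPECTED_EXE and p.exe not in EXPECTED_EXE[p.comm]]


def same_image_pairs(procs: List[Proc]) -> List[Tuple[int, int]]:
    """(parent_pid, child_pid) pairs with identical name and executable.
    Pre-forking servers produce these too, so this is corroboration only."""
    by_pid = {p.pid: p for p in procs}
    pairs = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent and (parent.comm, parent.exe) == (child.comm, child.exe):
            pairs.append((parent.pid, child.pid))
    return pairs


def watchdog_candidates(procs: List[Proc]) -> List[Tuple[int, int]]:
    """Same-image pairs whose image is also masquerading: the combination
    matches the fork-and-poll watchdog far better than either signal alone."""
    bad = {p.pid for p in masquerading(procs)}
    return [(pa, ch) for pa, ch in same_image_pairs(procs) if pa in bad and ch in bad]


def unexpected_tls_listeners(listeners: List[Listener]) -> List[Listener]:
    """TLS servers on ports this device class should not be serving."""
    return [l for l in listeners if l.tls and l.port not in EXPECTED_TLS_PORTS]


def stop_order(pairs: List[Tuple[int, int]]) -> List[int]:
    """PIDs in the order to stop them: the child restarts the backdoor when
    the parent dies, so the child goes first (freeze both with SIGSTOP before
    SIGKILL so neither can react in between)."""
    order: List[int] = []
    for parent, child in pairs:
        order.extend([child, parent])
    return order


def triage(procs: List[Proc], listeners: List[Listener]) -> dict:
    pairs = watchdog_candidates(procs)
    return {
        "masquerading": [p.pid for p in masquerading(procs)],
        "watchdog_pairs": pairs,
        "unexpected_tls": [(l.pid, l.port) for l in unexpected_tls_listeners(listeners)],
        "stop_order": stop_order(pairs),
    }


# Constructed snapshot: 100/101 model the implant (path is made up),
# 200/201 a normal httpd master/worker pair, 300 an unrelated daemon.
SAMPLE_PROCS = [
    Proc(100, 1, "igmpproxy", "/tmp/.data"),
    Proc(101, 100, "igmpproxy", "/tmp/.data"),
    Proc(200, 1, "httpd", "/usr/sbin/httpd"),
    Proc(201, 200, "httpd", "/usr/sbin/httpd"),
    Proc(300, 1, "sshd", "/usr/sbin/sshd"),
]
SAMPLE_LISTENERS = [Listener(100, 4443, True), Listener(200, 443, True),
                    Listener(300, 22, False)]

if __name__ == "__main__":
    print(triage(SAMPLE_PROCS, SAMPLE_LISTENERS))
```

On a real device the Proc records come from `/proc/<pid>/comm`, `/proc/<pid>/stat` and the `/proc/<pid>/exe` link, and the TLS flag from a packet capture or NetFlow feed rather than the socket table alone; the expected-path table must be built from a known-good firmware image of the same model, since daemon locations differ between vendors.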
Implement network segmentation to isolate IoT/NAS devices, centralize log collection, and leverage NetFlow/PCAP to flag nonstandard TLS handshakes. Where feasible, apply egress filtering and DNS policies that restrict devices to known-good destinations to curb proxy abuse.
PolarEdge underscores how modern IoT and NAS threats blend low-noise loaders, covert TLS channels, and distributed proxy layers to evade detection and persist. Organizations that combine prompt firmware updates with network controls, continuous monitoring, and disciplined incident response will be better positioned to prevent their edge devices from becoming nodes in an attacker’s ORB-style proxy network.