The Rise of PolarEdge: Inside a Massive IoT Botnet Powering Global Cybercrime Infrastructure

A sophisticated botnet campaign known as PolarEdge has compromised more than 25,000 Internet of Things (IoT) devices across 40 countries, establishing an extensive network of over 140 command-and-control (C2) servers to support large-scale cybercrime operations.

First disclosed in February 2025, the PolarEdge botnet exploits vulnerable IoT and edge devices to create what researchers describe as an Operational Relay Box (ORB) network — effectively offering infrastructure-as-a-service for advanced persistent threat (APT) groups.


Technical Breakdown

PolarEdge operates through a client–server architecture consisting of two main components:

  • RPX_Client – installed on compromised IoT or edge devices.
  • RPX_Server – manages proxy and command services across various cloud environments.

The infection campaign began accelerating in May 2025, when global monitoring systems flagged IP address 111.119.223.196 for distributing an ELF file linked to PolarEdge activity. Subsequent analysis confirmed that this file onboards newly compromised devices into the botnet.


Discovery and Attribution

Researchers from Qianxin's XLab uncovered the malware following detections by the lab's Cyber Threat Insight and Analysis System. Correlation and reverse engineering revealed the RPX_Client module's role: it connects infected devices to designated C2 proxy pools and gives operators remote command execution on the device.

The identification of both RPX_Server and RPX_Client components provided investigators with valuable insight into PolarEdge’s relay architecture, operational design, and infrastructure scalability.


Global Impact

Geographic distribution analysis shows that PolarEdge infections are heavily concentrated in East and Southeast Asia, with three countries accounting for more than 70% of infected devices:

Country            Share of infections
🇰🇷 South Korea      41.97%
🇨🇳 China            20.35%
🇹🇭 Thailand          8.37%
Other regions      29.31%

The botnet’s primary targets include:

  • KT CCTV systems
  • Shenzhen TVT DVRs
  • Cyberoam UTM appliances
  • Routers from Asus, DrayTek, Cisco, and D-Link

Behavior and Functionality

When executed, RPX_Client disguises its process name as connect_server and prevents duplicate startups using a PID file located at /tmp/.msc.

It attempts to read a hidden configuration file named .fccq, which stores parameters such as:

  • C2 server address
  • Communication port
  • Device UUID
  • Device brand or model

To obscure these settings, the configuration data is XORed with a single-byte key (0x25) before being written to disk. This is obfuscation rather than encryption: the same XOR operation decodes the file, and the key can be recovered from any byte of known plaintext.
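The following is an added example, not code from RPX_Client or from the XLab/Qianxin analysis. It decodes a .fccq-style blob with the reported key 0x25 and shows how the key would be recovered from a known plaintext fragment (the port number) if it were not already known. Only the key and the list of stored fields come from the report; the newline-separated key=value layout, the field names and the sample values are assumptions made for illustration.

```python
"""Decode a PolarEdge-style XOR-obfuscated .fccq config.

Added example, not code from RPX_Client or from the XLab/Qianxin report.
Only the single-byte key 0x25 and the list of stored fields come from the
report; the key=value layout below is an assumption made for illustration.
"""
from __future__ import annotations

KNOWN_KEY = 0x25  # single-byte XOR key reported for .fccq


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def recover_key_from_crib(blob: bytes, crib: bytes) -> list[int]:
    """Recover candidate single-byte keys from a known plaintext fragment.

    For single-byte XOR, cipher[i] ^ plain[i] equals the key at every
    position, so any window where cipher ^ crib is one constant byte reveals
    it. A crib of repeated characters (the port "55555") only needs the
    cipher bytes in that window to be identical.
    """
    keys = set()
    for i in range(len(blob) - len(crib) + 1):
        diffs = {c ^ p for c, p in zip(blob[i:i + len(crib)], crib)}
        if len(diffs) == 1:
            keys.add(diffs.pop())
    return sorted(keys)


def parse_config(plain: bytes) -> dict[str, str]:
    """Parse an assumed newline-separated key=value layout (not from the report)."""
    cfg: dict[str, str] = {}
    for line in plain.decode("ascii", errors="replace").splitlines():
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def decode_fccq(blob: bytes, key: int = KNOWN_KEY) -> dict[str, str]:
    """Decode an on-disk .fccq blob with the known key and parse it."""
    return parse_config(xor_bytes(blob, key))


# Constructed sample of a decoded config (layout and values are assumptions;
# 192.0.2.10 is an RFC 5737 documentation address, not a real C2).
SAMPLE_PLAIN = (b"server=192.0.2.10\n"
                b"port=55555\n"
                b"uuid=0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0\n"
                b"brand=dvr\n")
SAMPLE_FCCQ = xor_bytes(SAMPLE_PLAIN, KNOWN_KEY)  # what would sit on disk

if __name__ == "__main__":
    candidates = recover_key_from_crib(SAMPLE_FCCQ, b"55555")
    print("key candidates from crib 55555:", [hex(k) for k in candidates])
    print(decode_fccq(SAMPLE_FCCQ))
```

When triaging a real device, dump the .fccq file and feed it to decode_fccq; if the key ever changes in a new sample, recover_key_from_crib with the registration port as the crib will usually return the new key directly, because a single-byte XOR leaks the key from every position.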


Network Communication

PolarEdge establishes two independent network channels:

  • Port 55555 – for node registration and proxy traffic.
  • Port 55560 – for remote command execution via the go-admin service.
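The two ports above are the most usable network indicator on this page. The following is an added example, not code from the XLab/Qianxin report, showing how a defender would apply them to connection logs: it parses a few constructed, simplified conn.log lines (fields: timestamp, source, source port, destination, destination port, protocol, duration) and raises severity when one internal host reaches the same peer on both the registration port and the command port. The log format, the addresses and the severity labels are assumptions; the report does not state that both channels always go to the same peer, so a single-port hit is still reported.

```python
"""Flag hosts contacting the PolarEdge C2 ports in connection logs.

Added example, not code from the XLab/Qianxin report. The log format is a
constructed, simplified conn.log; addresses are RFC 5737 / RFC 1918 ranges.
"""
from __future__ import annotations
from collections import defaultdict

REGISTRATION_PORT = 55555  # node registration and proxy traffic (per report)
COMMAND_PORT = 55560       # remote command execution, go-admin service
C2_PORTS = {REGISTRATION_PORT, COMMAND_PORT}

# Constructed sample: ts src sport dst dport proto duration
# The last line uses 55555 as a *source* port and must not be flagged.
SAMPLE_LOG = """\
1715000001.10 10.0.4.21 41022 198.51.100.7 55555 tcp 3600.0
1715000002.50 10.0.4.21 41023 198.51.100.7 55560 tcp 12.3
1715000003.00 10.0.4.22 50001 203.0.113.9 443 tcp 0.8
1715000004.20 10.0.4.23 38811 198.51.100.7 55555 tcp 1800.0
1715000005.00 10.0.4.24 55555 203.0.113.50 443 tcp 1.1
"""


def parse_conn_log(text: str) -> list[dict]:
    """Parse whitespace-separated records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, src, sport, dst, dport, proto, duration = parts
        records.append({"ts": float(ts), "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "proto": proto,
                        "duration": float(duration)})
    return records


def score_peers(records: list[dict]) -> dict[tuple[str, str], tuple[str, list[int]]]:
    """Return {(src, dst): (severity, sorted C2 ports seen)}.

    Only the destination port is an indicator; a host that happens to pick
    55555 as an ephemeral source port is ignored. A peer reached on both
    channels (registration + command) is rated higher than a single hit.
    """
    seen: dict[tuple[str, str], set[int]] = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] in C2_PORTS:
            seen[(r["src"], r["dst"])].add(r["dport"])
    verdicts = {}
    for peer, ports in seen.items():
        severity = "high" if ports == C2_PORTS else "medium"
        verdicts[peer] = (severity, sorted(ports))
    return verdicts


if __name__ == "__main__":
    for (src, dst), (severity, ports) in score_peers(parse_conn_log(SAMPLE_LOG)).items():
        print(f"{severity:6} {src} -> {dst} ports={ports}")
```

In practice the destination IPs would be checked against the published C2/proxy-pool list as well; port-only matching is a starting point, and the long-lived registration sessions (the 3600-second flow in the sample) are a useful second signal when the ports alone are too noisy.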

Messages are distinguished by a magic field (observed values 0x11, 0x12 and 0x16), which lets operators address different functions on compromised nodes.

Built-in functions include:

  • change_pub_ip – updates C2 server addresses dynamically.
  • update_vps – triggers self-upgrade routines.

Server logs further confirm the use of infrastructure migration commands, enabling operators to quickly relocate proxy pools when existing nodes are exposed or disrupted.


Operational Intent

Traffic analysis indicates that PolarEdge’s infrastructure is primarily used as a relay network rather than for direct attacks. Observed communications are largely non-targeted, often associated with mainstream services such as QQ, WeChat, Google, and Cloudflare — suggesting that the botnet provides anonymized proxy channels for downstream malicious activity.


Conclusion

The PolarEdge botnet exemplifies a new generation of modular, cloud-aware IoT malware, leveraging compromised devices to construct a scalable proxy ecosystem for cybercriminal operations.

Its ability to rapidly migrate infrastructure, maintain persistent communication, and serve as a proxy-as-a-service platform highlights the growing convergence between botnets and underground cloud infrastructure markets.

Continuous monitoring, timely firmware updates, and strict network segmentation remain essential defenses against this evolving threat landscape.
