PolarEdge Botnet
Security researchers have recently unpacked the mechanics of a router-focused botnet family dubbed PolarEdge. Its combination of TLS-based communication, embedded configuration tricks, and deliberate anti-analysis measures make it a notable threat to home and SMB network appliances.
Timeline And Discovery
Researchers first documented PolarEdge in February 2025, linking it to campaigns that targeted routers and NAS devices from multiple vendors. By August 2025, analysts had mapped much of the botnet's infrastructure and observed traits consistent with an Operational Relay Box (ORB) style network. Retrospective telemetry suggests some PolarEdge activity may date back as far as June 2023.
Targets And Initial Access
Devices from major vendors, including Cisco, ASUS, QNAP, and Synology, have been identified as targets, highlighting that both enterprise-grade and consumer-grade routers and NAS systems are at risk of exploitation.
In the February 2025 attack chains, threat actors exploited a known Cisco vulnerability (CVE-2023-20118) to fetch a small FTP-delivered shell script named 'q.' That script's role was to retrieve and launch the PolarEdge ELF backdoor on the compromised host.
Core Implant Design
PolarEdge is a TLS-capable ELF implant that primarily:
- Sends a host fingerprint to a command-and-control (C2) server, then
- Waits for commands over a built-in TLS server implemented using mbedTLS v2.8.0.
The implant's default behavior is to act as a TLS server speaking a custom binary protocol. One key protocol field is HasCommand: when this field equals the ASCII character '1', the implant reads the Command field, executes the specified command locally, and returns the raw command output to the C2.
Modes Of Operation
PolarEdge supports two additional modes:
Connect-back mode: the implant behaves as a TLS client to pull files from remote servers.
Debug mode: an interactive mode that allows operators to alter configuration parameters (for example, server addresses) on the fly.
Embedded Configuration And Obfuscation
The botnet stores its runtime configuration inside the final 512 bytes of the ELF image. That block is obfuscated with a single-byte XOR; the researchers report the XOR key is 0x11, which must be applied to recover the configuration.
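Recovering that block is a routine triage step. The script below is an added example written for this page, not code from the researchers' write-up: it takes the final 512 bytes of an image, XORs each byte with 0x11 (both values reported above), and lists the printable strings in the result. The ELF image it runs on is constructed inline so the script works offline; pass a file path to run it against a real sample.

```python
"""Recover the XOR-obfuscated configuration block from the tail of an ELF image."""
from __future__ import annotations
import re
import sys

CONFIG_BLOCK_SIZE = 512   # trailing block size reported for PolarEdge
XOR_KEY = 0x11            # single-byte key reported for PolarEdge


def decode_tail_config(image: bytes, size: int = CONFIG_BLOCK_SIZE, key: int = XOR_KEY) -> bytes:
    """Return the de-obfuscated trailing configuration block of an implant image."""
    if len(image) < size:
        raise ValueError("image shorter than configuration block")
    return bytes(b ^ key for b in image[-size:])


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Extract runs of printable ASCII, the usual first look at a recovered config."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def build_sample_image() -> bytes:
    """Constructed stand-in for an implant binary (not a real PolarEdge sample):
    an ELF magic stub, filler, then a plaintext config XORed with the key."""
    plaintext_config = b"c2=203.0.113.10:443\x00mode=server\x00"  # constructed values (TEST-NET range)
    config = plaintext_config.ljust(CONFIG_BLOCK_SIZE, b"\x00")
    obfuscated = bytes(b ^ XOR_KEY for b in config)
    body = b"\x7fELF" + b"\x00" * 1024  # fake ELF magic plus filler, not a real binary
    return body + obfuscated


def main(path: str | None = None) -> None:
    image = open(path, "rb").read() if path else build_sample_image()
    for s in printable_strings(decode_tail_config(image)):
        print(s)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

The string dump is only the first look; the write-up does not describe the layout of the decoded block, so field parsing is left to the analyst.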
File Operations
After execution, the implant performs filesystem moves and removals (examples include moving binaries such as /usr/bin/wget and /sbin/curl, and deleting files such as /share/CACHEDEV1_DATA/.qpkg/CMS-WS/cgi-bin/library.cgi.bak). The precise operational intent behind these actions is not fully understood from the available data.
Evasion And Anti-analysis Techniques
PolarEdge incorporates several defensive mechanisms that hinder detection and analysis, by automated tooling and by security researchers alike.
It hides details of its TLS server initialization and fingerprinting routines via obfuscation.
During startup, it performs process masquerading, randomly choosing a process name from a built-in list to blend in with legitimate system services.
Some of the possible names include:
- igmpproxy
- wscd
- /sbin/dhcpd
- httpd
- upnpd
- iapp
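A name from that list is only a claim the process makes about itself; the binary it actually runs from is recorded separately in /proc/<pid>/exe. The check below is an added defender example, not part of the write-up: it flags processes whose name matches one of the reported masquerade names but whose executable is unlinked, lives in a scratch or data directory, or does not match the name. The process table is constructed for the example; on a Linux host, snapshot_procfs() gathers the same fields from /proc. The list of suspicious directories is an assumption to be tuned per appliance.

```python
"""Flag processes whose name matches a PolarEdge masquerade name but whose
backing executable does not look like the genuine service binary."""
from __future__ import annotations
import os
from dataclasses import dataclass

# Process names PolarEdge picks from at startup (from the write-up).
MASQUERADE_NAMES = {"igmpproxy", "wscd", "/sbin/dhcpd", "httpd", "upnpd", "iapp"}

# Directories where a legitimate daemon binary is not expected to live
# (assumption for this example; tune to the appliance's layout).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/share/")


@dataclass
class Proc:
    pid: int
    comm: str  # /proc/<pid>/comm, the name the process presents
    exe: str   # readlink of /proc/<pid>/exe, the binary actually running


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def is_masquerading(p: Proc) -> str | None:
    """Return a reason string if the process looks like a masquerade, else None."""
    watch = {basename(n) for n in MASQUERADE_NAMES}
    if basename(p.comm) not in watch:
        return None
    if p.exe.endswith(" (deleted)"):
        return "executable unlinked after start"
    if p.exe.startswith(SUSPICIOUS_DIRS):
        return f"executable in unexpected location {p.exe}"
    if basename(p.exe) != basename(p.comm):
        return f"name {p.comm!r} does not match binary {p.exe!r}"
    return None


def find_masquerading(procs: list[Proc]) -> dict[int, str]:
    """Map pid -> reason for every process that fails the check."""
    return {p.pid: r for p in procs if (r := is_masquerading(p))}


def snapshot_procfs() -> list[Proc]:
    """Collect comm and exe for every process from /proc (Linux only)."""
    out = []
    for pid in (d for d in os.listdir("/proc") if d.isdigit()):
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # process exited or not permitted
        out.append(Proc(int(pid), comm, exe))
    return out


# Constructed sample table: three genuine daemons and two lookalikes.
SAMPLE_PROCS = [
    Proc(412, "httpd", "/usr/sbin/httpd"),
    Proc(433, "upnpd", "/usr/sbin/upnpd"),
    Proc(501, "dhcpd", "/sbin/dhcpd"),
    Proc(2310, "igmpproxy", "/tmp/.x/igmpproxy"),                    # runs from a scratch dir
    Proc(2344, "wscd", "/share/CACHEDEV1_DATA/.s/a.out (deleted)"),  # mismatched and unlinked
]

if __name__ == "__main__":
    procs = snapshot_procfs() if os.path.isdir("/proc") else SAMPLE_PROCS
    for pid, reason in find_masquerading(procs).items():
        print(f"pid {pid}: {reason}")
```

Note that /proc/<pid>/comm is truncated to 15 characters by the kernel, which is fine for these names but matters if the watch list grows; comparing against /proc/<pid>/cmdline as well catches a process that rewrites only one of the two.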
Resilience Without Classic Persistence
PolarEdge does not appear to install a traditional persistence mechanism that survives reboots. Instead, it performs a runtime trick: it forks, and the child process polls every 30 seconds to check whether the parent's /proc/ directory still exists. If that directory vanishes (indicating the parent process is gone), the child runs a shell command to relaunch the backdoor, effectively providing opportunistic runtime recovery rather than permanent boot-time persistence.
Defensive Takeaways
Organizations managing routers and NAS devices should ensure they apply vendor updates and mitigations for CVE-2023-20118 and similar remote-execution vulnerabilities. They should actively monitor for unusual TLS activity from network appliances and outbound connections to unexpected hosts. It is equally critical to watch for signs of process masquerading and any unauthorized changes or deletions of networking binaries and web-facing scripts.