PolarEdge Botnet Hijacks 25,000 IoT Devices, Expands Across 40 Nations

PolarEdge Botnet Compromises Over 25,000 IoT Devices Across 40 Countries

The PolarEdge botnet has compromised more than 25,000 Internet of Things (IoT) devices across 40 countries and operates roughly 140 command-and-control (C2) servers, infrastructure that is rented out to other threat actors rather than used for a single campaign.

Emergence and Expansion of PolarEdge

First identified in February 2025, the PolarEdge botnet exploits vulnerabilities in IoT and edge devices to create an Operational Relay Box network. This network serves as an infrastructure-as-a-service platform for advanced persistent threat (APT) actors. The malware employs a client-server architecture, with RPX_Client components installed on compromised devices and RPX_Server nodes managing proxy services across various cloud platforms.

The infection campaign gained significant momentum in May 2025 when security monitoring systems detected suspicious activity originating from IP address 111.119.223.196. This activity involved the distribution of an ELF file associated with PolarEdge. Through correlation analysis, researchers uncovered the RPX_Client component, which integrates compromised devices into designated C2 node proxy pools and enables remote command execution.

Researchers at Qianxin identified the malware following targeted investigations prompted by detections from XLab’s Cyber Threat Insight and Analysis System. The subsequent discovery of both RPX_Server and RPX_Client components provided deeper insights into the botnet’s relay operations and the scale of its infrastructure.

Geographic Distribution and Targeted Devices

Analysis of the botnet’s geographic distribution shows infections concentrated in East and Southeast Asia, with a smaller footprint in North America. South Korea accounts for 41.97% of compromised devices, followed by China at 20.35% and Thailand at 8.37%. The primary targets include:

– KT CCTV systems
– Shenzhen TVT DVRs
– Cyberoam Unified Threat Management (UTM) appliances
– Various router models from manufacturers such as Asus, DrayTek, Cisco, and D-Link

The botnet’s infrastructure operates across Virtual Private Server (VPS) nodes concentrated in autonomous system numbers 45102, 37963, and 132203, predominantly hosted on Alibaba Cloud and Tencent Cloud platforms.

Technical Architecture and Infection Mechanism

The RPX system implements a multi-hop proxy architecture designed to conceal the source of attacks and complicate attribution. When attackers utilize the network, connections traverse from a local proxy through RPX_Server to RPX_Client on compromised devices before reaching their final destinations. This layered approach effectively obscures the origins of attacks while providing operational flexibility.

The malware achieves persistence by appending a launcher line to the device’s init script, so that `rpx.sh` is started in the background at every boot:

```shell
# The quotes keep the trailing "&" inside the appended text; without them the
# shell would background the echo itself and nothing useful would reach rcS.
echo "/bin/sh /mnt/mtd/rpx.sh &" >> /etc/init.d/rcS
```

Upon execution, RPX_Client disguises its process name as `connect_server` and enforces single-instance execution using the PID file `/tmp/.msc` to prevent duplicate startups.

The malware then reads its global configuration file `.fccq` to obtain the C2 server address, communication port, device UUID, and device brand. The configuration is not encrypted in any meaningful sense: it is obfuscated with a single-byte XOR (key 0x25) before being written to disk, so anyone who recovers the file can decode it trivially.
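The following is an added example (not code from the XLab/Qianxin report or from the malware) showing why a single-byte XOR offers no protection. The only fact taken from the page is the key 0x25; the field layout (newline-separated `key=value` pairs), the field names and the sample values are assumptions made for the demonstration. `recover_key` shows the known-plaintext attack an analyst would use if the key were unknown: with one byte of key, any guessed field name is enough to brute-force it.

```python
"""Decode a PolarEdge-style XOR-obfuscated configuration blob.

Added example, not the malware's own code. Assumptions, labelled as such:
  - key 0x25 is the value reported for .fccq (from the page)
  - the plaintext layout is ASSUMED to be newline-separated key=value pairs
  - sample values below are constructed placeholders, not real indicators
"""
from typing import Dict, Optional

XOR_KEY = 0x25  # single-byte key reported for the .fccq configuration


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the key. XOR is its own inverse, so the same
    function both obfuscates and decodes."""
    return bytes(b ^ key for b in data)


def parse_config(decoded: bytes) -> Dict[str, str]:
    """Parse the ASSUMED key=value layout into a dict. Lines without '=' are
    skipped so a partially corrupted file still yields the readable fields."""
    cfg: Dict[str, str] = {}
    for line in decoded.decode("ascii", errors="replace").splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def decode_fccq(blob: bytes, key: int = XOR_KEY) -> Dict[str, str]:
    """Full pipeline: de-obfuscate with the key, then parse the fields."""
    return parse_config(xor_bytes(blob, key))


def recover_key(blob: bytes, crib: bytes) -> Optional[int]:
    """Known-plaintext key recovery. A single-byte XOR leaks the key as soon
    as any plaintext fragment (the crib) is known: try all 256 keys and keep
    the first one whose decode contains the crib. Returns None if no key
    matches (wrong crib or a different scheme)."""
    for candidate in range(256):
        if crib in xor_bytes(blob, candidate):
            return candidate
    return None


def build_sample_blob() -> bytes:
    """Constructed test input: a plausible plaintext config obfuscated with
    the page's key. 203.0.113.10 is a documentation address, not a real C2."""
    plaintext = (
        b"c2=203.0.113.10\n"
        b"port=55555\n"
        b"uuid=00000000-0000-4000-8000-000000000000\n"
        b"brand=tvt\n"
    )
    return xor_bytes(plaintext)


if __name__ == "__main__":
    blob = build_sample_blob()
    # An analyst who does not know the key only needs to guess a field name.
    key = recover_key(blob, b"port=")
    print(f"recovered key: {key:#04x}")
    print(decode_fccq(blob, key))
```

On a real sample the crib would be whatever field name or value the analyst expects (a known C2 address, a brand string, even a single `=`-separated line); the point is that the search space is 256 keys regardless of file size.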

Network operations utilize two independent connections:

– Port 55555 for node registration and traffic proxying
– Port 55560 for remote command execution through the `go-admin` service

The command structure enables flexible control through magic field values 0x11, 0x12, and 0x16 that define bot functions. Special built-in commands include `change_pub_ip` for updating C2 server addresses and `update_vps` for sample self-upgrade capabilities.

Server logs confirm the execution of infrastructure migration commands, demonstrating the operators’ ability to rapidly relocate proxy pools when nodes face exposure.

Traffic analysis shows that the traffic relayed through the botnet is directed primarily at mainstream platforms, including QQ, WeChat, Google, and Cloudflare services, which is consistent with its use as a general-purpose anonymising proxy rather than a tool aimed at a single target.
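The host and network indicators described above (the `rcS` launcher for `/mnt/mtd/rpx.sh`, the `connect_server` process name, the `/tmp/.msc` PID file, and outbound connections to TCP 55555 and 55560) can be turned into a simple triage check. The block below is an added example, not tooling from the report; the input formats (a `ps`-style listing, a comma-separated connection log) and all sample data are constructed for the demonstration, and the "two or more indicator classes" threshold is an assumption, not a rule from the page.

```python
"""Triage helpers for the PolarEdge RPX_Client indicators named on the page.

Added example, not tooling from the XLab/Qianxin report. Indicators (from
the page): a line launching /mnt/mtd/rpx.sh in /etc/init.d/rcS, a process
named connect_server, the PID file /tmp/.msc, and outbound TCP 55555/55560.
ASSUMED for the example: the ps-style and conn-log formats, the sample
inputs, and the "two indicator classes" threshold in is_likely_infected.
"""
from typing import Dict, Iterable, List

RPX_PORTS = {55555, 55560}   # registration/proxy and go-admin ports


def check_rcs(rcs_text: str) -> List[str]:
    """Flag any init-script line that starts the rpx.sh launcher."""
    return [
        f"rcS line {n}: {line.strip()}"
        for n, line in enumerate(rcs_text.splitlines(), 1)
        if "/mnt/mtd/rpx.sh" in line and not line.lstrip().startswith("#")
    ]


def check_processes(ps_text: str) -> List[str]:
    """ps-style lines: 'PID USER COMMAND'. Match on the command's first token
    only, so 'connect_server_helper' or a grep for the name is not flagged."""
    hits = []
    for line in ps_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[2].split()[0] == "connect_server":
            hits.append(f"pid {parts[0]}: process named connect_server")
    return hits


def check_pidfile(existing_paths: Iterable[str]) -> List[str]:
    """The client enforces a single instance via /tmp/.msc."""
    if "/tmp/.msc" in set(existing_paths):
        return ["/tmp/.msc present (RPX_Client PID file)"]
    return []


def check_connections(conn_lines: Iterable[str]) -> List[str]:
    """Constructed log format: src_ip,src_port,dst_ip,dst_port,proto."""
    hits = []
    for line in conn_lines:
        src, sport, dst, dport, proto = line.strip().split(",")
        if proto == "tcp" and int(dport) in RPX_PORTS:
            hits.append(f"{src}:{sport} -> {dst}:{dport} (RPX port)")
    return hits


def triage(rcs_text: str, ps_text: str, existing_paths: Iterable[str],
           conn_lines: Iterable[str]) -> Dict[str, List[str]]:
    return {
        "persistence": check_rcs(rcs_text),
        "process": check_processes(ps_text),
        "pidfile": check_pidfile(existing_paths),
        "network": check_connections(conn_lines),
    }


def is_likely_infected(report: Dict[str, List[str]]) -> bool:
    """ASSUMED threshold: any single class (a port, a file name) can be
    coincidental; two independent classes together are worth escalating."""
    return sum(1 for hits in report.values() if hits) >= 2


def sample_infected() -> Dict[str, List[str]]:
    """Constructed inputs, not real device artefacts. 203.0.113.7 and
    198.51.100.5 are documentation addresses."""
    rcs = "#!/bin/sh\n/etc/init.d/network start\n/bin/sh /mnt/mtd/rpx.sh &\n"
    ps = "1 root init\n87 root connect_server\n91 root httpd -p 80\n"
    paths = ["/tmp/.msc", "/tmp/resolv.conf"]
    conns = [
        "192.168.1.20,40211,203.0.113.7,55555,tcp",
        "192.168.1.20,40212,203.0.113.7,55560,tcp",
        "192.168.1.20,40213,198.51.100.5,443,tcp",
    ]
    return triage(rcs, ps, paths, conns)


def sample_clean() -> Dict[str, List[str]]:
    """Constructed clean device: a commented-out rpx line and a busy HTTPS
    session should not raise anything."""
    rcs = "#!/bin/sh\n# /bin/sh /mnt/mtd/rpx.sh &\n/etc/init.d/network start\n"
    ps = "1 root init\n91 root httpd -p 80\n"
    return triage(rcs, ps, ["/tmp/resolv.conf"],
                  ["192.168.1.20,40213,198.51.100.5,443,tcp"])


if __name__ == "__main__":
    for name, report in (("infected", sample_infected()), ("clean", sample_clean())):
        print(name, is_likely_infected(report), report)
```

The network check is deliberately narrow: it only matches the two ports the page names, so it will miss operators who move the relay to other ports, and a hit on port 55555 alone is weak evidence. The persistence and PID-file checks are the durable ones, because both are hard-coded paths the client must use to start and to stay single-instance.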

Implications and Recommendations

The PolarEdge botnet’s reach and relay architecture illustrate where IoT-targeted malware is heading: compromised cameras, DVRs and routers are no longer just DDoS capacity but rented anonymisation infrastructure for other actors. The number of devices compromised across so many countries underscores how weak the security of many IoT deployments remains.

To mitigate the risk of infection and propagation of such botnets, it is recommended that organizations and individuals:

– Regularly update firmware and software on all IoT devices to patch known vulnerabilities.
– Change default credentials to strong, unique passwords to prevent unauthorized access.
– Implement network segmentation to isolate IoT devices from critical systems.
– Monitor network traffic for unusual patterns that may indicate compromise.
– Deploy intrusion detection and prevention systems to identify and block malicious activities.

By adopting these proactive measures, the risk of IoT device compromise can be significantly reduced, thereby enhancing overall cybersecurity posture.