PolarEdge returns: a deep-dive into the router botnet campaign

A stealthy, long-running campaign has been recruiting routers (Cisco, ASUS, QNAP, Synology) into the PolarEdge botnet. Operators delivered a TLS-based ELF implant that fingerprinted hosts, accepted remote commands and — in some variants — converted compromised devices into monetized SOCKS5 proxies tied to GhostSocks infrastructure. The activity dates back to mid-2023 and continues to pose a risk where management interfaces are exposed or unpatched.

Phase 1 — Recon and initial entry

Attackers scanned for exposed or vulnerable management interfaces on routers and edge devices. In observed chains, a known router vulnerability (e.g., CVE-2023-20118 on certain Cisco models) was abused to fetch a small shell dropper (named q in reports) over FTP/HTTP. That dropper then retrieved and launched the PolarEdge ELF implant on the device, effectively converting an internet-facing router into an execution point.

Key points

• Vector: exposed/unpatched management interfaces and known router flaws.

• Initial artifact: a lightweight shell script (q) that downloads and installs the ELF implant.

Phase 2 — Implantation and capabilities

PolarEdge installs as a TLS-aware ELF backdoor. Its default behavior is to run a TLS server (implemented with mbedTLS) that sends a host fingerprint to a C2 and waits for commands. Two operation modes were observed: a connect-back client mode (download files) and an interactive debug mode to change configuration on the fly. The implant stores configuration obfuscated (single-byte XOR) and disguises itself by randomly choosing common daemon names (e.g., igmpproxy, httpd, upnpd) to blend into process lists.

Capabilities delivered

• Host fingerprinting and telemetry.

• Remote command execution (“HasCommand” → execute → return output).

• On-demand config updates (connect-back / debug modes).

• Process masquerading and anti-analysis techniques.

Phase 3 — Operations and monetization

Once implanted, devices could be instructed to execute arbitrary commands and relay traffic. Some variants were repurposed into SOCKS5 residential proxies — reportedly connected to GhostSocks/monetization ecosystems — enabling attackers or customers to route traffic through compromised routers. This transforms compromised edge gear into infrastructure for further abuse (proxying, anonymized access, resale).

Operational risks

• Full device takeover and remote management by attackers.

• Use as proxy infrastructure for other illicit activity (fraud, scraping, anonymized C2).

Phase 4 — Evasion and persistence mechanics

PolarEdge used several stealth techniques: XOR-obfuscated config data, random daemon name selection, TLS on nonstandard ports, and a watchdog fork that relaunches the implant if its parent disappears. While not guaranteed to survive a full firmware reflash, the implant’s relaunch logic and disguise strategies increased time-to-detection.

Breach — what was exposed (vector, breach method, possible data)

Attackers exploited exposed/unpatched router management interfaces and known vulnerabilities to deliver a shell dropper that installed the PolarEdge ELF implant. The implant fingerprinted hosts, executed commands, and could relay traffic. Some deployments were turned into SOCKS5 proxies linked to GhostSocks. There are no widely confirmed reports of large-scale data exfiltration from end users, but the compromise could have exposed device configurations, stored credentials, network metadata and any sensitive information reachable from the hijacked device — which may enable lateral access or further compromise.

Who was affected (users & devices)

Home, SOHO and enterprise routers with public or unpatched management interfaces were targeted — with activity observed across multiple geographies (notably South Korea, the U.S., Taiwan and others). Any owner of internet-facing routers (consumer or business) whose firmware or management access was not hardened risked full device takeover, covert proxying and local network exposure.

Detection & hunting guidance (practical indicators)

• Unexpected TLS servers or TLS traffic on high/nonstandard ports from routers.

• Processes with suspicious names chosen from lists (igmpproxy, httpd, upnpd, wscd, etc.) that don’t match expected binaries.

• Presence of unexpected files or scripts named q or unusual startup scripts.

• Outbound connections to known C2 IPs/domains; periodic heartbeat or proxy-style traffic (SOCKS5).

• Sudden appearance of AnyDesk / remote-access tooling or unexplained open SOCKS5 ports.

• Unusual process respawn behavior (watchdog/fork patterns).

Hunt for these signs in router logs, network telemetry, and any management-plane recordings. Collect and correlate device-level telemetry with network flows (DNS, TLS SNI, destination IPs).

Mitigation & incident response (action checklist)

1. Patch routers and apply vendor firmware updates for Cisco, ASUS, QNAP, Synology and any other affected appliances.

2. Remove public exposure: disable remote/public management (block WAN-facing web/SSH/Telnet interfaces) or place management behind VPN or jump hosts.

3. Reset credentials: change all device admin passwords and any API keys or tokens stored on devices.

4. Rebuild suspected devices from clean firmware images (do not rely on in-place removal alone).

5. Isolate and sinkhole suspected devices from production networks until they are clean.

6. Block known C2 IPs/domains and monitor for SOCKS5/proxy traffic originating from edge devices.

7. Monitor for the indicators listed above and deploy EDR/network IDS/flow-analysis rules to flag anomalous TLS and proxying behavior.

8. Harden configuration: disable unnecessary services, enforce management access controls, MFA for admin portals, and network segmentation to limit lateral exposure.

PolarEdge illustrates how attackers are weaponizing edge devices to build resilient, covert infrastructure. Routers and network appliances — often overlooked once deployed — provide a powerful foothold: always-on connectivity, privileged placement on networks, and the ability to proxy or mask malicious activity. The campaign underscores three priorities for defenders:

• treat network infrastructure as crown-jewel assets (patch, monitor, restrict),

• assume internet-exposed management interfaces are high-risk and minimize them, and

• combine device telemetry with network flow analytics to detect proxying and covert tunnels early.

  
  

If you manage routers or edge gear: patch now, remove public management where possible, reflash suspected units from vendor images, and hunt for abnormal TLS/proxy behavior. The cost of ignoring edge security is not only a single compromised appliance but a potential platform for large-scale abuse.

Sekoia

https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet

https://blog.sekoia.io/polaredge-backdoor-qnap-cve-2023-20118-analysis

Censys

https://censys.io/blog/polaredge-mapping-a-new-router-botnet-infrastructure

Field Effect

https://fieldeffect.com/blog/polaredge-persistent-residential-proxy-infrastructure

The Hacker News

https://thehackernews.com/2025/10/polaredge-targets-cisco-asus-qnap.html

https://thehackernews.com/2025/10/polaredge-targets-cisco-asus-qnap.html?m=1