Researchers at Censys have found that PolarEdge is rapidly expanding throughout the world, in an alarming sign that connected technology is becoming increasingly weaponised. PolarEdge is an advanced botnet orchestrating large-scale attacks against Internet of Things (IoT) and edge devices all over the world, a threat that has become increasingly prevalent in recent years. 

When the malicious network was first discovered in mid-2023, only around 150 confirmed infections were identified. Since then, the network has grown into an extensive digital threat, compromising nearly 40,000 devices worldwide by August 2025. Analysts have pointed out that PolarEdge's architecture is very similar to Operational Relay Box (ORB) infrastructures, which are covert systems commonly used to facilitate espionage, fraud, and cybercrime. 

PolarEdge has grown at a rapid rate in recent years, and this highlights the fact that undersecured IoT environments are becoming increasingly exploited, placing them among the most rapidly expanding and dangerous botnet campaigns in recent years. PolarEdge has helped shed light on the rapidly evolving nature of cyber threats affecting the hyperconnected world of today. 

PolarEdge, a carefully crafted campaign that demonstrates how compromised Internet of Things (IoT) ecosystems can be turned into powerful weapons of cyber warfare, emerged as an expertly orchestrated campaign. There are more than 25,000 infected devices spread across 40 countries that are a part of the botnet, and the botnet is characterised by its massive scope and sophistication due to its network of 140 command and control servers. 

Unlike many other distributed denial-of-service (DDoS) attacks, PolarEdge is not only a tool for distributing denial-of-service attacks, but also a platform for criminal infrastructure as a service (IaaS), specifically made to support advanced persistent threats (APT). By exploiting vulnerabilities in IoT devices and edge devices through systematic methods, the software constructs an Operational Relay Box (ORB) network, which creates a layer of obfuscating malicious traffic, enabling covert operations such as espionage, data theft, and ransomware.

By adopting this model, the cybercrime economy is reshaped in a way that enables even moderately skilled adversaries to access capabilities that were once exclusively the domain of elite threat groups. As further investigation into PolarEdge's evolving infrastructure was conducted, it turned out that a previously unknown component known as RPX_Client was uncovered, which is an integral part of the botnet that transforms vulnerable IoT devices into proxy nodes. 

In May 2025, XLab's Cyber Threat Insight and Analysis System detected a suspicious activity from IP address 111.119.223.196, which was distributing an ELF file named "w," a file that initially eluded detection on VirusTotal. The file was identified as having the remote location DNS IP address 111.119.223.196. A deeper forensic analysis of the attack was conducted to uncover the RPX_Client mechanism and its integral role in the construction of Operational Relay Box networks. 

These networks are designed to hide malicious activity behind layers of compromised systems to make it appear as if everything is normal. An examination of the device logs carried out by the researchers revealed that the infection had spread all over the world, with the highest concentration occurring in South Korea (41.97%), followed by China (20.35%) and Thailand (8.37%), while smaller clusters emerged in Southeast Asia and North America. KT CCTV surveillance cameras, Shenzhen TVT digital video recorders and Asus routers have been identified as the most frequently infected devices, whereas other devices that have been infected include Cyberoam UTM appliances, Cisco RV340 VPN routers, D-Link routers, and Uniview webcams have also been infected. 

140 RPX_Server nodes are running the campaign, which all operate under three autonomous system numbers (45102, 37963, and 132203), and are primarily hosted on Alibaba Cloud and Tencent Cloud virtual private servers. Each of these nodes communicates via port 55555 with a PolarSSL test certificate that was derived from version 3.4.0 of the Mbed TLS protocol, which enabled XLab to reverse engineer the communication flow so that it would be possible to determine the validity and scope of the active servers.

As far as the technical aspect of the RPX_Client is concerned, it establishes two connections simultaneously. One is connected to RPX_Server via port 55555 for node registration and traffic routing, while the other is connected to Go-Admin via port 55560 for remote command execution. As a result of its hidden presence, this malware is disguised as a process named “connect_server,” enforces a single-instance rule by using a PID file (/tmp/.msc), and keeps itself alive by injecting itself into the rcS initialisation script. 

In light of these efforts, it has been found that the PolarEdge infrastructure is highly associated with the RPX infrastructure, as evidenced by overlapping code patterns, domain associations and server logs. Notably, IP address 82.118.22.155, which was associated with PolarEdge distribution chains in the early 1990s, was found to be related to a host named jurgencindy.asuscomm.com, which is the same host that is associated with PolarEdge C2 servers like icecreand.cc and centrequ.cc. 

As the captured server records confirmed that RPX_Client payloads had been delivered, as well as that commands such as change_pub_ip had been executed, in addition to verifying its role in overseeing the botnet's distribution framework, further validated this claim. Its multi-hop proxy architecture – utilising compromised IoT devices as its first layer and inexpensive Virtual Private Servers as its second layer – creates a dense network of obfuscation that effectively masks the origin of attacks. 

This further confirms Mandiant's assessment that cloud-based infrastructures are posing a serious challenge to conventional indicator-based detection techniques. Several experts emphasised the fact that in order to mitigate the growing threat posed by botnets, such as PolarEdge, one needs to develop a comprehensive and layered cybersecurity strategy, which includes both proactive defence measures and swift incident response approaches. In response to the proliferation of connected devices, organisations and individuals need to realise the threat landscape that is becoming more prevalent. 

Therefore, IoT and edge security must become an operational priority rather than an afterthought. It is a fundamental step in making sure that all devices are running on the latest firmware, since manufacturers release patches frequently to address known vulnerabilities regularly. Furthermore, it is equally important to change default credentials immediately with strong, unique passwords. This is an essential component of defence against large-scale exploitation, but is often ignored.

Security professionals recommend that network segmentation be implemented, that IoT devices should be isolated within specific VLANs or restricted network zones, so as to minimise lateral movement within networks. As an additional precaution, organisations are advised to disable non-essential ports and services, so that there are fewer entry points that attackers could exploit. 

The continuous monitoring of the network, with a strong emphasis on intrusion detection and prevention (IDS/IPS) systems, has a crucial role to play in detecting suspicious traffic patterns that are indicative of active compromises. The installation of a robust patch management program is essential in order to make sure that all connected assets are updated with security updates promptly and uniformly. 

Enterprises should also conduct due diligence when it comes to the supply chain: they should choose vendors who have demonstrated a commitment to transparency, timely security updates, and disclosure of vulnerabilities responsibly. As far as the technical aspect of IoT defence is concerned, several tools have proven to be effective in detecting and counteracting IoT-based threats. Nessus, for instance, provides comprehensive vulnerability scanning services, and Shodan provides analysts with a way to identify exposed or misconfigured internet-connected devices. 

Among the tools that can be used for deeper network analysis is Wireshark, which is a protocol inspection tool used by most organisations, and Snort or Suricata are powerful IDS/IPS systems that can detect malicious traffic in real-time. In addition to these, IoT Inspector offers comprehensive assessments of device security and privacy, giving us a much better idea of what connected hardware is doing and how it behaves. 

By combining these tools and practices, a critical defensive framework can be created - one that is capable of reducing the attack surface and curbing the propagation of sophisticated botnets, such as PolarEdge, resulting in a reduction in the number of attacks. In a comprehensive geospatial study of PolarEdge's infection footprint, it has been revealed that it has been spread primarily in Southeast Asia and North America, with South Korea claiming 41.97 percent of the total number of compromised devices to have been compromised. 

The number of total infections in China comes in at 20.35 per cent, while Thailand makes up 8.37 per cent. As part of the campaign, there are several key victims, including KT CCTV systems, Shenzhen TVT digital video recorders (DVRs), Cyberoam Unified Threat Management (UTM) appliances, along with a variety of router models made by major companies such as Asus, DrayTek, Cisco, and D-Link. Virtual private servers (VPS) are used primarily to control the botnet's command-and-control ecosystem, which clusters within autonomous systems 45102, 37963, and 132203. 

The vast majority of the botnet's operations are hosted by Alibaba Cloud and Tencent Cloud infrastructure – a reflection of the botnet's dependency on commercial, scalable cloud environments for maintaining its vast operations. PolarEdge's technical sophistication is based on a multi-hop proxy framework, RPX, a multi-hop proxy framework meticulously designed to conceal attack origins and make it more difficult for the company to attribute blame. 

In the layered communication chain, traffic is routed from a local proxy to RPX_Server nodes to RPX_Client instances on IoT devices that are infected, thus masking the true source of command, while allowing for fluid, covert communication across global networks. It is the malware's strategy to maintain persistence by injecting itself into initialisation scripts. Specifically, the command echo "/bin/sh /mnt/mtd/rpx.sh &" >> /etc/init.d/rcS ensures that it executes automatically at the start-up of the system. 

Upon becoming active, it conceals itself as a process known as “connect_server” and enforces single-instance execution using the PID file located at /tmp/.msc to enforce this. This client is capable of configuring itself by accessing a global configuration file called “.fccq” that extracts parameters such as the command-and-control (C2) address, communication ports, device UUIDs, and brand identifiers, among many others. 

As a result, these values have been obfuscated using a single-byte XOR encryption (0x25), an effective yet simple method of preventing static analysis of the values. This malware uses two network ports in order to establish two network channels—port 55555 for node registration and traffic proxying, and port 55560 for remote command execution via the Go-Admin service. 

Command management is accomplished through the use of “magic field” identifiers (0x11, 0x12, and 0x16), which define specific operational functions, as well as the ability to update malware components self-aware of themselves using built-in commands like update_vps, which rotates C2 addresses.

A server-side log shows that the attackers executed infrastructure migration commands, which demonstrates their ability to dynamically switch proxy pools to evade detection each and every time a node is compromised or exposed, which is evidence of the attacker’s ability to evade detection, according to the log. It is evident from network telemetry that PolarEdge is primarily interested in non-targeted activities aimed at legitimate platforms like QQ, WeChat, Google, and Cloudflare. 

It suggests its infrastructure may be used as both a means for concealing malicious activity as well as staging it as a form of ordinary internet communication. In light of the PolarEdge campaign, which highlights the fragility of today's interconnected digital ecosystem, it serves as a stark reminder that cybersecurity must evolve in tandem with the sophistication of today's threats, rather than just react to them. 

A culture of cyber awareness, cross-industry collaboration, and transparent threat intelligence sharing is are crucial component of cybersecurity, beyond technical countermeasures. Every unsecured device, whether it is owned by governments, businesses, or consumers, can represent a potential entryway into the digital world. Therefore, governments, businesses, and consumers all must recognise this. The only sustainable way for tomorrow's digital infrastructure to be protected is through education, accountability, and global cooperation.