Cybersecurity researchers have recently detailed the inner workings of a potent botnet malware known as PolarEdge. First identified by Sekoia in February 2025, this campaign specifically targets routers and network-attached storage (NAS) devices made by Cisco, ASUS, QNAP, and Synology. The attackers’ goal is to corral these compromised devices into a large network for an as-yet-unknown purpose. Further investigation by the attack surface management platform Censys in August 2025 illuminated the botnet’s infrastructure, noting that PolarEdge functions as an Operational Relay Box (ORB) network, suggesting its use in relaying traffic.
Worryingly, the malware’s activity may have started long before its discovery, with evidence hinting at a timeline stretching back to June 2023. The initial attack chains often leverage a known security flaw in Cisco routers, CVE-2023-20118, to download a shell script that, in turn, retrieves and executes the PolarEdge backdoor on the vulnerable system. At its core, PolarEdge is a TLS-based ELF implant designed to monitor incoming client connections and execute commands within them. The French cybersecurity firm Sekoia emphasized that the backdoor’s main job is to first send a host fingerprint to its C2 server and then actively listen for commands via a built-in TLS server implemented with mbedTLS. This system supports two main modes: a connect-back mode, where the backdoor acts as a TLS client to download files, and a debug mode for modifying its configuration on the fly.
Its default operation, however, is to function as a TLS server, relying on a custom binary protocol to parse incoming requests. When a request includes the “HasCommand” parameter set to the ASCII character “1”, the backdoor executes the command specified in the “Command” field and transmits the raw output back to the attackers. The backdoor’s configuration data is embedded in the last 512 bytes of the ELF image and obfuscated using a simple one-byte XOR operation. In addition to its command execution capabilities, PolarEdge employs various techniques to remain hidden and ensure its survival. The malware incorporates a wide range of anti-analysis techniques to obscure information related to its TLS server setup and fingerprinting logic.
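The configuration layout described above (last 512 bytes of the ELF, one-byte XOR) is the kind of thing an analyst wants to pull out of a sample quickly. The following triage helper is an added example, not code from Sekoia or from the malware: it slices the trailer off an ELF image, brute-forces all 256 possible keys, and ranks the results by how much they look like a NUL-padded text block. The article does not give the key or the field layout, so the sample image, its key (0x5A) and its key=value strings are all constructed for the demonstration; the NUL-count tie-breaker assumes the real config is shorter than its 512-byte slot.

```python
"""Added triage helper for a 512-byte, single-byte-XOR-obfuscated ELF trailer.

Not PolarEdge's own code. The key and config layout are unknown here, so the
script tries every one-byte key and ranks candidates heuristically. The
sample ELF image and its config strings below are constructed.
"""
from typing import List, Tuple

ELF_MAGIC = b"\x7fELF"
TRAILER_LEN = 512  # size stated in the article


def extract_trailer(image: bytes) -> bytes:
    """Return the final 512 bytes of an ELF image (the region the article names)."""
    if not image.startswith(ELF_MAGIC):
        raise ValueError("not an ELF image")
    if len(image) < TRAILER_LEN:
        raise ValueError("image shorter than the 512-byte trailer")
    return image[-TRAILER_LEN:]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation obfuscates and deobfuscates."""
    return bytes(b ^ key for b in data)


def text_score(data: bytes) -> Tuple[int, int]:
    """Heuristic rank for a candidate plaintext.

    Primary: count of bytes that are printable ASCII or NUL (text + padding).
    Secondary: NUL count, which favours a NUL-padded block over a wrong key
    that happens to map the padding onto a printable character.
    """
    printable_or_nul = sum(1 for b in data if b == 0 or 0x20 <= b <= 0x7E)
    return (printable_or_nul, data.count(0))


def recover_config(trailer: bytes) -> Tuple[int, bytes]:
    """Brute-force the one-byte key; return (key, decoded_trailer)."""
    best_key = max(range(256), key=lambda k: text_score(xor_bytes(trailer, k)))
    return best_key, xor_bytes(trailer, best_key)


def config_strings(decoded: bytes, min_len: int = 4) -> List[str]:
    """Split the decoded block on NULs and keep printable runs (like `strings`)."""
    out = []
    for chunk in decoded.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= b <= 0x7E for b in chunk):
            out.append(chunk.decode("ascii"))
    return out


# --- constructed sample: a fake ELF carrying a XOR-obfuscated trailer --------
SAMPLE_KEY = 0x5A  # constructed value, not the real key
SAMPLE_CONFIG = (
    b"c2=203.0.113.10:443\x00"  # RFC 5737 documentation address, constructed
    b"name=httpd\x00"
    b"interval=30\x00"
)
SAMPLE_TRAILER = xor_bytes(SAMPLE_CONFIG.ljust(TRAILER_LEN, b"\x00"), SAMPLE_KEY)
SAMPLE_IMAGE = ELF_MAGIC + b"\x00" * 60 + SAMPLE_TRAILER

if __name__ == "__main__":
    key, decoded = recover_config(extract_trailer(SAMPLE_IMAGE))
    print(f"recovered key: 0x{key:02x}")
    for line in config_strings(decoded):
        print("  ", line)
```

Pointing `extract_trailer` at a real sample instead of `SAMPLE_IMAGE` is the only change needed for live use; if the ranking returns garbage, the obfuscation is probably not a plain one-byte XOR and the scoring heuristic should be revisited rather than trusted.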
To evade detection, the backdoor utilizes process masquerading during its initialization phase, randomly selecting a name from a predefined list—such as igmpproxy, wscd, /sbin/dhcpd, httpd, upnpd, or iapp—to disguise itself. While the backdoor does not ensure persistence across reboots in the traditional sense, it calls the fork function to spawn a child process. This child process, Sekoia researchers explained, checks every 30 seconds whether its parent process still exists; if the parent process directory has disappeared from /proc/, the child executes a shell command to relaunch the backdoor, thus maintaining its presence on the infected device. This disclosure arrives alongside news of a separate threat, GhostSocks, which converts compromised devices into SOCKS5 residential proxies.
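The masquerading trick relies on the name a process shows in `ps` coming from its command line, while `/proc/<pid>/exe` still resolves to the binary actually running. The check below is an added detection example, not part of Sekoia's report: it flags processes that present one of the article's daemon names but execute from a different (or deleted) file. The process records are constructed; `collect_procs()` reads a live Linux `/proc` when one is available and returns nothing elsewhere.

```python
"""Added detection heuristic for argv[0] masquerading (example code, not from
the report): compare the name a process shows in ps with the binary behind
/proc/<pid>/exe. Sample process records below are constructed.
"""
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Daemon names quoted in the article as the backdoor's masquerade list.
MASQUERADE_NAMES = {"igmpproxy", "wscd", "dhcpd", "httpd", "upnpd", "iapp"}


@dataclass
class Proc:
    pid: int
    ppid: int
    argv0: str  # first element of /proc/<pid>/cmdline (what ps/top display)
    exe: str    # readlink(/proc/<pid>/exe): the file actually executing


def collect_procs(proc_root: str = "/proc") -> List[Proc]:
    """Read live process records; empty list on non-Linux or without permission."""
    procs: List[Proc] = []
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return procs
    for pid in pids:
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                argv0 = fh.read().split(b"\x00")[0].decode(errors="replace")
            with open(os.path.join(base, "stat")) as fh:
                # "pid (comm) state ppid ..." ; comm may contain spaces/parens
                ppid = int(fh.read().rsplit(")", 1)[1].split()[1])
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # process exited or not readable; skip quietly
        procs.append(Proc(int(pid), ppid, argv0, exe))
    return procs


def suspicious(p: Proc) -> Optional[str]:
    """Return a reason if p shows a listed daemon name but runs another file."""
    shown = os.path.basename(p.argv0)
    if shown not in MASQUERADE_NAMES:
        return None
    real = os.path.basename(p.exe.replace(" (deleted)", ""))
    if real != shown:
        return f"argv[0] {p.argv0!r} but exe is {p.exe!r}"
    if p.exe.endswith(" (deleted)"):
        return f"{shown} is running from a deleted binary"
    return None


def find_masquerading(procs: List[Proc]) -> List[Tuple[int, str]]:
    """All (pid, reason) pairs worth an analyst's attention."""
    return [(p.pid, reason) for p in procs if (reason := suspicious(p))]


# --- constructed sample records ---------------------------------------------
SAMPLE_PROCS = [
    Proc(612, 1, "/usr/sbin/httpd", "/usr/sbin/httpd"),       # legitimate
    Proc(640, 1, "igmpproxy", "/usr/sbin/igmpproxy"),          # legitimate
    Proc(4410, 1, "/sbin/dhcpd", "/tmp/.x/implant"),           # name/exe mismatch
    Proc(4411, 4410, "upnpd", "/tmp/.x/implant (deleted)"),    # child, binary gone
    Proc(700, 1, "sshd", "/usr/sbin/sshd"),                    # not in the list
]

if __name__ == "__main__":
    records = collect_procs() or SAMPLE_PROCS
    for pid, reason in find_masquerading(records):
        print(f"pid {pid}: {reason}")
```

On embedded routers the same daemon names are legitimate, so the mismatch is a triage signal rather than a verdict; a parent/child pair that both trip the check (as pids 4410 and 4411 do in the sample) matches the fork-and-watch behaviour described above and deserves a closer look.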
First advertised under the malware-as-a-service (MaaS) model on the XSS forum in October 2023, GhostSocks has been integrated into the infamous Lumma Stealer since early 2024. This integration allows Lumma’s customers to easily monetize compromised devices by selling access to them after the initial infection. Synthient’s analysis highlights that GhostSocks provides clients with the ability to build a 32-bit DLL or executable.
The malware first attempts to locate a configuration file in the %TEMP% directory and falls back to a hard-coded configuration if the file isn’t found. The configuration file contains the C2 server details to which GhostSocks establishes a connection. This connection is used to provision the SOCKS5 proxy, ultimately utilizing the open-source go-socks5 and yamux libraries to spawn the relay connection. The rise of malware like PolarEdge and GhostSocks underscores a growing trend where cybercriminals are actively building vast, resilient networks of compromised devices—whether for command-and-control operations or for generating illicit revenue through proxy services—presenting a significant and evolving challenge for network security.