PolarEdge Botnet Infected 25,000+ Devices

Source: Cyber Security News

A sophisticated botnet, known as PolarEdge, has infected more than 25,000 IoT devices across 40 countries and operates through 140 command-and-control servers that support cybercrime. First disclosed in February 2025, the malware exploits vulnerable devices to build an Operational Relay Box (ORB) network, designed to provide infrastructure for advanced persistent threat actors. The campaign came into focus in May 2025, when unusual activity was detected from a specific IP address that was distributing a malicious ELF file.

Qianxin researchers identified the PolarEdge malware through a targeted investigation, unraveling its dual-component architecture consisting of RPX_Client and RPX_Server. The botnet primarily targets surveillance equipment and routers from notable manufacturers, with a significant concentration of infections in Southeast Asia, particularly in South Korea, China, and Thailand. It employs a multi-hop proxy architecture to obscure attack origins while maintaining operational versatility. The malware achieves persistence by injecting commands into device initialization scripts, enabling remote command execution and complex configuration data management. Server logs suggest that operators can swiftly relocate proxy pools, underscoring the botnet’s adaptive capabilities.
