A sophisticated backdoor malware targeting Internet of Things devices has surfaced, employing advanced communication techniques to maintain persistent access to compromised systems.
The PolarEdge backdoor, first detected in January 2025, represents a significant evolution in IoT-focused threats, utilizing a custom TLS server implementation and proprietary binary protocol for command and control operations.
The malware initially emerged through exploitation of CVE-2023-20118, a vulnerability affecting Cisco routers that enables remote code execution.
Attackers leveraged this flaw to deploy web shells on target routers, establishing initial footholds for subsequent payload delivery.
The attack chain involves downloading and executing a shell script named “q” via FTP, which then retrieves and launches the PolarEdge backdoor on compromised systems.
PolarEdge demonstrates remarkable versatility in its target selection, with variants identified that specifically target Asus, QNAP, and Synology network devices.
The malware’s sophisticated design suggests careful development aimed at establishing long-term presence within network infrastructure components.
Its deployment pattern indicates coordinated campaigns originating from multiple IP addresses across different countries, all utilizing identical User-Agent HTTP headers during exploitation attempts.
Sekoia analysts identified the malware’s complex architecture during detailed reverse engineering analysis, revealing a 1.6 MB ELF 64-bit executable that employs multiple operational modes.
The backdoor functions primarily as a TLS server listening for incoming commands while simultaneously maintaining communication with command and control infrastructure through daily fingerprinting operations.
Advanced TLS Implementation and Communication Protocol
The PolarEdge backdoor’s most distinctive feature is its custom TLS server implementation, built on the mbedTLS v2.8.0 library.
This approach represents a departure from conventional malware communication methods, providing encrypted channels that closely resemble legitimate network traffic.
The TLS implementation utilizes multiple certificates including leaf certificates and certificate authority chains, creating an authentic-looking encrypted communication infrastructure.
The malware implements a proprietary binary protocol operating over the TLS connection, utilizing hardcoded tokens embedded within the executable’s data sections.
This protocol requires specific magic values for request validation, including tokens stored in the malware’s configuration and others hardcoded within the binary.
Command execution occurs when incoming requests contain the ASCII character “1” in the HasCommand field, followed by a two-byte length indicator and the actual command string.
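A decoder for the request framing described above, added here as an analyst-side example (not code from the Sekoia report or from the malware): it checks the token, tests the HasCommand flag for ASCII “1” and bounds-checks the two-byte length against the bytes actually received, so a sandbox or IDS log enricher can label decrypted requests without trusting the length field. The token width, its position ahead of the HasCommand byte and the big-endian length are assumptions; the sample frames are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Assumed frame layout (hypothetical, not taken from the published analysis):
#   [token TOKEN_LEN bytes][HasCommand 1 byte][length 2 bytes][command ...]
# The report only states that HasCommand holds ASCII "1" when a command is
# present and that a two-byte length precedes the command string; the token
# width, its offset and the byte order of the length are assumptions here.
TOKEN_LEN = 4
LEN_FMT = ">H"  # assumed big-endian length field
HEADER_LEN = TOKEN_LEN + 1 + struct.calcsize(LEN_FMT)

@dataclass
class Frame:
    token_ok: bool
    has_command: bool
    command: Optional[bytes]
    truncated: bool  # length field claims more bytes than were received
    note: str = ""

def parse_frame(payload: bytes, expected_token: bytes) -> Frame:
    """Decode one decrypted request under the assumed layout for analyst
    tooling (log enrichment, signature validation); it never sends anything."""
    if len(payload) < HEADER_LEN:
        return Frame(False, False, None, True, "short header")
    token_ok = payload[:TOKEN_LEN] == expected_token
    has_command = payload[TOKEN_LEN:TOKEN_LEN + 1] == b"1"
    if not has_command:
        return Frame(token_ok, False, None, False, "no command flag")
    (length,) = struct.unpack_from(LEN_FMT, payload, TOKEN_LEN + 1)
    body = payload[HEADER_LEN:HEADER_LEN + length]
    if len(body) < length:
        # Declared length overruns the data: flag it rather than read past it.
        return Frame(token_ok, True, body, True,
                     f"expected {length} bytes, got {len(body)}")
    return Frame(token_ok, True, body, False, "")

# Constructed sample frames (not captured traffic): a well-formed command
# request, one without the command flag, and one whose length overruns the data.
SAMPLE_TOKEN = b"ABCD"
SAMPLE_OK = SAMPLE_TOKEN + b"1" + struct.pack(LEN_FMT, 5) + b"uname"
SAMPLE_NOCMD = SAMPLE_TOKEN + b"0" + struct.pack(LEN_FMT, 0)
SAMPLE_TRUNC = SAMPLE_TOKEN + b"1" + struct.pack(LEN_FMT, 12) + b"ab"

if __name__ == "__main__":
    for name, raw in (("ok", SAMPLE_OK), ("nocmd", SAMPLE_NOCMD),
                      ("trunc", SAMPLE_TRUNC)):
        print(name, parse_frame(raw, SAMPLE_TOKEN))
```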
Fingerprinting operations run continuously in dedicated threads, collecting comprehensive system information including local IP addresses, MAC addresses, process identifiers, and device-specific details.
This data is transmitted to command and control servers in HTTP GET requests whose query strings follow a specific format.
The malware constructs these requests using encrypted format strings that decode to reveal parameters such as device brand, module version, and collected system identifiers.
The backdoor supports multiple operational modes beyond its default server functionality. Connect-back mode enables the malware to function as a TLS client for file download operations, while debug mode provides configuration update capabilities for command and control server addresses.
These operational modes demonstrate the malware’s flexibility and the developers’ consideration for various deployment scenarios and maintenance requirements.