A sophisticated botnet campaign has compromised more than 25,000 IoT devices across 40 countries while establishing 140 command-and-control servers to facilitate cybercrime operations.
The PolarEdge botnet, first disclosed in February 2025, exploits vulnerable IoT and edge devices to construct an Operational Relay Box network that provides infrastructure-as-a-service for advanced persistent threat actors.
The malware operates through a client-server architecture, with RPX_Client components installed on compromised devices and RPX_Server nodes managing proxy services across multiple cloud platforms.
The botnet’s infection campaign began gaining momentum in May 2025 when security monitoring systems detected suspicious activity from IP address 111.119.223.196 distributing an ELF file flagged as PolarEdge-related.
Through correlation analysis, researchers uncovered the RPX_Client component, which onboards compromised devices into designated C2 node proxy pools while enabling remote command execution.
Qianxin researchers identified the malware after conducting a targeted investigation that followed detection by XLab’s Cyber Threat Insight and Analysis System.
The successive discoveries of RPX_Server and RPX_Client components enabled deeper understanding of the botnet’s relay operations and infrastructure scale.
Geographic distribution analysis reveals infection concentration in Southeast Asia and North America, with South Korea accounting for 41.97 percent of compromised devices, followed by China at 20.35 percent and Thailand at 8.37 percent.
Primary targets include KT CCTV systems, Shenzhen TVT DVRs, Cyberoam UTM appliances, and various router models from manufacturers including Asus, DrayTek, Cisco, and D-Link.
The botnet infrastructure operates across VPS nodes concentrated in autonomous system numbers 45102, 37963, and 132203, predominantly hosted on Alibaba Cloud and Tencent Cloud platforms.
Technical Architecture and Infection Mechanism
The RPX system implements a multi-hop proxy architecture designed for source concealment and attribution complexity. When attackers utilize the network, connections traverse from local proxy through RPX_Server to RPX_Client on compromised devices before reaching final destinations.
This layered approach effectively obscures attack origins while providing operational flexibility. The malware achieves persistence by appending a line to the device’s initialization script with the command:
echo "/bin/sh /mnt/mtd/rpx.sh &" >> /etc/init.d/rcS
Upon execution, RPX_Client disguises its process name as connect_server and enforces single-instance execution using PID file /tmp/.msc to prevent duplicate startups.
The malware attempts to read the global configuration file .fccq to obtain parameters including the C2 server address, communication port, device UUID, and brand information.
Configuration data undergoes single-byte XOR encryption with 0x25 before storage. Network operations utilize two independent connections: port 55555 for node registration and traffic proxying, and port 55560 for remote command execution through go-admin service.
The command structure enables flexible control through magic field values 0x11, 0x12, and 0x16 that define bot functions. Special built-in commands include change_pub_ip for updating C2 server addresses and update_vps for sample self-upgrade capabilities.
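A small triage helper, added here as an example and not code from the article or from the researchers, that applies the host indicators described above: it reverses the single-byte XOR (0x25) on a configuration blob and checks an init script, PID-file list and process list for the persistence line, the /tmp/.msc PID file and the connect_server process name. The .fccq layout is not documented in the article, so the sample configuration and the printable-text heuristic are assumptions.

```python
"""Triage helpers for the PolarEdge RPX_Client indicators (added example).

Assumptions not taken from the article: the .fccq file is an opaque byte string
XOR-ed with the single key byte 0x25, and the sample inputs below are constructed.
"""
import re

XOR_KEY = 0x25                                 # single-byte XOR key from the write-up
PERSIST_LINE = "/bin/sh /mnt/mtd/rpx.sh &"     # line appended to /etc/init.d/rcS
PID_FILE = "/tmp/.msc"                         # single-instance PID file
PROC_NAME = "connect_server"                   # disguised process name


def xor_decode(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Reverse the single-byte XOR applied to the stored config (XOR is self-inverse)."""
    return bytes(b ^ key for b in blob)


def looks_like_config(plain: bytes) -> bool:
    """Heuristic (assumed): a correctly decoded config is mostly printable and holds digits."""
    if not plain:
        return False
    printable = sum(32 <= b < 127 for b in plain) / len(plain)
    return printable > 0.9 and re.search(rb"\d{1,5}", plain) is not None


def score_host(rcs_text: str, pid_files: set, process_names: set) -> list:
    """Return the RPX_Client indicators found in a host snapshot."""
    findings = []
    if PERSIST_LINE in rcs_text:
        findings.append("rcS persistence line present")
    if PID_FILE in pid_files:
        findings.append("RPX PID file /tmp/.msc present")
    if PROC_NAME in process_names:
        findings.append("process masquerading as connect_server")
    return findings


# Constructed samples: a plausible plaintext config (documentation IP, fake UUID),
# its XOR-encoded form, and an init script carrying the injected line.
SAMPLE_PLAIN = b"c2=203.0.113.10;port=55555;uuid=0000-test;brand=kt"
SAMPLE_FCCQ = xor_decode(SAMPLE_PLAIN)          # encoding uses the same operation
SAMPLE_RCS = "#!/bin/sh\nmount -a\n/bin/sh /mnt/mtd/rpx.sh &\n"
CLEAN_RCS = "#!/bin/sh\nmount -a\n"

if __name__ == "__main__":
    print(xor_decode(SAMPLE_FCCQ).decode())
    print(score_host(SAMPLE_RCS, {"/tmp/.msc"}, {"init", "connect_server"}))
```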
Server logs confirm execution of infrastructure migration commands, demonstrating operators’ ability to rapidly relocate proxy pools when nodes face exposure.
Traffic analysis reveals non-targeted operations primarily directed toward mainstream platforms including QQ, WeChat, Google, and Cloudflare services.