Researchers at Sekoia have examined the inner workings of the PolarEdge botnet. First described by the company’s specialists in February 2025, the malware is linked to a campaign targeting Cisco, ASUS, QNAP, and Synology devices. The devices are being combined into a botnet for as-yet undetermined purposes.
In August 2025, Censys analysts took a closer look at the botnet’s infrastructure. At the time, it was noted that PolarEdge exhibits characteristics typical of Operational Relay Box (ORB) networks, and the malware’s activity may have started as early as June 2023.
In attacks observed in February 2025, the attackers exploited a known vulnerability in Cisco routers (CVE-2023-20118) to upload, via FTP, a shell script named q. This script then downloaded and executed the PolarEdge backdoor on the compromised device.
“The backdoor’s primary function is to send host data to the command-and-control (C2) server, then await commands via a built-in TLS server implemented with mbedTLS,” the Sekoia researchers now report.
PolarEdge supports two operating modes: a reverse connection mode, where the backdoor acts as a TLS client to download a file from a remote server, and a debug mode, where the backdoor switches to an interactive mode to modify the configuration (i.e., the server information).
The configuration is embedded in the last 512 bytes of the ELF file and obfuscated with a single-byte XOR key (0x11). By default, though, the malware operates as a TLS server that transmits information about the infected system to its operators and awaits further commands.
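As an added triage example (not Sekoia's tooling or the malware's own code), the following Python helper applies exactly what is described above: it takes the trailing 512 bytes of an ELF sample, XORs them with 0x11, and pulls printable strings out of the result. The internal field layout of the configuration block is not described here, so the script assumes nothing about it; the ELF bytes it runs on are a constructed stand-in, not a real sample.

```python
CONFIG_SIZE = 512        # configuration occupies the last 512 bytes of the ELF (per Sekoia)
XOR_KEY = 0x11           # single-byte XOR key reported for the obfuscation
ELF_MAGIC = b"\x7fELF"


def decode_trailer(elf_bytes: bytes, size: int = CONFIG_SIZE, key: int = XOR_KEY) -> bytes:
    """Return the de-obfuscated trailing configuration block of an ELF image."""
    if not elf_bytes.startswith(ELF_MAGIC):
        raise ValueError("not an ELF image")
    if len(elf_bytes) < size:
        raise ValueError("image shorter than the configuration block")
    return bytes(b ^ key for b in elf_bytes[-size:])


def printable_strings(blob: bytes, min_len: int = 3) -> list[str]:
    """Extract runs of printable ASCII (delimited by NUL or other non-printable bytes)."""
    out, cur = [], bytearray()
    for b in blob:
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


def extract_config_strings(elf_bytes: bytes) -> list[str]:
    """Decode the trailer and list the strings it contains (e.g. server host and port)."""
    return printable_strings(decode_trailer(elf_bytes))


def build_sample(config: bytes) -> bytes:
    """Constructed stand-in for a sample: ELF magic, filler, then the XORed config padded to 512 bytes.
    Layout of the filler is arbitrary; only the trailer matters for the extractor."""
    padded = config.ljust(CONFIG_SIZE, b"\x00")
    body = ELF_MAGIC + b"\x00" * 60   # placeholder header/body, not a real ELF
    return body + bytes(b ^ XOR_KEY for b in padded)


if __name__ == "__main__":
    # RFC 5737 documentation address and a port, constructed for the demo
    sample = build_sample(b"203.0.113.10\x00443\x00")
    for s in extract_config_strings(sample):
        print(s)
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `extract_config_strings`; the same slicing applies because the block sits at the very end of the image.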
The TLS server is implemented using mbedTLS v2.8.0 and uses a custom binary protocol to parse incoming requests that meet certain criteria, including a parameter named HasCommand. If the HasCommand parameter equals the ASCII character 1, the backdoor extracts and executes the command specified in the Command field and returns the result of the executed command.
After launch, PolarEdge also moves certain binaries (/usr/bin/wget, /sbin/curl) and deletes certain files (/share/CACHEDEV1_DATA/.qpkg/CMS-WS/cgi-bin/library.cgi.bak) on the infected device. Notably, it remains unclear what purpose this step serves for the attackers.
In addition, the backdoor employs a wide range of anti-analysis techniques to conceal information about the TLS server configuration and fingerprinting logic. To evade detection, it performs process masquerading during initialization, randomly selecting a name from a predefined list. Some of the names include: igmpproxy, wscd, /sbin/dhcpd, httpd, upnpd, and iapp.
“Although the backdoor does not provide persistence after a reboot, it performs a fork to spawn a child process that checks every 30 seconds whether /proc/<parent-pid> still exists,” the researchers explain. “If the directory disappears, the child process executes a shell command to restart the backdoor.”