PolarEdge’s growing botnet campaign targets Cisco, ASUS, QNAP, and Synology Routers
October 21, 2025Ravi LakshmananMalware/vulnerabilities


Cybersecurity researchers have uncovered the inner workings of a botnet malware called PolarEdge.

PolarEdge was first documented by Sekoia in February 2025 as a campaign targeting Cisco, ASUS, QNAP, and Synology routers, recruiting the devices into the operators' network for an as-yet-unspecified purpose.

At its core, PolarEdge is a TLS-based ELF implant that listens for incoming client connections and executes the commands received over them.

Then, in August 2025, attack surface management platform Censys detailed the infrastructure backbone powering the botnet, noting that PolarEdge exhibits characteristics consistent with an operational relay box (ORB) network. There is evidence to suggest that activity related to this malware may have begun in June 2023.


In an attack chain observed in February 2025, an attacker was observed exploiting a known security flaw (CVE-2023-20118) affecting Cisco routers to download a shell script named ‘q’ via FTP. This script retrieves and executes the PolarEdge backdoor on the compromised system.

“The main function of the backdoor is to send the fingerprint of the host to a command and control server and listen for commands via the built-in TLS server implemented with mbedTLS,” the French cybersecurity firm said in its technical analysis of the malware.

PolarEdge supports two operating modes. In connect-back mode, the backdoor acts as a TLS client and downloads files from a remote server; in debug mode, it enters an interactive mode and changes its configuration (i.e., server information) on the fly.

The configuration is embedded in the last 512 bytes of the ELF image, obfuscated with a single-byte XOR, and can be decoded with the 1-byte key 0x11.
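The config layout described above lends itself to a small triage script. This is an added example, not Sekoia's tooling or PolarEdge's own code: it slices the 512-byte trailer off an image, XORs it with 0x11, and also shows how to recover the key by scoring all 256 candidates should a variant change it. The ELF bytes and the `key=value` field names are constructed for the demo.

```python
# Added example: recover a PolarEdge-style config trailer from an ELF image.
# Per the write-up, the config is the last 512 bytes, XORed with the byte 0x11.
CONFIG_LEN = 512
KNOWN_KEY = 0x11

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def extract_config(image: bytes, key: int = KNOWN_KEY) -> bytes:
    """Return the decoded 512-byte trailer; refuse images too short to hold one."""
    if len(image) < CONFIG_LEN:
        raise ValueError("image shorter than the 512-byte config trailer")
    return xor_bytes(image[-CONFIG_LEN:], key)

def score(decoded: bytes) -> float:
    """Heuristic for 'looks like a text config': printable ASCII or NUL padding,
    with a bonus when the trailer ends in NUL (C-string padding), which rules out
    keys that merely turn ASCII into other ASCII."""
    good = sum(1 for b in decoded if 0x20 <= b < 0x7F or b in (0x00, 0x0A, 0x0D))
    return good / len(decoded) + (1.0 if decoded.endswith(b"\x00") else 0.0)

def guess_key(image: bytes) -> int:
    """For a variant with an unknown key: pick the single-byte XOR key whose
    output scores highest. Assumes a mostly-ASCII, NUL-padded config."""
    trailer = image[-CONFIG_LEN:]
    return max(range(256), key=lambda k: score(xor_bytes(trailer, k)))

def parse_config(decoded: bytes) -> dict:
    """Split the decoded trailer into key=value lines (field names are assumptions)."""
    text = decoded.rstrip(b"\x00").decode("ascii", errors="replace")
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

# Constructed sample image: fake ELF magic, filler code, then the obfuscated trailer.
# 203.0.113.7 is a documentation address, not a real indicator.
_PLAINTEXT_CONFIG = b"server=203.0.113.7\nport=443\nmode=server\n".ljust(CONFIG_LEN, b"\x00")
SAMPLE_IMAGE = b"\x7fELF" + b"\x90" * 100 + xor_bytes(_PLAINTEXT_CONFIG, KNOWN_KEY)

if __name__ == "__main__":
    key = guess_key(SAMPLE_IMAGE)
    print(f"recovered key 0x{key:02x}:", parse_config(extract_config(SAMPLE_IMAGE, key)))
```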

However, its default mode is to act as a TLS server to send the host fingerprint to a command and control (C2) server and wait for commands to be sent. The TLS server is implemented with mbedTLS v2.8.0 and relies on a custom binary protocol to parse incoming requests that match certain criteria, including a parameter named “HasCommand.”

If the “HasCommand” parameter is equal to the ASCII character ‘1’, the backdoor extracts and executes the command specified in the “Command” field and sends back the raw output of the executed command.

Once launched, PolarEdge also deletes certain files on the infected device (such as /usr/bin/wget, /sbin/curl, etc.), but the exact purpose behind this step is unknown.

Additionally, the backdoor incorporates extensive anti-analysis techniques to obfuscate information related to TLS server setup and fingerprinting logic. To avoid detection, it uses process masquerading, randomly selecting a name from a predefined list during the initialization phase. Some of these names are igmpproxy, wscd, /sbin/dhcpd, httpd, upnpd, and iapp.
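Because the masquerade only changes the name a process reports, comparing that name with the binary actually backing it is a cheap host check. The script below is an added example, not Sekoia's or PolarEdge's code: it flags the names from the list above when the executable lives in a writable staging directory, has been unlinked, or does not match the claimed name, while allowing multi-call binaries such as busybox. The sample process table and the writable-directory list are assumptions for the demo.

```python
# Added example: triage processes whose reported name is one PolarEdge masquerades as.
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASQUERADE_NAMES = {"igmpproxy", "wscd", "dhcpd", "httpd", "upnpd", "iapp"}
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # assumption: writable staging dirs
MULTICALL = {"busybox"}   # embedded daemons legitimately run as busybox applets

@dataclass
class Proc:
    pid: int
    comm: str   # name the process reports (the malware picks this)
    exe: str    # resolved /proc/<pid>/exe target, "" if unreadable

def is_suspicious(p: Proc) -> Optional[str]:
    """Return a reason string if the process looks masqueraded, else None."""
    name = os.path.basename(p.comm)          # the list includes "/sbin/dhcpd"
    if name not in MASQUERADE_NAMES:
        return None
    if p.exe.endswith(" (deleted)"):
        return "backing file deleted"
    if p.exe.startswith(SUSPICIOUS_DIRS):
        return "runs from writable dir"
    exe_name = os.path.basename(p.exe)
    if exe_name in MULTICALL:
        return None                          # e.g. httpd applet inside busybox
    if exe_name != name:
        return f"comm {name!r} does not match exe {p.exe!r}"
    return None

def triage(procs: List[Proc]) -> List[Tuple[int, str]]:
    return [(p.pid, reason) for p in procs if (reason := is_suspicious(p))]

def read_live_procs() -> List[Proc]:
    """Collect Proc records from a real /proc (Linux); skips unreadable pids."""
    out = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue
        out.append(Proc(int(pid), comm, exe))
    return out

# Constructed sample table: one legitimate daemon, one busybox applet, three suspects.
SAMPLE_PROCS = [
    Proc(101, "httpd", "/usr/sbin/httpd"),
    Proc(212, "/sbin/dhcpd", "/bin/busybox"),
    Proc(742, "upnpd", "/tmp/.x/q"),
    Proc(903, "wscd", "/tmp/wscd (deleted)"),
    Proc(1200, "iapp", "/usr/bin/sh"),
]
```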

“The backdoor does not guarantee persistence across reboots, but it calls fork to spawn a child process and checks every 30 seconds whether /proc/ still exists,” Sekoia researchers explained. “If the directory disappears, the child runs a shell command to restart the backdoor.”

The disclosure comes as Synthient highlights GhostSocks’ ability to transform compromised devices into SOCKS5 residential proxies. GhostSocks is said to have first been promoted on the XSS forum in October 2023 under a malware-as-a-service (MaaS) model.


It is worth noting that as of early 2024, this service has been integrated into Lumma Stealer, allowing stealer malware customers to monetize compromised devices after infection.

“GhostSocks provides clients with the ability to build 32-bit DLLs or executables,” Synthient said in a recent analysis. “GhostSocks will try to find the configuration file in %TEMP%. If the configuration file is not found, it will fall back to hard-coded configuration.”

This configuration contains details of the C2 server to which a connection will be established in order to provision a SOCKS5 proxy and ultimately generate connections using the open source go-socks5 and yamux libraries.
