Cybersecurity researchers have detailed the operational mechanics of a botnet malware named PolarEdge. The campaign targets routers and other network edge devices from Cisco, ASUS, QNAP, and Synology, and aims to absorb the compromised devices into a growing botnet. What the operators ultimately intend to do with the network has not been determined from the available findings.
The activity was first formally documented by the security firm Sekoia in February 2025. Sekoia's analysis identified PolarEdge as a TLS-based ELF implant that listens for incoming client connections on the infected device and executes the commands it receives over them. Evidence suggests the activity associated with the malware may have started as early as June 2023, indicating a long-running operation.
Attack Infrastructure and Exploitation
In August 2025, the attack surface management company Censys provided further insight into the botnet's infrastructure. Censys reported that PolarEdge's network exhibits characteristics consistent with an Operational Relay Box (ORB) network: a pool of compromised devices used to relay and anonymize malicious traffic so that the true origin of the threat actors is obscured.
Attack chains observed in February 2025 showed a clear initial access method. The operators exploited CVE-2023-20118, a command injection vulnerability in the web-based management interface of Cisco's end-of-life Small Business RV-series routers (RV016, RV042, RV042G, RV082, RV320, and RV325). Successful exploitation was used to download the PolarEdge malware onto the device, enlisting it into the botnet.
Observed Characteristics and Campaign Scope
At its core, the PolarEdge implant exists to give the operators persistent, remotely commandable control over infected edge devices. By targeting several widely deployed brands, the threat actors can build a large and geographically distributed network of compromised devices. The campaign highlights the ongoing threat to network edge devices and the importance of applying fixes for known vulnerabilities before they are co-opted for malicious activity; where a device is end-of-life and no fix will be issued, as is the case for the Cisco routers affected by CVE-2023-20118, the practical mitigation is to remove the management interface from the internet and retire the device.
Source: https://thehackernews.com/2025/10/polaredge-targets-cisco-asus-qnap.html