Close Menu
TechurzTechurz
    What's Hot

    IQM, Europe’s first public quantum company, admits the future of the tech is uncertain

    July 2, 2026

    Indian tech tycoon bets $30M of his own money to build AI alternative to Microsoft Office

    July 2, 2026

    Bending Spoons defies SaaS slump, surges 40% on first day of trading

    July 1, 2026
    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    Tech Pulse
    • IQM, Europe’s first public quantum company, admits the future of the tech is uncertain
    • Indian tech tycoon bets $30M of his own money to build AI alternative to Microsoft Office
    • Bending Spoons defies SaaS slump, surges 40% on first day of trading
    • Humble Robotics’ CEO says the tech finally caught up to the vision for autonomous vehicles
    • Autonomous vehicle hype is back, and Humble Robotics is bringing it to freights
    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    TechurzTechurz
    • Home
    • Tech Pulse
    • Future Tech
    • AI Systems
    • Cyber Reality
    • Disruption Lab
    • Signals
    TechurzTechurz
    Home - Cyber Reality - PolarEdge Targets Cisco, ASUS, QNAP, Synology Routers in Expanding Botnet Campaign
    Cyber Reality

    PolarEdge Targets Cisco, ASUS, QNAP, Synology Routers in Expanding Botnet Campaign

    TechurzBy TechurzOctober 21, 2025Updated:May 10, 2026No Comments4 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Botnet Campaign
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Oct 21, 2025Ravie LakshmananMalware / Vulnerability

    Cybersecurity researchers have shed light on the inner workings of a botnet malware called PolarEdge.

    PolarEdge was first documented by Sekoia in February 2025, attributing it to a campaign targeting routers from Cisco, ASUS, QNAP, and Synology with the goal of corralling them into a network for an as-yet-undetermined purpose.

    The TLS-based ELF implant, at its core, is designed to monitor incoming client connections and execute commands within them.

    Then, in August 2025, attack surface management platform Censys detailed the infrastructural backbone powering the botnet, with the company noting that PolarEdge exhibits characteristics that are consistent with an Operational Relay Box (ORB) network. There is evidence to suggest that the activity involving the malware may have started as far back as June 2023.

    In the attack chains observed in February 2025, the threat actors have been observed exploiting a known security flaw impacting Cisco routers (CVE-2023-20118) to download a shell script named “q” over FTP, which is then responsible for retrieving and executing the PolarEdge backdoor on the compromised system.

    “The backdoor’s primary function is to send a host fingerprint to its command-and-control server and then listen for commands over a built-in TLS server implemented with mbedTLS,” the French cybersecurity company said in a technical breakdown of the malware.

    PolarEdge is designed to support two modes of operation: a connect-back mode, where the backdoor acts as a TLS client to download a file from a remote server, and debug mode, where the backdoor enters into an interactive mode to modify its configuration (i.e., server information) on-the-fly.

    The configuration is embedded in the final 512 bytes of the ELF image, obfuscated by a one-byte XOR that can be decrypted with single-byte key 0x11.

    However, its default mode is to function as a TLS server in order to send a host fingerprint to the command-and-control (C2) server and wait for commands to be sent. The TLS server is implemented with mbedTLS v2.8.0 and relies on a custom binary protocol for parsing incoming requests matching specific criteria, including a parameter named “HasCommand.”

    Encryption algorithms used to obfuscate parts of the backdoor

    If the “HasCommand” parameter equals the ASCII character 1, the backdoor proceeds to extract and run the command specified in the “Command” field and transmits back the raw output of the executed command.

    Once launched, PolarEdge also moves (e.g., /usr/bin/wget, /sbin/curl) and deletes certain files (“/share/CACHEDEV1_DATA/.qpkg/CMS-WS/cgi-bin/library.cgi.bak”) on the infected device, although the exact purpose behind this step is unclear.

    Furthermore, the backdoor incorporates a wide range of anti-analysis techniques to obfuscate information related to the TLS server setup and fingerprinting logic. To evade detection, it employs process masquerading during its initialization phase by choosing from a predefined list a name at random. Some of the names included are: igmpproxy, wscd, /sbin/dhcpd, httpd, upnpd, and iapp.

    “Although the backdoor does not ensure persistence across reboots, it calls fork to spawn a child process that, every 30 seconds, checks whether /proc/ still exists,” Sekoia researchers explained. “If the directory has disappeared, the child executes a shell command to relaunch the backdoor.”

    The disclosure comes as Synthient highlighted GhostSocks’ ability to convert compromised devices into SOCKS5 residential proxies. GhostSocks is said to have been first advertised under the malware-as-a-service (MaaS) model on the XSS forum in October 2023.

    It’s worth noting that the offering has been integrated into Lumma Stealer as of early 2024, allowing customers of the stealer malware to monetize the compromised devices post-infection.

    “GhostSocks provides clients with the ability to build a 32-bit DLL or executable,” Synthient said in a recent analysis. “GhostSocks will attempt to locate a configuration file in %TEMP%. In the scenario that the configuration file cannot be found, it will fall back to a hard-coded config.”

    The configuration contains details of the C2 server to which a connection is established for provisioning the SOCKS5 proxy and ultimately spawning a connection using the open-source go-socks5 and yamux libraries.

    Asus botnet campaign Cisco expanding PolarEdge QNAP Routers Synology targets
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleOpen source agentic startup LangChain hits $1.25B valuation
    Next Article Sesame, the conversational AI startup from Oculus founders, raises $250M and launches beta
    Techurz
    • Website

    Related Posts

    Cyber Reality

    Digital Identity Protection: 7 Hidden Risks Most Users Miss

    May 25, 2026
    Cyber Reality

    Neural Data Policy: 7 Risks That Brain Privacy Laws Miss

    May 25, 2026
    Cyber Reality

    How AI Changing Cyber Crime: 7 Critical Shifts to Watch

    May 25, 2026
    Add A Comment
    Latest Tech Pulse

    College social app Fizz expands into grocery delivery

    September 3, 20252,290

    12 Father’s Day E-Card Sites That Are Actually Good

    June 4, 202523

    SolarSquare in talks to raise up to $60M as India’s rooftop solar market draws major VC interest

    May 23, 202622
    Stay In Touch
    • YouTube
    • WhatsApp
    • Twitter
    • Pinterest
    • LinkedIn

    Techurz helps readers stay ahead of digital change with clear, practical, future focused technology intelligence written today,searched tomorrow.

    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    Company
    • About Us
    • Contact Us
    • Our Authors / Editorial Team
    • Write For Us
    • Advertise
    Policy
    • Editorial Policy
    • Privacy Policy
    • Terms and Conditions
    • Affiliate Disclosure
    • Cookie Policy
    • Disclaimer
    • DMCA
    Explore
    • AI Systems
    • Cyber Reality
    • Future Tech
    • Disruption Lab
    • Signals
    • Tech Pulse
    • Sitemap

    Join the Techurz Brief

    The future does not arrive suddenly.
    Stay ahead with fast, sharp tech signals.

    Type above and press Enter to search. Press Esc to cancel.