New PolarEdge botnet attacks Cisco, ASUS, QNAP and Synology routers

22.10.2025 2 minutes Author: Newsman

Cybersecurity experts have discovered a large-scale PolarEdge botnet campaign that infects edge devices from leading brands: Cisco and ASUS routers and QNAP and Synology NAS appliances. The attackers' goal is to build a distributed network of infected devices that can be used for further attacks or covert operations. The exploited vulnerability allows commands to be executed on the device without the owner's knowledge, turning it into a botnet node.

The PolarEdge botnet was first documented by Sekoia researchers in February 2025. They observed attackers exploiting a known command-injection vulnerability in the web management interface of Cisco RV-series routers (CVE-2023-20118) to download a malicious script named "q", which installed the PolarEdge backdoor. The backdoor is a TLS-protected ELF implant: it runs its own TLS server, built on mbedTLS 2.8.0, through which it accepts client connections and executes remote commands.

PolarEdge has two modes of operation:

  • connect-back — connecting to a remote server to retrieve files;

  • debug-mode — changing the configuration in real time.

The configuration is stored in the last 512 bytes of the ELF file, obfuscated with a single-byte XOR key (0x11).
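As an added example (not code from the article, from Sekoia or from the malware itself), the script below pulls that trailer out of an ELF file and reverses the single-byte XOR. The article states only the location (last 512 bytes) and the key (0x11); the field layout, the padding handling and the sample configuration string are constructed assumptions, and the "trailing 0x11 run" triage signal only holds if the plaintext was NUL-padded before encoding.

```python
# Added example, not code from the article or from Sekoia/Censys.
# Known from the article: config = last 512 bytes of the ELF, XOR 0x11.
# Assumed here: plaintext is NUL-padded to 512 bytes; field layout of the
# sample string is constructed and not the real PolarEdge format.
import sys

TRAILER_LEN = 512
XOR_KEY = 0x11


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def trailer(elf: bytes) -> bytes:
    """Last 512 bytes of the file, where the article places the configuration."""
    if len(elf) < TRAILER_LEN:
        raise ValueError("file is shorter than the configuration trailer")
    return elf[-TRAILER_LEN:]


def decode_config(elf: bytes) -> bytes:
    """XOR the trailer back to plaintext and drop padding.

    NUL padding in the plaintext is stored on disk as 0x11, while raw zero
    padding on disk decodes to 0x11, so both are stripped from the tail."""
    return xor_bytes(trailer(elf)).rstrip(b"\x00\x11")


def trailing_key_run(elf: bytes) -> int:
    """Triage signal (assumption): a NUL-padded, XOR-0x11 trailer ends in a
    run of 0x11 bytes, which a normal ELF does not have."""
    run = 0
    for b in reversed(trailer(elf)):
        if b != XOR_KEY:
            break
        run += 1
    return run


def is_elf(data: bytes) -> bool:
    return data[:4] == b"\x7fELF"


# Constructed sample configuration; not the real PolarEdge layout.
SAMPLE_CONFIG = b"mode=connect-back;server=203.0.113.10:443;proc=igmpproxy;check=30"


def build_sample(config: bytes) -> bytes:
    """Constructed stand-in for an implant: fake ELF header, filler, encoded trailer."""
    padded = config.ljust(TRAILER_LEN, b"\x00")
    body = b"\x7fELF" + bytes(60) + bytes(range(256)) * 4
    return body + xor_bytes(padded)


def main(argv):
    # With a path argument the file on disk is analysed; otherwise the sample.
    data = open(argv[1], "rb").read() if len(argv) > 1 else build_sample(SAMPLE_CONFIG)
    if not is_elf(data):
        print("not an ELF file")
        return 1
    print("trailing 0x11 run:", trailing_key_run(data))
    print("decoded trailer  :", decode_config(data))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 polaredge_trailer.py /path/to/suspect.elf` on a binary copied off a device. Note that XOR with 0x11 only flips two bits, so printable ASCII stays mostly printable after encoding; a "strings"-style check on the raw trailer will not distinguish encoded from plain text, which is why the padding run, not printability, is used as the cheap signal here.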

To avoid detection, the implant spoofs its process name (using names such as igmpproxy, httpd and dhcpd) and employs anti-analysis techniques. PolarEdge does not persist across reboots, but every 30 seconds it checks whether its parent process is still running and restarts itself as needed.
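The process-name spoofing is the detail a responder can act on: a renamed implant still has to run from somewhere, and `/proc/<pid>/exe` points at the real binary. The following added example (not code from the article or from any vendor) lists processes whose name matches one of the spoofed names but whose executable does not live where the firmware's own daemons do. The trusted and volatile directory prefixes and the sample process table are constructed assumptions and must be adjusted for the firmware in question.

```python
# Added example, not code from the article. Flags processes named like the
# spoofed daemons the article lists (igmpproxy, httpd, dhcpd) whose backing
# executable is missing, deleted or outside the firmware's binary directories.
# TRUSTED_PREFIXES, VOLATILE_PREFIXES and SAMPLE_PROCS are constructed assumptions.
import os
from typing import Dict, List, Optional, Tuple

MASKED_NAMES = {"igmpproxy", "httpd", "dhcpd"}
# Assumption: a Linux-based router keeps its own daemons under these prefixes.
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/")
# Writable or volatile locations a dropped implant typically runs from.
VOLATILE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/data/", "/mnt/")
DELETED_SUFFIX = " (deleted)"

Proc = Dict[str, Optional[str]]


def classify(proc: Proc) -> List[str]:
    """Reasons a process looks like a masquerading implant; empty list = clean."""
    reasons: List[str] = []
    name = proc.get("comm") or ""
    exe = proc.get("exe")
    if name not in MASKED_NAMES:
        return reasons
    if exe is None:
        return ["exe link unreadable (need root?)"]
    if exe.endswith(DELETED_SUFFIX):
        reasons.append("executable deleted from disk")
        exe = exe[: -len(DELETED_SUFFIX)]
    if exe.startswith(VOLATILE_PREFIXES):
        reasons.append("runs from volatile path " + exe)
    elif not exe.startswith(TRUSTED_PREFIXES):
        reasons.append("unexpected path " + exe)
    if os.path.basename(exe) != name:
        reasons.append("comm %r does not match binary %r" % (name, os.path.basename(exe)))
    return reasons


def collect_procs(proc_root: str = "/proc") -> List[Proc]:
    """Read comm and the exe symlink for every pid under proc_root (Linux only)."""
    procs: List[Proc] = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited between listdir and open
        try:
            exe: Optional[str] = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = None  # kernel thread, or not our process and no root
        procs.append({"pid": pid, "comm": comm, "exe": exe})
    return procs


def find_suspects(procs: List[Proc]) -> List[Tuple[str, str, List[str]]]:
    """(pid, comm, reasons) for every process classify() flags."""
    out = []
    for p in procs:
        reasons = classify(p)
        if reasons:
            out.append((p["pid"] or "?", p["comm"] or "", reasons))
    return out


# Constructed process table: two legitimate daemons and two masquerading implants.
SAMPLE_PROCS: List[Proc] = [
    {"pid": "1", "comm": "init", "exe": "/sbin/init"},
    {"pid": "412", "comm": "httpd", "exe": "/usr/sbin/httpd"},
    {"pid": "9731", "comm": "igmpproxy", "exe": "/tmp/q" + DELETED_SUFFIX},
    {"pid": "9802", "comm": "dhcpd", "exe": "/var/tmp/.x"},
]

if __name__ == "__main__":
    for pid, comm, reasons in find_suspects(collect_procs()):
        print(pid, comm, "; ".join(reasons))
```

Because the implant does not survive a reboot, copy the binary out first (`cp /proc/<pid>/exe /mnt/usb/polaredge.bin` still works even when the file on disk was deleted) and only then power-cycle the device; otherwise the sample is gone. The check needs root to read other processes' `exe` links on most firmware, and an implant that loads itself from memory or uses an existing system binary would not be caught by path alone, so treat a clean result as one signal, not a clearance.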

[Image: Encryption algorithms used to obfuscate parts of the backdoor]

In addition, the botnet is capable of deleting or modifying system files, although the exact purpose of these actions remains unknown.

In August 2025, Censys analysts described the PolarEdge infrastructure and classified it as an operational relay box (ORB) network, a layered architecture for covertly controlling infected nodes and routing traffic through them. There is reason to believe that the botnet has been active since 2023.

Experts also compare PolarEdge to GhostSocks, a system that turns compromised devices into SOCKS5 proxies and was later integrated into Lumma Stealer to monetize infected hosts. This reflects a broader trend: botnets and malicious services are merging into commercial MaaS (malware-as-a-service) platforms.

PolarEdge is another example of the evolution of botnets that masquerade as legitimate processes and spread through known firmware vulnerabilities. Experts urge administrators to update device firmware immediately, monitor for unexpected TLS listeners and connections, and inspect running processes. Without timely updates, even an ordinary home router can become part of a global botnet.
