PolarEdge Targets Cisco, ASUS, QNAP, Synology Routers in Expanding Botnet Campaign
Briefly

"PolarEdge was first documented by Sekoia in February 2025, attributing it to a campaign targeting routers from Cisco, ASUS, QNAP, and Synology with the goal of corralling them into a network for an as-yet-undetermined purpose. The TLS-based ELF implant, at its core, is designed to monitor incoming client connections and execute commands within them. Then, in August 2025, attack surface management platform Censys detailed the infrastructural backbone powering the botnet,"
"In the attack chains observed in February 2025, the threat actors have been observed exploiting a known security flaw impacting Cisco routers (CVE-2023-20118) to download a shell script named "q" over FTP, which is then responsible for retrieving and executing the PolarEdge backdoor on the compromised system. "The backdoor's primary function is to send a host fingerprint to its command-and-control server and then listen for commands over a built-in TLS server implemented with mbedTLS,""
"PolarEdge is designed to support two modes of operation: a connect-back mode, where the backdoor acts as a TLS client to download a file from a remote server, and debug mode, where the backdoor enters into an interactive mode to modify its configuration (i.e., server information) on-the-fly. The configuration is embedded in the final 512 bytes of the ELF image, obfuscated by a one-byte XOR that can be decrypted with single-byte key 0x11."
PolarEdge targets routers and NAS devices from Cisco, ASUS, QNAP, and Synology and exploits known vulnerabilities to deploy a TLS-based ELF backdoor. The implant first sends a host fingerprint to its command-and-control server, then listens for commands on a built-in TLS server implemented with mbedTLS. In the delivery chains observed in February 2025, the attackers exploited CVE-2023-20118 on Cisco routers to fetch a shell script named "q" over FTP, which in turn retrieves and runs the backdoor. The backdoor supports a connect-back mode (acting as a TLS client to download a file) and an interactive debug mode for changing its configuration on the fly. That configuration sits in the final 512 bytes of the ELF image, obfuscated with a single-byte XOR using the key 0x11. The supporting infrastructure shows ORB (operational relay box)-like characteristics, and activity may date back to June 2023.
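The embedded-configuration detail above is the kind of thing an analyst wants to check directly on a sample. The following script is an added example, not code from the article, Sekoia, or Censys: it takes the final 512 bytes of an ELF image, XOR-decodes them with 0x11, and lists the printable strings. It also guesses the key as the most frequent byte in the trailer, which only works on the assumption (not stated on the page) that the config region is mostly null padding. The sample image and the "host:port" config layout inside it are constructed for the demo and are not PolarEdge's real format.

```python
import re
import sys
from collections import Counter

XOR_KEY = 0x11      # single-byte key reported for the PolarEdge config trailer
CONFIG_SIZE = 512   # config occupies the final 512 bytes of the ELF image


def extract_config(image: bytes, key: int = XOR_KEY, size: int = CONFIG_SIZE) -> bytes:
    """Return the last `size` bytes of `image`, XOR-decoded with `key`."""
    if len(image) < size:
        raise ValueError(f"image is {len(image)} bytes, smaller than the {size}-byte trailer")
    return bytes(b ^ key for b in image[-size:])


def guess_single_byte_key(trailer: bytes) -> int:
    """Heuristic: if the trailer is mostly zero padding, the most common byte IS the key
    (0x00 ^ key == key). Assumption for demonstration; verify against real samples."""
    return Counter(trailer).most_common(1)[0][0]


def printable_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Crude strings(1): runs of printable ASCII at least `min_len` long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def encode_config(plaintext: bytes, key: int = XOR_KEY, size: int = CONFIG_SIZE) -> bytes:
    """Zero-pad to `size` and XOR; used here only to build the constructed sample."""
    return bytes(b ^ key for b in plaintext.ljust(size, b"\x00")[:size])


# Constructed sample, NOT a real PolarEdge binary. The "c2=host:port" line is a
# hypothetical config layout; 203.0.113.10 is a documentation-range address.
SAMPLE_CONFIG = b"c2=203.0.113.10:443\nmode=listen\n"
SAMPLE_IMAGE = b"\x7fELF" + b"A" * 1024 + encode_config(SAMPLE_CONFIG)


def analyse(image: bytes) -> dict:
    """Decode the trailer and report the guessed key plus recovered strings."""
    trailer = image[-CONFIG_SIZE:]
    guessed = guess_single_byte_key(trailer)
    decoded = extract_config(image, key=XOR_KEY)
    return {
        "guessed_key": guessed,
        "key_matches_report": guessed == XOR_KEY,
        "strings": printable_strings(decoded),
    }


if __name__ == "__main__":
    # Usage: python polaredge_cfg.py <elf-path>; with no path, runs on the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    result = analyse(data)
    print(f"guessed key: 0x{result['guessed_key']:02x} (matches 0x11: {result['key_matches_report']})")
    for s in result["strings"]:
        print(s)
```

Because XOR with a fixed byte is its own inverse, `encode_config` and `extract_config` are the same operation; the key-guessing heuristic is a quick sanity check rather than proof, so compare the recovered strings (expected C2 host/port material) against the reported 0x11 before trusting the output on a real sample.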
Read at The Hacker News