A look at PolarEdge Adjacent Infrastructure

Sept. 1, 2025, 10:35 a.m.

Description

This analysis examines the infrastructure associated with PolarEdge, an IoT botnet that exploits CVE-2023-20118. The investigation reveals connections between various certificates and services, including a WebRTC e-book certificate and suspicious PolarSSL certificates. A key discovery is the RPX server, a reverse-connect proxy gateway system found on a host presenting multiple suspicious certificates. The RPX server manages proxy nodes and exposes SOCKS5 and Trojan-protocol proxy services. Technical analysis of the RPX binary shows how it handles client connections, proxy node registration, and traffic obfuscation. The investigation highlights the potential relationship between the RPX system and the PolarEdge botnet, illustrating the complexity of IoT botnet infrastructure.

Date

  • Created: Sept. 1, 2025, 9:30 a.m.
  • Published: Sept. 1, 2025, 9:30 a.m.
  • Modified: Sept. 1, 2025, 10:35 a.m.

Indicators

  • 827797a9bff728ae6f46abd505e67a15e40b0ba69a8dc92a36fd90d9974c9593
  • 190.92.202.218
  • 159.138.83.57
  • 119.8.186.227

Attack Patterns

  • PolarEdge

Additional Information

  • Singapore
  • China

Linked vulnerabilities