Smoking Gun Uncovered: RPX Relay at PolarEdge's Core Exposed

Oct. 29, 2025, 8:20 p.m.

Description

A new component of PolarEdge's infrastructure, RPX_Client, has been discovered, revealing insights into the threat actor's relay operations. The investigation uncovered 140 VPS nodes acting as RPX Servers and over 25,000 infected devices serving as RPX Clients. The system uses a multi-hop design to conceal attack sources, with compromised IoT devices and VPS servers forming robust barriers. RPX_Client functions as a jumpserver in the Operational Relay Box (ORB) network, providing proxy services and enabling remote command execution. The analysis also revealed connections between previously known PolarEdge infrastructure and the newly discovered components, confirming the attribution to this threat actor.

External References

https://blog.xlab.qianxin.com/smoking-gun-uncovered-rpx-relay-at-polaredges-core-exposed
https://otx.alienvault.com/pulse/69025eeb36a0f5fdf2f85765
Tags
evasion
iot
botnet
proxy
infrastructure
orb
command execution
polaredge
CVE-2023-20118
vps
2025-10-29
rpx_server
rpx_client

Date

  • Created: Oct. 29, 2025, 6:37 p.m.
  • Published: Oct. 29, 2025, 6:37 p.m.
  • Modified: Oct. 29, 2025, 8:20 p.m.

Indicators

  • e234e102cd8de90e258906d253157aeb7699a3c6df0c4e79e05d01801999dcb5
  • 3f00058448b8f7e9a296d0cdf6567ceb23895345eae39d472350a27b24efe999
  • 827797a9bff728ae6f46abd505e67a15e40b0ba69a8dc92a36fd90d9974c9593
  • beastdositadvtofm.site
  • icecreand.cc
  • centrequ.cc
  • blog.sekoia.io
Download all indicators here!

Attack Patterns

  • PolarEdge

Additional Informations

  • British Indian Ocean Territory
  • India
  • China
  • Thailand
  • Malaysia
  • Indonesia
  • Israel
  • United States of America
  • Russian Federation