PolarEdge Botnet's Growing Reach: Major Router Brands Now Under Threat

Updated: 16 hours ago

A sophisticated botnet known as PolarEdge has significantly expanded its operations and is now targeting popular router brands including Cisco, ASUS, QNAP, and Synology. First identified in early 2025, this evolving threat exploits known vulnerabilities to compromise network devices, for purposes that have not yet been determined. The botnet's infrastructure and methods suggest a well-coordinated and skilled threat actor.

Key Takeaways

  • The PolarEdge botnet is actively compromising routers from major manufacturers like Cisco, ASUS, QNAP, and Synology.

  • Exploitation of known vulnerabilities, such as CVE-2023-20118 in Cisco routers, is a primary infection vector.

  • The botnet's ultimate goal remains undetermined, but possibilities include DDoS attacks, proxy services, or malware distribution.

  • The malware employs anti-analysis techniques and process masquerading to evade detection.

  • Activity associated with PolarEdge may have begun as early as June 2023.

The Expanding Threat Landscape

Cybersecurity researchers have detailed the inner workings of the PolarEdge botnet, which has been actively expanding its reach since at least late 2023. Initially documented by Sekoia, the botnet was observed exploiting a critical security flaw (CVE-2023-20118) in Cisco Small Business routers. This vulnerability, affecting end-of-life devices, allows for arbitrary command execution.

The attack chain typically involves downloading a shell script named "q" via FTP, which then retrieves and executes the PolarEdge backdoor. This implant is designed to establish a TLS-based connection with its command-and-control (C2) server, sending a host fingerprint and awaiting further instructions.

Malware Capabilities and Evasion Tactics

PolarEdge operates with a TLS server implemented using mbedTLS, listening for commands. It supports two modes: a connect-back mode where it acts as a TLS client to download files, and a debug mode for on-the-fly configuration changes. The malware's configuration is embedded within the ELF image and obfuscated.

Once active, PolarEdge can perform actions such as cleaning log files, terminating suspicious processes, and downloading additional payloads. It also exhibits persistence mechanisms, with a child process monitoring the parent process and relaunching the backdoor if it disappears.

To evade detection, PolarEdge employs several anti-analysis techniques. During initialization, it uses process masquerading, randomly selecting names from a predefined list such as , , , and .
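The two behaviours described above, a renamed process and a child that watches and relaunches its parent, both leave traces in /proc on Linux that a defender can check without knowing the malware's chosen names. The script below is an added example for this article, not code from the researchers or the vendors named; it flags processes whose displayed name (/proc/PID/comm, which a program can rewrite with prctl(PR_SET_NAME)) does not match the executable /proc/PID/exe points to, and adds context when the binary lives in a scratch directory, has been deleted from disk, or is shared with its parent. The sample process table is constructed for offline demonstration; `read_live_processes()` walks a real /proc.

```python
"""Flag Linux processes whose visible name does not match their executable.

Process masquerading changes the name ps/top display, but /proc/<pid>/exe
still resolves to the real binary, so the two can be compared.  Legitimate
daemons (e.g. kernel threads, some workers) can also trip these checks, so
treat findings as triage leads rather than verdicts.
"""
import os
from dataclasses import dataclass
from typing import Optional

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str  # /proc/<pid>/comm: name shown by ps/top, settable via prctl(PR_SET_NAME)
    exe: str   # readlink(/proc/<pid>/exe): the real binary; "" when unreadable


# Constructed sample, not real process data from any host or report.
SAMPLE = [
    Proc(1, 0, "systemd", "/usr/lib/systemd/systemd"),
    Proc(412, 1, "sshd", "/usr/sbin/sshd"),
    Proc(900, 1, "crond", "/usr/sbin/crond"),
    Proc(1311, 1, "ntpd", "/tmp/.x/e"),          # name borrowed from a real daemon
    Proc(1312, 1311, "ntpd", "/tmp/.x/e"),       # child of 1311, same binary (watchdog)
]


def exe_basename(exe: str) -> str:
    # The kernel appends " (deleted)" to the link when the binary was unlinked after exec.
    return os.path.basename(exe.removesuffix(" (deleted)"))


def name_mismatch(p: Proc) -> Optional[bool]:
    """True when the displayed name cannot have come from the executable's name.
    None when /proc/<pid>/exe was unreadable (kernel threads, missing privilege)."""
    if not p.exe:
        return None
    # comm is truncated to 15 bytes (TASK_COMM_LEN - 1), so compare that prefix only.
    return exe_basename(p.exe)[:15] != p.comm


def find_suspicious(procs):
    """Return {pid: [reasons]} for processes worth a closer look."""
    by_pid = {p.pid: p for p in procs}
    findings = {}
    for p in procs:
        reasons = []
        if name_mismatch(p):
            reasons.append(f"comm {p.comm!r} != exe basename {exe_basename(p.exe)!r}")
        if p.exe.startswith(SCRATCH_DIRS):
            reasons.append("executable lives in a scratch directory")
        if p.exe.endswith(" (deleted)"):
            reasons.append("executable was deleted from disk after exec")
        parent = by_pid.get(p.ppid)
        # Only mention a shared parent binary as context for an already-flagged process;
        # master/worker daemons do this legitimately all the time.
        if reasons and parent and parent.pid != 1 and parent.exe == p.exe:
            reasons.append(f"same binary as parent pid {parent.pid} (watchdog/relaunch pattern)")
        if reasons:
            findings[p.pid] = reasons
    return findings


def read_live_processes():
    """Build the process table from /proc (Linux only; needs root to read every exe link)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().rstrip("\n")
            with open(f"/proc/{pid}/stat") as f:
                # "pid (comm) state ppid ..." -- comm may contain spaces, so split after the last ')'
                ppid = int(f.read().rsplit(")", 1)[1].split()[1])
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""
        except OSError:
            continue  # process exited or is unreadable
        procs.append(Proc(pid, ppid, comm, exe))
    return procs


if __name__ == "__main__":
    table = read_live_processes() if os.path.isdir("/proc") else SAMPLE
    for pid, reasons in sorted(find_suspicious(table).items()):
        print(pid, "; ".join(reasons))
```

On the constructed sample, pids 1311 and 1312 are reported (name/exe mismatch, scratch-directory binary, and for 1312 the shared parent binary), while systemd, sshd and crond are not. On a real host, run it as root so every /proc/PID/exe link is readable; unreadable links are reported as unknown rather than as mismatches.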

Widespread Impact and Unknown Objectives

While the initial exploitation targeted Cisco devices, further analysis revealed similar PolarEdge payloads affecting ASUS, QNAP, and Synology routers. The botnet is estimated to have compromised over 2,000 unique IP addresses globally. The majority of detected infections are in the United States, but the botnet appears particularly prevalent in Asia and South America.

The ultimate purpose of the PolarEdge botnet remains undetermined. Researchers speculate it could be used to transform compromised devices into Operational Relay Boxes (ORBs) for launching offensive cyberattacks, or for other common botnet activities like Distributed Denial of Service (DDoS) attacks, setting up residential proxies, or distributing malware.

The complexity of the payloads and the exploitation of multiple vulnerabilities across different device types indicate a sophisticated and well-coordinated operation conducted by skilled threat actors, making PolarEdge a significant cyber threat.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • PolarEdge Targets Cisco, ASUS, QNAP, Synology Routers in Expanding Botnet Campaign, The Hacker News.

  • Cisco, ASUS, QNAP, and Synology devices hijacked to major botnet, TechRadar.

  • PolarEdge Botnet Exploits Cisco and Other Flaws to Hijack ASUS, QNAP, and Synology Devices, The Hacker News.
