
PolarEdge Targets Cisco, ASUS, QNAP, Synology Routers in Expanding Botnet Campaign

Medium
Malware
Published: Tue Oct 21 2025 (10/21/2025, 13:47:00 UTC)
Source: The Hacker News

Description

Cybersecurity researchers have shed light on the inner workings of a botnet malware called PolarEdge. PolarEdge was first documented by Sekoia in February 2025, attributing it to a campaign targeting routers from Cisco, ASUS, QNAP, and Synology with the goal of corralling them into a network for an as-yet-undetermined purpose. The TLS-based ELF implant, at its core, is designed to monitor

AI-Powered Analysis

Last updated: 10/22/2025, 01:30:25 UTC

Technical Analysis

PolarEdge is a sophisticated botnet malware targeting routers from major vendors including Cisco, ASUS, QNAP, and Synology. Initially identified by Sekoia in February 2025, it exploits known vulnerabilities such as CVE-2023-20118 in Cisco routers to gain initial access, downloading and executing a shell script that installs the PolarEdge backdoor. The backdoor is a TLS-based ELF implant that functions primarily as a TLS server implemented with mbedTLS v2.8.0; it sends a unique host fingerprint to its command-and-control (C2) server and awaits commands.

It supports two operational modes: a connect-back mode, in which it acts as a TLS client to download files, and a debug mode that allows interactive configuration changes. Commands are carried over a custom binary protocol whose parameters (such as "HasCommand") indicate when a command received from the C2 server should be executed; the raw output is returned to the attacker.

To evade detection, PolarEdge masquerades its process by randomly selecting a name from a list of legitimate system services, and it uses a child process to monitor and relaunch the backdoor if it is terminated, although this does not give it persistence across a device reboot. The malware also deletes certain files and moves utilities such as wget and curl, possibly to remain stealthy or to prepare the environment for further exploitation.

The botnet infrastructure resembles an Operational Relay Box (ORB) network, suggesting the compromised devices may be used as proxies or relays, potentially to anonymize malicious traffic or for other undisclosed purposes. The campaign has been active since at least mid-2023, with increasing activity noted in 2025. Beyond the initial vulnerability exploitation, no further exploits have been observed in the wild, but the malware's capabilities and stealth techniques pose a significant threat to network security and device integrity.

Potential Impact

For European organizations, the PolarEdge botnet campaign presents multiple risks. Compromised routers can serve as entry points for lateral movement within corporate networks, enabling attackers to intercept, manipulate, or redirect sensitive data, undermining confidentiality and integrity. The use of infected routers as proxies or relays can facilitate further malicious activities such as anonymized command-and-control communications or distributed denial-of-service (DDoS) attacks, potentially impacting availability. Given the prevalence of Cisco, ASUS, QNAP, and Synology devices in European enterprises, small businesses, and critical infrastructure sectors, the threat could lead to widespread network disruptions and data breaches. The malware’s stealth features complicate detection and remediation, increasing dwell time and risk exposure. Additionally, the exploitation of known vulnerabilities indicates that unpatched or poorly managed devices are particularly vulnerable, emphasizing the importance of timely patch management. The potential for the botnet to be leveraged for future attacks or monetization schemes (e.g., proxy services) further elevates the threat to European digital ecosystems.

Mitigation Recommendations

European organizations should prioritize the following mitigations:

1. Immediate patching and firmware updates for all affected router models, especially addressing CVE-2023-20118 and similar vulnerabilities.
2. Conduct comprehensive network audits to identify and isolate compromised devices, focusing on unusual TLS server activity on routers and unexpected outbound connections.
3. Implement strict network segmentation to limit router access and reduce lateral movement opportunities.
4. Deploy advanced endpoint and network monitoring tools capable of detecting process masquerading and anomalous child process behaviors indicative of PolarEdge's persistence mechanisms.
5. Disable or restrict FTP and other legacy protocols used for malware delivery where possible.
6. Enforce strong authentication and access controls on router management interfaces to prevent unauthorized exploitation.
7. Educate IT staff on the specific indicators of compromise related to PolarEdge, including the presence of suspicious files or renamed system utilities.
8. Collaborate with vendors for threat intelligence sharing and leverage threat hunting to proactively identify infections.
9. Prepare incident response plans tailored to botnet infections involving network infrastructure devices.

These steps go beyond generic advice by focusing on router-specific behaviors and the malware's unique TLS-based command-and-control mechanisms.
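The two network behaviours described in the technical analysis (the implant listening as a TLS server on the router, and its connect-back mode reaching out as a TLS client) are what mitigation step 2 asks auditors to look for. The following is an added example, not code from the article or from Sekoia, that applies those two checks to constructed Zeek-style connection records; the device inventory, expected service ports and outbound allowlist are assumptions a real deployment would replace with its own.

```python
"""Flag router/NAS hosts that behave like the PolarEdge implant: accepting
inbound TLS as a server on a non-management port, or originating outbound
connections that are not on the device's allowlist. Added example; all
inventory values and log records below are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed inventory: infrastructure devices and the ports they may legitimately serve.
INFRA_HOSTS = {"10.0.0.1": "edge-router", "10.0.0.20": "nas-01"}
EXPECTED_SERVER_PORTS = {22, 443, 5000, 5001}
# Assumed allowlist of destinations the devices may reach (internal net, vendor/NTP range).
ALLOWED_OUTBOUND = [ip_network("10.0.0.0/24"), ip_network("192.0.2.0/24")]

# Constructed Zeek-style conn records: (orig_ip, orig_port, resp_ip, resp_port, service)
SAMPLE_CONN = [
    ("10.0.1.55", 51022, "10.0.0.20", 5001, "ssl"),    # admin to NAS web UI: expected
    ("198.51.100.7", 40000, "10.0.0.1", 9443, "ssl"),  # router serving TLS on odd port
    ("10.0.0.1", 47123, "203.0.113.9", 8443, "ssl"),   # router connecting back out
    ("10.0.0.1", 123, "192.0.2.10", 123, "ntp"),       # NTP to allowlisted range: fine
]

def detect(records, infra=INFRA_HOSTS, ports=EXPECTED_SERVER_PORTS, allowed=ALLOWED_OUTBOUND):
    """Return {device_ip: [finding, ...]} for the two behaviours the analysis describes."""
    findings = defaultdict(list)
    for orig, oport, resp, rport, service in records:
        # 1) Infrastructure device acting as a TLS *server* on a port it should not serve.
        if resp in infra and service == "ssl" and rport not in ports:
            findings[resp].append(f"unexpected TLS server on :{rport} from {orig}")
        # 2) Infrastructure device originating a connection outside its allowlist,
        #    which is what the implant's connect-back (TLS client) mode looks like.
        if orig in infra and not any(ip_address(resp) in net for net in allowed):
            findings[orig].append(f"unexpected outbound {service} to {resp}:{rport}")
    return dict(findings)

if __name__ == "__main__":
    for host, notes in detect(SAMPLE_CONN).items():
        print(f"{INFRA_HOSTS[host]} ({host})")
        for note in notes:
            print("  -", note)
```

Only the edge router trips both heuristics in the sample data; the NAS admin session and the NTP traffic pass. Against real logs, tune the port set and allowlist per device class before treating a hit as an indicator.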


Technical Details

Article Source
https://thehackernews.com/2025/10/polaredge-targets-cisco-asus-qnap.html (fetched 2025-10-22T01:29:50Z, 1236 words)

Threat ID: 68f8339087e9a01451fc31c2

Added to database: 10/22/2025, 1:29:52 AM

Last enriched: 10/22/2025, 1:30:25 AM

Last updated: 10/30/2025, 12:03:20 PM

