PolarEdge Botnet Hits 25K IoT Devices in Major Cyber Campaign
gbhackers
Cybersecurity researchers at XLab have uncovered a sophisticated infrastructure-as-a-service botnet operation called PolarEdge, which has compromised over 25,000 Internet of Things devices and established 140 command-and-control servers through systematic exploitation of vulnerable edge devices.
The newly exposed RPX relay system reveals how threat actors construct operational relay box networks that effectively conceal attack sources and undermine traditional detection methods.
On May 30, 2025, XLab’s Cyber Threat Insight and Analysis System detected IP address 111.119.223.196 distributing an ELF file that initially showed zero detections on VirusTotal, prompting a comprehensive investigation.
Through targeted correlation analysis, researchers discovered RPX_Client, a previously undocumented component responsible for onboarding compromised devices into proxy pools, providing proxy services, and enabling remote command execution.
The investigation revealed that PolarEdge, first disclosed by Sekoia in February 2025, exploits vulnerable IoT and edge devices alongside purchased virtual private servers to build an ...
Copyright of this story solely belongs to gbhackers.

