Smoking Gun Uncovered: RPX Relay at PolarEdge's Core Exposed
Essential information
- Published
- 29/10/2025 18:37
- Modified
- 29/10/2025 20:20
- Tags
- 2025-10-29 CVE-2023-20118 botnet command execution evasion infrastructure iot orb polaredge proxy rpx_client rpx_server vps
- Related entities
- 7 observables, 1 intrusion sets (apt), 11 techniques (mitre), 9 others
Description
A new component of PolarEdge's infrastructure, RPX_Client, has been discovered, revealing insights into the threat actor's relay operations. The investigation uncovered 140 VPS nodes acting as RPX Servers and over 25,000 infected devices serving as RPX Clients. The system uses a multi-hop design to conceal attack sources, with compromised IoT devices and VPS servers forming robust barriers. RPX_Client functions as a jumpserver in the Operational Relay Box (ORB) network, providing proxy services and enabling remote command execution. The analysis also revealed connections between previously known PolarEdge infrastructure and the newly discovered components, confirming the attribution to this threat actor.