PolarEdge botnet activity targeting Cisco, ASUS, QNAP, and Synology routers
Malware Activity
Summary
PolarEdge is a botnet malware operation whose updated analysis shows how infected Cisco, ASUS, QNAP, and Synology routers can be turned into remote-control footholds. Observed February 2025 attack chains used CVE-2023-20118 to deliver the implant, raising the risk for exposed router fleets. Once installed, the malware can execute commands and keep TLS-based C2 communication alive on compromised devices.
Related Happenings
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector Action
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
**NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
AVRecon malware for Linux powering SocksEscort proxy network
Malware Activity
First: 12.03.2026 18:19
Last: 12.03.2026 18:19
Sources 1
About this happening:
The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...
KadNap Asus router proxy botnet
Malware Activity
First: 10.03.2026 18:00
Last: 10.03.2026 18:00
Sources 1
About this happening:
**KadNap** is a **proxy botnet** that compromises **Asus routers** and other edge devices, creating a stealth channel for malicious traffic from **over 14,000 infected devices**....
KadNap botnet turns ASUS routers into residential proxies
Malware Activity
First: 10.03.2026 17:01
Last: 10.03.2026 17:01
Sources 1
About this happening:
The **KadNap** botnet is now compromising **ASUS routers** and other edge networking devices, turning them into **residential proxies** that can hide malicious traffic. The networ...
Kimwolf IoT botnet activity disrupting I2P
Malware Activity
First: 11.02.2026 18:08
Last: 11.02.2026 18:08
Sources 1
About this happening:
The **Kimwolf** botnet disrupted **I2P** over the past week after operators tried to join **700,000 infected bots** as nodes, briefly overwhelming the anonymity network and disrup...
Timeline
- 21.10.2025 16:47 · 2 articles · 7mo ago
PolarEdge botnet analysis and router targeting
Initial Disclosure: Researchers described PolarEdge as a botnet malware operation targeting Cisco, ASUS, QNAP, and Synology routers. It was first documented in February 2025, with evidence suggesting activity may have begun as far back as June 2023. Observed February 2025 attack chains used CVE-2023-20118 to fetch a shell script named "q" over FTP and install a TLS-based ELF backdoor. The backdoor sends a host fingerprint to C2, supports connect-back and debug modes, uses mbedTLS v2.8.0, performs process masquerading, deletes or moves files on infected devices, and can relaunch itself if the parent process disappears. Later analysis in August 2025 characterized the infrastructure as consistent with an Operational Relay Box (ORB) network.
- PolarEdge Targets Cisco, ASUS, QNAP, Synology Routers in Expanding Botnet Campaign — thehackernews.com — 21.10.2025 16:47