Operations of the PolarEdge botnet, which was previously observed targeting Asus, QNAP, and Synology routers and resembling an Operational Relay Box network, were found to include functioning as a TLS client for remote file downloads or on-the-fly configuration modifications, The Hacker News reports.

According to Sekoia researchers, executing PolarEdge starts it as a TLS server by default, which delivers a host fingerprint to the command-and-control server and erases some files for a purpose that remains undetermined. PolarEdge then employs multiple anti-analysis techniques to evade detection.

"Although the backdoor does not ensure persistence across reboots, it calls fork to spawn a child process that, every 30 seconds, checks whether /proc/ still exists. If the directory has disappeared, the child executes a shell command to relaunch the backdoor," said researchers.

Such findings follow a Synthient report detailing the transformation of breached devices into SOCKS5 residential proxies using the GhostSocks malware-as-a-service tool.