{
	"id": "055e9720-f8e6-4b24-b14c-c59fcf222a57",
	"created_at": "2026-04-06T00:06:29.337591Z",
	"updated_at": "2026-04-10T13:12:38.013837Z",
	"deleted_at": null,
	"sha1_hash": "f8fe36cdd0e671c519dd289a674e7db3e12e9fa1",
	"title": "Smoking Gun Uncovered: RPX Relay at PolarEdge’s Core Exposed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3310407,
	"plain_text": "Smoking Gun Uncovered: RPX Relay at PolarEdge’s Core\r\nExposed\r\nBy Alex.Turing\r\nPublished: 2025-10-29 · Archived: 2026-04-05 21:53:09 UTC\r\nBackground\r\nOn May 30, 2025, XLab's Cyber Threat Insight and Analysis System(CTIA) detected IP address\r\n111.119.223.196 distributing an ELF file named \"w\". The AI detection module flagged the file as PolarEdge-related, yet it returned zero positive hits on VirusTotal—sparking speculation that PolarEdge might have quietly\r\nlaunched a new wave of operations. Curious to verify this, we launched an in-depth investigation. Through\r\ntargeted correlation analysis, we uncovered RPX_Client , a component never before documented publicly. Its core\r\nfunctions include onboarding compromised devices into the proxy pool of designated C2 nodes, providing proxy\r\nservices, and enabling remote command execution.\r\nPolarEdge was first disclosed by Sekoia on February 25, 2025. It exploits vulnerable IoT/edge devices and\r\npurchased VPS to build an Operational Relay Box (ORB) network for cybercrime support. Functionally akin to\r\nresidential proxies, ORB focuses on long-term stealth and traffic obfuscation—a classic infrastructure-as-a-service\r\nmalware.\r\nORB excels at evasion, source hiding, and attribution complexity, making it favored by APT actors and a 2025\r\ncybersecurity hotspot. Mandiant even coined \"As the ORBs rise, the IOC goes extinct\" arguing ORBs undermine\r\ntraditional indicators in detection and attribution.\r\nIn August/September 2025, Censys published two PolarEdge reports, using certificate links to analyze\r\ninfrastructure. Their September 23 report revealed RPX_SERVER, a reverse-proxy gateway. 
Confidence in tying\r\nit to PolarEdge waned after learning the certificates were from legacy Mbed TLS 3.4.0 (formerly PolarSSL).\r\nCensys Note:\r\n\"We were recently informed by a community member that the certificate highlighted in earlier versions\r\nof this research is also present in older versions of Mbed TLS, version 3.4.0, previously known as\r\nPolarSSL. Additionally, the TLS certificate we had associated with the “PolarEdge” malware also\r\noriginates from the same Mbed TLS repository. This new context reduces the confidence of the\r\nevidence linking the exposure footprint or the RPX server we analyzed directly to PolarEdge.\"\r\nHowever, from Xlab’s perspective, we have high confidence in attributing the PolarSSL test certificate\r\ninfrastructure and RPX_Server mentioned in Censys’ original report to PolarEdge. This judgment is primarily\r\nbased on unique intelligence from the captured RPX_Client sample, with the following specific evidence:\r\nThe coding style of the scripts spreading RPX_Client, along with the ELF sample w, exhibits clear\r\nhomology with known PolarEdge samples.\r\nhttps://blog.xlab.qianxin.com/smoking-gun-uncovered-rpx-relay-at-polaredges-core-exposed/\r\nPage 1 of 20\n\nRPX_Client and RPX_Server are highly complementary in functionality — as their names suggest, they\r\nform a classic client-server relationship.\r\nA database from one RPX_Server contains records of RPX_Client distribution via 111.119.223.196.\r\nSome servers using PolarSSL test certificates correctly handle RPX_Client requests and are confirmed to\r\nhost RPX_Server instances.\r\nThe successive discoveries of RPX_Server and RPX_Client have enabled us to delve deeper into PolarEdge’s\r\nrelay operations and infrastructure. 
The results are promising:\r\nOperationally, we have gradually clarified how PolarEdge leverages RPX_Server, Go-Admin, and Nginx\r\nfor node management and traffic distribution.\r\nInfrastructurally, we have identified 140 C2 servers and uncovered over 25,000 infected devices.\r\nHowever, we must acknowledge that no single vendor has complete visibility — thorough threat analysis\r\ninevitably requires broad industry collaboration. To advance research on the PolarEdge ORB network, we are\r\npublishing these findings to the community, hoping that the combined efforts of Sekoia, Censys, and Xlab will\r\nlay a foundation for deeper future exploration of PolarEdge.\r\n1: Infrastructure \u0026 Scale\r\nRPX Server: 140 VPS Nodes\r\nWe captured 10 RPX Server IPs across different periods via script q. All use port 55555 and share the same\r\npublic PolarSSL test certificate.\r\nUsing the pattern certificate + port 55555, we identified 161 candidate IPs. After validating with the reverse-engineered communication protocol, 140 were confirmed as active RPX Servers.\r\nThese 140 servers exhibit interesting characteristics: they are all VPS nodes, concentrated in ASNs 45102, 37963,\r\nand 132203, and hosted on Alibaba Cloud and Tencent Cloud.\r\nReverse engineering also revealed an API that exports proxy pool nodes into Clash configuration files, enabling\r\nuse by attackers or specific campaigns.\r\nRPX Client: 25,000+ Infected Devices\r\nThrough technical means, we obtained partial RPX_Client datasets. 
The data includes fields such as IP, brand,\r\ncreatedAt, and onlineTime, enabling in-depth analysis of PolarEdge RPX across multiple dimensions: infection\r\nscale, geographic distribution, and device types.\r\n# RPX Client Data Example\r\n{\r\n \"id\": 4,\r\n \"uuid\": \"6cee47cf79f94dc4bf2b867028fc{mask}\",\r\n \"ip\": \"12x.18x.18x.23x\",\r\n \"onlineTime\": \"2025-10-16T14:34:27+08:00\",\r\n \"antiConnTotal\": \"0\",\r\n \"antiConnNum\": \"0\",\r\n \"antiConnState\": \"1\",\r\n \"antiConnTime\": \"0001-01-01T00:00:00Z\",\r\n \"brand\": \"ktcctv_1\",\r\n \"version\": \"0.0.13\",\r\n \"heartbeat_time\": \"60\",\r\n \"no_response_num\": \"1\",\r\n ...\r\n \"createdAt\": \"2025-10-16T14:34:13+08:00\",\r\n \"updatedAt\": \"2025-10-20T13:08:04+08:00\",\r\n \"createBy\": 0,\r\n \"updateBy\": 0\r\n}\r\nStatistics show that since July 2024, over 25,000 IPs have been cumulatively infected, with the infection scale\r\nshowing a sustained upward trend.\r\nInfected devices are distributed across 40 countries and regions, primarily concentrated in Southeast Asia and\r\nNorth America.\r\nThe top 10 countries are: South Korea 41.97%, China 20.35%, Thailand 8.37%, Malaysia 5.98%, India 3.79%,\r\nIsrael 3.73%, USA 3.69%, Vietnam 2.56%, Indonesia 2.12%, Russia 1.19%.\r\nRPX_Client uses the brand field when reporting to the server to identify device grouping or type. 
The primary\r\ninfected devices are ktcctv and tvt, accounting for over 90%.\r\nBelow is the mapping of group strings to real device types.\r\nGroup | Device\r\nktcctv | KT CCTV\r\ntvt | Shenzhen TVT DVR\r\ncyberoam | Cyberoam UTM\r\nfh | unknown\r\nasus | Asus Router\r\ndraytek | DrayTek Router\r\nrv340 | Cisco RV340 VPN Router\r\ndlink | D-Link Router\r\nuniv | Uniview Webcam\r\n2: Timeline \u0026 Attribution\r\nCapture Timeline of New Scripts\r\nApril 27, 2025: Attackers exploited CVE-2023-20118 via 111.119.223.196 to spread a script named s.\r\nDue to network issues, the script was not captured.\r\nMay 30, 2025: IP 111.119.223.196 distributed an ELF file w at 111.119.223.196:51715/w. This file was\r\nfirst seen on December 25, 2023, spread by 82.118.22.155. Analysis of 82’s activity revealed a clear chain:\r\nscript a → w → script q.\r\nInspired by this, we proactively monitored 111.119.223.196:51715/q in Xlab’s Payload system.\r\nJune 2, 2025: Successfully captured script q, which delivered the core subject of this research —\r\nrpx_client. Notably, IP 111 provided intermittent downloads; q was not persistently available.\r\nAttribution to PolarEdge\r\nRole of 82.118.22.155\r\nVirusTotal shows 82.118.22.155 spread shell script a and ELF w in December 2023, marking it as a likely\r\ndownloader server. PDNS records reveal domain beastdositadvtofm[.]site resolved to this IP during the same\r\nperiod. Its CNAME chained to jurgencindy.asuscomm.com — the same host pointed to by Sekoia-disclosed C2s\r\nicecreand[.]cc and centrequ[.]cc. 
These strong links confidently tie the domain and IP to PolarEdge\r\ninfrastructure.\r\nRecently, while cataloging PolarEdge samples, we found conclusive evidence: both the domain and IP appear in\r\nthe decrypted C2 config of PolarEdge backdoor sample 3e5e99b77012206d4d4469e84c767e6b. Thus,\r\n82.118.22.155 was PolarEdge infrastructure in December 2023; samples a and w were likely used to fetch\r\nPolarEdge payloads. Both of them were developed by the PolarEdge group and exhibit attribution-worthy traits.\r\nELF Sample Similarity\r\nThe new w includes two unencrypted sections: xxxx and cccc. Known PolarEdge samples use encrypted sections\r\ninit_text and init_rodata. Despite encryption differences, the addition of custom sections reflects consistent\r\ndesign philosophy.\r\nCrucially, w’s parameter strings and HTTP fields (e.g., Host, User-Agent) are highly distinctive and share clear\r\nhomology with PolarEdge backdoors. We assess w as a stripped connect-back module from the PolarEdge\r\ncore, dedicated to payload retrieval. This is reinforced by its sole supported mode \"curk\" — likely a misspelling\r\n(or playful nod) to curl, underscoring its role as a downloader.\r\nScript Similarity\r\nBoth 111.119.223.196 and 82.118.22.155 spread w, and their propagation scripts are nearly identical in style and\r\nstructure.\r\nSo we confirm that IP 111.119.223.196 is PolarEdge infrastructure. The RPX_Client sample, spread via scripts\r\nq and w in this campaign, is attributed to PolarEdge and represents the first identified relay component of this\r\nthreat.\r\n3: Technical Analysis\r\nFunctionality of Script q\r\nWe captured a total of 11 script q variants with distinct hashes. Despite the use of obfuscation, analysis was\r\nstraightforward. 
All variants share nearly identical functionality: their purpose is to download and execute the\r\nRPX component, differing only in the C2 address.\r\nDownload wget.tar\r\nUses w to download wget.tar. Note the parameters of w: m indicates mode, h is the remote host, e is the port, f is\r\nthe local path, and q is the remote path.\r\nThe wget.tar archive contains two files: rpx and rpx.sh. Among them, rpx is the core analysis subject of this\r\narticle, i.e., rpx_client; while rpx.sh is a persistence script. By executing the command echo \"/bin/sh /mnt/mtd/rpx.sh \u0026\" \u003e\u003e /etc/init.d/rcS, it injects rpx.sh into the rcS initialization script, thereby achieving\r\npersistent residency.\r\nLaunch RPX Core Component\r\nrpx adds the compromised device to the ORB network. Its first parameter is the control node IP, the second is the\r\nport, and the third is brand, likely indicating grouping. Across the 11 q scripts, we collected 10 unique control\r\nnode IPs, all using port 55555.\r\nRPX System Deep Dive\r\nRPX Server Node\r\nRPX server nodes typically run four core services: RPX_Server, Nginx, Go-Admin, and Go-Shadowsocks. Among\r\nthem, RPX_Server and the customized Go-Admin are key PolarEdge components — RPX_Server acts as the\r\nworker node, handling actual proxy services; Go-Admin serves as the administrator node, managing node\r\nregistration, session validation, command distribution, and Clash configuration export for third-party use. 
Nginx\r\noperates in reverse proxy mode, forwarding traffic from port 19999 to the Go-Admin service, while Go-Shadowsocks is dedicated to providing Shadowsocks proxy service.\r\nThese services produce distinct network fingerprints:\r\nService | Port(s) | Certificate Fingerprint / Trait\r\nNginx | 19999 | Fixed self-signed cert: 3f00058448b8f7e9a296d0cdf6567ceb23895345eae39d472350a27b24efe999\r\nRPX_Server | 55555, 55557, 55558 | Fixed self-signed cert: e234e102cd8de90e258906d253157aeb7699a3c6df0c4e79e05d01801999dcb5\r\nGo-Admin | 55560 | Dynamic self-signed cert with O = null, CN = null, serial 123456\r\nRPX Server\r\nIn brief, RPX Server is a reverse-connection proxy gateway. Its core mechanism: it does not connect directly to\r\nthe target, but instead schedules a registered proxy node to connect to the target, which then establishes a reverse\r\nconnection back to a dynamically allocated temporary port on the gateway. Traffic between the client and target\r\nis transparently bridged on this port.\r\nThis is demonstrated in a live test: we ran RPX_Client on a Japan test host 45.x.x.8 and registered it with RPX\r\nServer node 8.216.14.9. Then, from a local machine, we connected a go-shadowsocks client to this control node\r\nand queried the exit IP via ipinfo.io.\r\nAlthough go-shadowsocks logs show the path as\r\nLocal proxy ←→ RPX Server ←→ ipinfo.io,\r\nthe actual IP returned by curl --socks5 reveals the true full path:\r\nLocal proxy ←→ RPX Server ←→ RPX Client (45.x.x.8) ←→ ipinfo.io. In real-world attacks, this multi-hop\r\ndesign effectively conceals the attack source.\r\nThe server accepts two runtime parameters: the first is the port for interacting with RPX_Client, and the second is\r\nthe base port for proxy services, which enables three protocols — SOCKS5 on the base port, SOCKS5 over TLS\r\non base+1, and Trojan on base+2. 
Observed values are 55555 and 55556, respectively. Implementation details of\r\nRPX Server have been thoroughly covered in Censys reports; this article does not repeat them, and interested\r\nreaders are encouraged to consult those publications.\r\nRPX Client\r\nWe captured a total of 4 RPX_Client samples: three from IP 111.119.223.196 (all ARM architecture) and one from\r\nVirusTotal (MIPS architecture), indicating additional distribution channels in the wild. All four samples are\r\nversion 0.0.13, which, according to current statistics, is the dominant version in active use.\r\nAmong the 4 samples, 7fa5fb15098efdf76e4c016e2e17bb38 stands out because it prints debug information to\r\nthe console at runtime. We selected it as the primary analysis target. Its basic details are as follows:\r\nMD5: 7fa5fb15098efdf76e4c016e2e17bb38\r\nMAGIC: ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, stripped\r\nPACKER: None\r\nRPX_Client acts as a jumpserver in the ORB — confirmed by leaked source paths and runtime logs.\r\nIts functional design is relatively straightforward. After compromising the target device, the program first\r\ndisguises its process name as connect_server and uses the PID file /tmp/.msc to enforce single-instance\r\nexecution, preventing duplicate startups. It then attempts to read the global configuration file .fccq to obtain key\r\nparameters such as the C2 server address, communication port, device UUID, and brand information. 
If the\r\nconfiguration file does not exist, it encrypts the runtime-passed parameters and saves them to .fccq for\r\nsubsequent use.\r\nAfter completing configuration initialization, RPX_Client establishes two independent network connections to the\r\nC2 server for different tasks:\r\nOne connects to the port specified by the PORT parameter (listened by RPX_Server) for node registration\r\nand traffic proxying\r\nThe other connects to the fixed port 55560 (listened by go-admin) for remote command execution\r\nDecrypting .fccq Config\r\nOn first run, RPX_Client encrypts the parameters and saves them to the .fccq file in the same directory using\r\nsingle-byte XOR with 0x25. A real-world example of the generated config, when decrypted, contains the fields\r\nUUID, C2, PORT, BRAND, version.\r\nPort 55555: Registration \u0026 Proxy\r\nWhen RPX_Client first joins the network, it must obtain a server-generated UUID as its identity. The network\r\ninteraction flow is as follows:\r\n1. Bot → C2: 33 bytes → flag(1 byte) + uuid(32 bytes)\r\n2. Bot → C2: 32 bytes → brand(16 bytes) + version(16 bytes)\r\n3. C2 → Bot: 33 bytes → flag(1 byte) + uuid(32 bytes)\r\nWhen the flag in the C2 response is 0x01, it indicates UUID acceptance; the bot saves this UUID to the\r\nconfig file for future use.\r\nIt then awaits further C2 commands to provide proxy services. The command structure is:\r\nstruct Protocol\r\n{\r\n uint16_t magic;\r\n uint16_t port;\r\n uint16_t dst_port;\r\n uint16_t dest_length;\r\n char destination[256];\r\n};\r\nThe magic field defines the bot’s function, with possible values: 0x11, 0x12, 0x16.\r\nOur Xlab command tracking system emulates this protocol. 
Statistics show no specific targeting — traffic is\r\nmostly to QQ, WeChat, Google, and Cloudflare.\r\nPort 55560: Remote Command Execution\r\nRPX_Client connects to the server’s port 55560, sends its UUID to authenticate, and receives remote commands.\r\nThe interaction flow is:\r\n1. Bot → C2: 11 bytes, fixed string \"xa2axasexqx\"\r\n2. Bot → C2: 32 bytes, UUID\r\n3. C2 → Bot: 4 bytes, command payload length\r\n4. C2 → Bot: command payload, specified by the \"cmd\" field\r\nBeyond standard system commands, the sample includes two special built-in commands:\r\nchange_pub_ip – updates the C2 server address\r\nupdate_vps – performs sample self-upgrade\r\nLeveraging UUID-based authentication and remote command execution, PolarEdge operators achieve fine-grained control and flexible scheduling of proxy nodes — enabling on-demand task reassignment, role\r\nswitching, or rapid migration of the entire proxy pool to a new C2 when one is exposed.\r\nWhile our command tracking system currently only captures simple heartbeat commands like echo hello,\r\nserver logs clearly show real executions of change_pub_ip.\r\nAdditionally, logs contain commands tied to 111.119.223.196, confirming it not only served as a download server\r\nbut also as a reverse shell C2 — providing definitive proof that this IP is PolarEdge infrastructure and validating\r\nour initial assessment at the start of this report.\r\nSummary\r\nOur analysis of the RPX system concludes here with the key findings to date. RPX_Client offers a glimpse into\r\nPolarEdge’s relay mechanism, while RPX_Server and Go-Admin reveal—for the first time—the management\r\ntools and infrastructure behind this threat. 
In this architecture, a vast pool of compromised IoT devices serves as\r\nproxy nodes, complemented by server nodes built on inexpensive VPS, forming two robust barriers that provide\r\nattackers with effective cover and greatly increase the difficulty of tracking by security personnel.\r\nDue to limited visibility, the specific connections and interactions between PolarEdge backdoor samples and the\r\nRPX system remain an open question. We sincerely welcome industry peers with additional information to share\r\ntheir insights and jointly advance the understanding and defense against such threats.\r\nIf you are interested in our research or have clues related to PolarEdge, please feel free to contact us via the X\r\nplatform.\r\nIOC\r\nPolarEdge RPX C2\r\n# From q script\r\n47[.79.7.193 United States|Virginia|Ashburn AS45102|Alibaba Cloud\r\n47[.236.38.206 United States|None|None AS45102|Alibaba Cloud\r\n47[.236.230.216 United States|None|None AS45102|Alibaba Cloud\r\n47[.237.26.232 United States|None|None AS45102|Alibaba Cloud\r\n47[.237.70.132 United States|None|None AS45102|Alibaba Cloud\r\n47[.76.214.52 China|Hongkong|Hongkong AS45102|Alibaba Cloud\r\n43[.128.226.160 Japan|Tokyo|Tokyo AS132203|Tencent\r\n129[.226.216.242 Singapore|Singapore|Singapore AS132203|Tencent\r\n8[.211.172.183 Japan|Tokyo|Tokyo AS45102|Alibaba Cloud\r\n159[.138.90.5 Singapore|Singapore|Singapore AS136907|HUAWEI\r\n# From Hunter\r\n8[.219.214.27 AS45102 Alibaba (US) Technology Co., Ltd.\r\n8[.153.163.19 AS37963 Hangzhou Alibaba Advertising Co.,Ltd.\r\n8[.153.205.139 AS37963 Hangzhou Alibaba Advertising Co.,Ltd.\r\n8[.153.207.128 AS37963 Hangzhou Alibaba Advertising Co.,Ltd.\r\n8[.159.129.39 AS37963 Hangzhou Alibaba Advertising Co.,Ltd.\r\n8[.159.130.12 AS37963 Hangzhou Alibaba Advertising Co.,Ltd.\r\n8[.159.135.220 AS37963 Hangzhou Alibaba Advertising Co.,Ltd.\r\n8[.159.136.155 
AS37963 Hangzhou Alibaba Advertising Co.,Ltd.\r\n8[.159.139.71 AS37963 Hangzhou Alibaba Advertising Co.,Ltd.\r\n8[.216.14.9 AS45102 Alibaba (US) Technology Co., Ltd.\r\nPolarEdge Backdoor C2\r\nbeastdositadvtofm[.site\r\nmissionim[.cc\r\nicecreand[.cc\r\ncentrequ[.cc\r\nDownloader\r\n82[.118.22.155 Poland|Pomorskie|Gdansk AS204957|GREEN FLOID LLC\r\n111[.119.223.196 Singapore|Singapore|Singapore AS136907 HUAWEI CLOUDS|\r\nRPX Sample\r\n# Script q\r\n96b3be4cf3ad232ca456f343f468da0e\r\n# RPX Server\r\n1fb2dfb09a31f0e8c63cc83283532f06\r\n# RPX Client\r\n7fa5fb15098efdf76e4c016e2e17bb38\r\n571088182ed7e33d986b3aa2c51efd27\r\nCertificates\r\n# 3f00058448b8f7e9a296d0cdf6567ceb23895345eae39d472350a27b24efe999\r\n-----BEGIN CERTIFICATE-----\r\nMIIFmTCCBIGgAwIBAgIQA/0Ssnj2KNvPpAAwE8RHPTANBgkqhkiG9w0BAQsFADBu\r\nMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\r\nd3cuZGlnaWNlcnQuY29tMS0wKwYDVQQDEyRFbmNyeXB0aW9uIEV2ZXJ5d2hlcmUg\r\nRFYgVExTIENBIC0gRzEwHhcNMTgxMTI3MDAwMDAwWhcNMTkxMTI3MTIwMDAwWjAd\r\nMRswGQYDVQQDExJ3d3cubGVhcm5pbmdydGMuY24wggEiMA0GCSqGSIb3DQEBAQUA\r\nA4IBDwAwggEKAoIBAQCAQKsFEj2H8QTVCEtAEjGp5kUAWHihsCbuMYhHdAxSKYfF\r\nHldJGaRUpuQwxAte1k8b++C9rxKZRJJt05O85deMvdwF63yBG5DazGXKkwMluRrA\r\n/KsZy3lPj3uinSO8sLFfoTcsk57wAXbZtVFgvmgxAXFlX7Vx9MNgYMdko+jAltCa\r\n3CkmScqcPd/aOnjx4naz7k3Jl1AHY7jxIaRGLBd+aixOZw2CJdHjpYi++GRtVBIo\r\nw5ki3WVm1lensHo3GWVjUP5rIbsttpbpja2V0Uy5es1Gcrmkp9e4BUTyopJkGqrA\r\nF2uWZxZB8CcJkFceOUfCY3v5MWH311BwBaZ+GngBAgMBAAGjggKCMIICfjAfBgNV\r\nHSMEGDAWgBRVdE+yck/1YLpQ0dfmUVyaAYca1zAdBgNVHQ4EFgQUGCuoNOqYS8DF\r\n1dd4XIP/YilDUJEwLQYDVR0RBCYwJIISd3d3LmxlYXJuaW5ncnRjLmNugg5sZWFy\r\nbmluZ3J0Yy5jbjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG\r\nCCsGAQUFBwMCMEwGA1UdIARFMEMwNwYJYIZIAYb9bAECMCowKAYIKwYBBQUHAgEW\r\nHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQIBMH0GCCsGAQUF\r\nBwEBBHEwbzAhBggrBgEFBQcwAYYVaHR0cDovL29jc3AuZGNvY3NwLmN
uMEoGCCsG\r\nAQUFBzAChj5odHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRW5jcnlwdGlvbkV2\r\nZXJ5d2hlcmVEVlRMU0NBLUcxLmNydDAJBgNVHRMEAjAAMIIBBAYKKwYBBAHWeQIE\r\nAgSB9QSB8gDwAHUAu9nfvB+KcbWTlCOXqpJ7RzhXlQqrUugakJZkNo4e0YUAAAFn\r\nVArhKwAABAMARjBEAiBYzdYfv9uZCl7ItYugZ8rKwBdkl64L3Bo4hMyM2oLPdAIg\r\nOOy3aJnqp31jGrtIG5u6hPfAWNkiBPfGQCEDeBsRhaYAdwCHdb/nWXz4jEOZX73z\r\nbv9WjUdWNv9KtWDBtOr/XqCDDwAAAWdUCuH+AAAEAwBIMEYCIQD4eai+g9Dx4ZhW\r\nh8+VDwRjrspTNycWeg0ehjf+p5NwBAIhAPQpUvUrdJp/KqLKz4TNnyJtU0ezPZdY\r\nXGQVeYtwkDOQMA0GCSqGSIb3DQEBCwUAA4IBAQAZwr2CFBCmPw4H16UpsbEK4Wie\r\nldbsrBhRMX2bH47Sr2CQvAJLm2MODVDi7XtF1ZR1XmLQOiKsHNVXveDq5UJomWIn\r\nNDkXxYPNMQzVB6WLxO9HZsM302CIrE4ds9PUWWZ8wVtyv6o/nqczu+uuyX0Vs0/J\r\ndclkw7r3TntrPwgTj/3dCSBchdT33vdTGjnyc9Hz7gN0aU8Ksnzf7Vxm53lmk4t1\r\naHKYUDQtPle5MKNgg88fjCsrfMZAfpcR3GKfCSa3I4f4vhvsg2ap4fJsXKjHtOLN\r\n8qfw7B8Qm5/PpsRzYHB+WEPkfwIKxR9gIifQEbNnSSCCl3GJVqH4c1HJcb1z\r\n-----END CERTIFICATE-----\r\n# e234e102cd8de90e258906d253157aeb7699a3c6df0c4e79e05d01801999dcb5\r\n-----BEGIN CERTIFICATE-----\r\nMIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\nA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\nMTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G\r\nA1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG\r\nCCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA\r\n2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd\r\nBgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB\r\nPyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh\r\nclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG\r\nCCqGSM49BAMCA2gAMGUCMQCaLFzXptui5WQN8LlO3ddh1hMxx6tzgLvT03MTVK2S\r\nC12r0Lz3ri/moSEpNZWqPjkCMCE2f53GXcYLqyfyJR078c/xNSUU5+Xxl7VZ414V\r\nfGa5kHvHARBPc8YAIVIqDvHH1Q==\r\n-----END 
CERTIFICATE-----\r\nReference\r\nSekoia\r\nhttps://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/\r\nhttps://blog.sekoia.io/polaredge-backdoor-qnap-cve-2023-20118-analysis/\r\nCensys\r\nhttps://censys.com/blog/2025-state-of-the-internet-digging-into-residential-proxy-infrastructure\r\nMandiant\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks\r\nSource: https://blog.xlab.qianxin.com/smoking-gun-uncovered-rpx-relay-at-polaredges-core-exposed/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.xlab.qianxin.com/smoking-gun-uncovered-rpx-relay-at-polaredges-core-exposed/"
	],
	"report_names": [
		"smoking-gun-uncovered-rpx-relay-at-polaredges-core-exposed"
	],
	"threat_actors": [
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433989,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8fe36cdd0e671c519dd289a674e7db3e12e9fa1.pdf",
		"text": "https://archive.orkl.eu/f8fe36cdd0e671c519dd289a674e7db3e12e9fa1.txt",
		"img": "https://archive.orkl.eu/f8fe36cdd0e671c519dd289a674e7db3e12e9fa1.jpg"
	}
}