Smoking Gun Uncovered: RPX Relay at PolarEdge's Core Exposed
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
A new component of PolarEdge's infrastructure, RPX_Client, has been discovered, revealing how the threat actor runs its relay operations. The investigation uncovered 140 VPS nodes acting as RPX Servers and over 25,000 infected devices serving as RPX Clients. The system uses a multi-hop design to conceal attack sources: compromised IoT devices and VPS servers sit as successive layers between the operator and the target, so that each hop only sees its neighbour. RPX_Client functions as a jumpserver in the Operational Relay Box (ORB) network, providing proxy services and enabling remote command execution. The analysis also revealed connections between previously known PolarEdge infrastructure and the newly discovered components, confirming the attribution to this threat actor.
OPENCTI LABELS :
cve-2023-20118,polaredge,vps,orb,proxy,iot,infrastructure,botnet,evasion,command execution,rpx_server,rpx_client
AI COMMENTARY :
1. Executive Summary The report Smoking Gun Uncovered: RPX Relay at PolarEdge's Core Exposed describes a newly identified segment of the threat actor's infrastructure that underpins its relay operations. Building on a publicly known exploit, CVE-2023-20118, as the initial foothold on edge devices, the actor has grown a relay network large enough to warrant close attention from defenders.
2. Discovery of RPX_Client The investigation into PolarEdge's infrastructure led to the identification of a new element named RPX_Client. Analysis revealed over 25,000 infected devices repurposed as jumpservers within the Operational Relay Box network. These clients connect to a network of 140 VPS nodes acting as RPX_Servers. This multi-hop design conceals the true origin of malicious activity, using proxying both for evasion and for delivering commands.
3. Architecture and Operations The relay network is built from compromised IoT devices and virtual private servers arranged in tiers. RPX_Client provides proxy services and accepts remote command execution, which lets the operator task the botnet through the relay. Traffic is routed through successive nodes of the ORB network, so that an analyst or an automated defence sees only the last hop and cannot readily trace the activity back to its source.
4. Attribution and Connections Correlating the newly found components with previously documented PolarEdge infrastructure and operational tactics confirmed the threat actor's involvement. The consistency of techniques across the VPS deployments and the client-side proxies solidifies the attribution to this campaign.
5. Security Implications and Recommendations The emergence of the RPX relay system combines botnet scale with multi-hop evasion. Organizations should prioritize patching known vulnerabilities such as CVE-2023-20118 where a vendor fix exists (the Cisco RV-series routers affected by CVE-2023-20118 are end-of-life and received no fix, so isolating or replacing them is the practical mitigation), harden IoT devices against compromise, and closely monitor outbound traffic from IoT segments to VPS endpoints, since a relay client must hold a persistent connection to its server. Strict network segmentation, which keeps IoT devices from reaching internal hosts or the Internet beyond what they need, and detection tuned to long-lived outbound sessions from those segments will be essential in mitigating the risks posed by this infrastructure.
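One way to act on the monitoring recommendation above, written as an added example rather than code from the report or from the PolarEdge analysis: read Zeek-style connection records, keep only flows from an assumed IoT segment to the Internet, and flag source/destination pairs that either match an assumed relay-server indicator list or show repeated, hour-long outbound sessions, the traffic shape a relay client produces while it keeps its link to an RPX_Server open. The IoT subnet (192.0.2.0/24), the internal network list, the indicator addresses and every log line are constructed for the example and use RFC 5737 documentation addresses; the report publishes no such values.

```python
"""Flag IoT-segment hosts that keep long-lived outbound sessions to one external host.

Added illustration, not from the report. The IoT segment, the internal
network list, the indicator list and the log lines are all constructed
here (RFC 5737 documentation addresses), so the script runs offline.
"""
import ipaddress
from collections import defaultdict

# Assumed local address plan: the IoT VLAN plus the rest of the internal space.
IOT_SEGMENT = ipaddress.ip_network("192.0.2.0/24")
INTERNAL_NETWORKS = [IOT_SEGMENT, ipaddress.ip_network("10.0.0.0/8")]
# Assumed indicator list: VPS addresses an intel feed labelled as relay servers.
KNOWN_RELAY_SERVERS = {"203.0.113.10", "203.0.113.11"}

# Constructed conn records: ts, src, dst, dst_port, proto, duration_seconds
SAMPLE_CONN_LOG = """\
1700000000.1 192.0.2.7 203.0.113.10 443 tcp 3580.2
1700000300.4 192.0.2.7 203.0.113.10 443 tcp 3601.9
1700000600.9 192.0.2.7 203.0.113.10 443 tcp 3590.0
1700000650.0 192.0.2.7 203.0.113.10 443 tcp 3588.3
1700000010.0 192.0.2.9 198.51.100.5 80 tcp 0.4
1700000020.0 192.0.2.9 198.51.100.5 80 tcp 0.3
1700000030.0 192.0.2.12 203.0.113.44 8443 tcp 7200.0
1700000040.0 192.0.2.12 203.0.113.44 8443 tcp 7100.0
1700000050.0 192.0.2.12 203.0.113.44 8443 tcp 7300.0
1700000060.0 192.0.2.15 192.0.2.1 53 udp 0.01
1700000070.0 10.0.5.4 203.0.113.10 443 tcp 12.0
"""


def parse_conn_log(text):
    """Parse whitespace-separated conn records into dicts; skips blanks and comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, dur = line.split()
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto, "duration": float(dur)})
    return records


def is_internal(addr):
    # Explicit list rather than ipaddress.is_private: the documentation ranges
    # used for the constructed sample are themselves marked private by Python.
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def find_relay_candidates(records, min_sessions=3, min_total_duration=3600.0):
    """Return IoT->Internet (src, dst) pairs that look like relay-client links.

    Two independent signals: the destination is on the indicator list, or the
    pair shows at least min_sessions connections whose durations add up to
    min_total_duration seconds or more (a relay client re-establishing its
    long-lived session). Findings are sorted by (src, dst) for stable output.
    """
    stats = defaultdict(lambda: {"sessions": 0, "total_duration": 0.0, "ports": set()})
    for r in records:
        if ipaddress.ip_address(r["src"]) not in IOT_SEGMENT or is_internal(r["dst"]):
            continue  # only flows leaving the IoT segment for the Internet
        s = stats[(r["src"], r["dst"])]
        s["sessions"] += 1
        s["total_duration"] += r["duration"]
        s["ports"].add(r["dport"])

    findings = []
    for (src, dst), s in sorted(stats.items()):
        reasons = []
        if dst in KNOWN_RELAY_SERVERS:
            reasons.append("known relay server")
        if s["sessions"] >= min_sessions and s["total_duration"] >= min_total_duration:
            reasons.append("persistent long-lived outbound sessions")
        if reasons:
            findings.append({"src": src, "dst": dst, "sessions": s["sessions"],
                             "total_duration": round(s["total_duration"], 1),
                             "ports": sorted(s["ports"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_relay_candidates(parse_conn_log(SAMPLE_CONN_LOG)):
        print(finding)
```

On the constructed sample this reports two pairs: 192.0.2.12 talking to 203.0.113.44 on the session-shape signal alone, and 192.0.2.7 talking to 203.0.113.10 on both signals. The short web fetches from 192.0.2.9 and the DNS lookup inside the segment are ignored, as is the non-IoT host 10.0.5.4, which a production version would want to report separately because it contacts an indicator address. The duration and session thresholds are starting points to tune against a baseline of what the IoT segment normally does.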