Beijing-based XLab has unveiled the discovery of RPX_Client, a previously undocumented module linked to the PolarEdge ORB (Operational Relay Box) network, a stealth infrastructure-as-a-service platform that hijacks compromised IoT and edge devices for global proxy operations.
XLab “detected IP address 111.119.223.196 distributing an ELF file named ‘w’. The AI detection module flagged the file as PolarEdge-related, yet it returned zero positive hits on VirusTotal — sparking speculation that PolarEdge might have quietly launched a new wave of operations.”
Further analysis led to the identification of RPX_Client, a malware component responsible for onboarding infected devices into the PolarEdge proxy pool, providing relay services, and executing remote commands.
The file “w,” distributed from the IP address 111.119.223.196, was found to be the initial downloader that fetched a second-stage script known as q. That script, in turn, delivered RPX_Client, marking the first publicly documented relay node in the PolarEdge ecosystem.
XLab’s researchers observed that “both 111.119.223.196 and 82.118.22.155 spread ‘w’, and their propagation scripts are nearly identical in style and structure.”
This pattern — along with infrastructure overlaps tied to domains such as beastdositadvtofm[.]site and jurgencindy.asuscomm.com — enabled attribution to PolarEdge infrastructure.
The report emphasizes that “the RPX_Client sample, spread via scripts ‘q’ and ‘w’ in this campaign, is attributed to PolarEdge and represents the first identified relay component of this threat.”
First disclosed by Sekoia in early 2025, PolarEdge is a modular cybercrime platform that builds an Operational Relay Box (ORB) — a distributed proxy and command network that masks attacker identities and complicates attribution.
As XLab explains, “PolarEdge exploits vulnerable IoT/edge devices and purchased VPS to build an ORB network for cybercrime support. Functionally akin to residential proxies, ORB focuses on long-term stealth and traffic obfuscation — a classic infrastructure-as-a-service malware.”
The new RPX_Client discovery reveals the relay layer that connects compromised devices to RPX_Server nodes. The researchers confirmed that “RPX_Client and RPX_Server are highly complementary in functionality — as their names suggest, they form a classic client-server relationship.”
XLab identified over 25,000 infected devices across 40 countries and regions, primarily located in South Korea (41.97%), China (20.35%), Thailand (8.37%), and the United States (3.69%).
The majority of infected hosts were network video recorders (NVRs) and routers, particularly brands like KT CCTV, Shenzhen TVT, and D-Link.
The command-and-control infrastructure is equally widespread, with 140 active RPX_Server nodes identified on Alibaba Cloud and Tencent Cloud, using the PolarSSL test certificate and listening on port 55555.
The RPX_Client module functions as the relay agent in PolarEdge’s multi-hop proxy architecture.
Once executed, the ELF binary renames its process to connect_server, writes a PID lock file (/tmp/.msc) to enforce single-instance execution, and keeps its configuration XOR-obfuscated. XOR with a static key is obfuscation rather than encryption: once the key is recovered from a sample, the C2 address, port and other parameters can be read directly out of the configuration blob.
XLab explains, “After compromising the target device, the program first disguises its process name as connect_server and uses the PID file /tmp/.msc to enforce single-instance execution… It then attempts to read the global configuration file .fccq to obtain key parameters such as the C2 server address, communication port, device UUID, and brand information.”
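The two host artifacts named above (a process calling itself connect_server and the /tmp/.msc lock file) are cheap to check on a suspect NVR or router. The triage routine below is an added example written for this page, not code from XLab's report, and it runs against a constructed /proc-style tree so it can be exercised offline. It assumes, as the report's wording "PID file" suggests, that /tmp/.msc holds the PID of the running instance; the comm-versus-exe comparison is a general renamed-process check, not something the report describes, and it can produce benign mismatches (interpreters, truncated 15-character comm names), so it is scored as a weaker indicator than the exact name match.

```python
import os
import tempfile

SUSPECT_COMM = "connect_server"   # process name RPX_Client adopts per the report
PID_LOCK = ".msc"                 # /tmp/.msc, the single-instance lock file


def scan_proc(proc_root):
    """Walk a /proc-like tree and flag RPX_Client-looking processes.

    Returns a sorted list of (pid, comm, exe, reasons). Three signals:
    the exact name the report gives; a comm that is not a prefix of the
    exe basename (the kernel truncates comm to 15 chars, so a prefix
    test avoids false mismatches); and an exe that lives in /tmp or has
    been deleted, which is typical of a downloader-dropped binary."""
    hits = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        d = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(d, "comm")) as fh:
                comm = fh.read().strip()
            exe = os.readlink(os.path.join(d, "exe"))
        except OSError:          # kernel threads and unreadable entries
            continue
        exe_base = os.path.basename(exe).replace(" (deleted)", "")
        reasons = []
        if comm == SUSPECT_COMM:
            reasons.append("comm is connect_server")
        if not exe_base.startswith(comm):
            reasons.append("comm/exe mismatch (renamed process, weak signal)")
        if exe.startswith("/tmp/") or exe.endswith(" (deleted)"):
            reasons.append("exe in /tmp or deleted")
        if reasons:
            hits.append((int(pid), comm, exe, reasons))
    return sorted(hits)


def check_pid_lock(tmp_dir, proc_root):
    """Report the lock file and whether the PID it names is still alive."""
    path = os.path.join(tmp_dir, PID_LOCK)
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        raw = fh.read().strip()
    if not raw.isdigit():
        return {"path": path, "pid": None, "live": False}
    return {"path": path, "pid": int(raw),
            "live": os.path.isdir(os.path.join(proc_root, raw))}


def build_fixture(root):
    """Constructed fake /proc and /tmp for the offline demo (not real data)."""
    proc, tmp = os.path.join(root, "proc"), os.path.join(root, "tmp")
    os.makedirs(tmp)
    procs = [(1, "init", "/sbin/init"),
             (77, "sshd", "/usr/sbin/sshd"),
             (4242, "connect_server", "/tmp/w (deleted)")]   # the suspect
    for pid, comm, exe in procs:
        d = os.path.join(proc, str(pid))
        os.makedirs(d)
        with open(os.path.join(d, "comm"), "w") as fh:
            fh.write(comm + "\n")
        os.symlink(exe, os.path.join(d, "exe"))   # /proc/<pid>/exe is a symlink
    with open(os.path.join(tmp, PID_LOCK), "w") as fh:
        fh.write("4242\n")
    return proc, tmp


def demo():
    """Run both checks against the constructed tree; returns (hits, lock)."""
    proc, tmp = build_fixture(tempfile.mkdtemp())
    return scan_proc(proc), check_pid_lock(tmp, proc)


if __name__ == "__main__":
    for hit in demo()[0]:
        print(hit)
    print(demo()[1])
```

On a real device, call `scan_proc("/proc")` and `check_pid_lock("/tmp", "/proc")` as root; a live PID in /tmp/.msc whose /proc entry scores all three reasons is worth pulling for analysis.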
The malware maintains two persistent C2 channels:
- Port 55555: Used for registration and proxy services.
- Port 55560: Dedicated to remote command execution, including updates (update_vps) and C2 switching (change_pub_ip).
These capabilities allow attackers to remotely migrate entire proxy clusters or reassign tasks dynamically — a key feature of the ORB’s resilience.
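Taken together, the two fixed ports, the long-lived outbound sessions a relay node must hold open, and the PolarSSL test certificate on the server side give a network defender something to hunt for in flow and TLS logs. The scorer below is an added example for this page, not XLab's detection logic, and it runs over a handful of constructed flow records. It assumes a TLS-inspection log that records the server certificate subject, and it matches on the `O=PolarSSL` organization field that the publicly distributed Mbed TLS test certificates carry; that match string is an assumption, not a value taken from the report.

```python
from collections import defaultdict

# Constructed flow records for the demo (not taken from the report).
# One internal host holds day-long sessions to both RPX ports on the same
# remote; one host has a short, isolated 55555 connection; one is normal.
FLOWS = [
    {"src": "10.0.0.21", "dst": "203.0.113.10", "dport": 55555, "secs": 86400,
     "tls_subject": "C=NL, O=PolarSSL, CN=PolarSSL Server 1"},   # assumed subject
    {"src": "10.0.0.21", "dst": "203.0.113.10", "dport": 55560, "secs": 86400,
     "tls_subject": None},
    {"src": "10.0.0.35", "dst": "198.51.100.7", "dport": 443, "secs": 12,
     "tls_subject": "CN=example.com"},
    {"src": "10.0.0.40", "dst": "203.0.113.10", "dport": 55555, "secs": 30,
     "tls_subject": None},
]

RPX_PORTS = {55555, 55560}   # registration/proxy and remote-command ports
CERT_MARKER = "O=PolarSSL"   # assumption: organization field of the test cert


def score_hosts(flows, min_secs=3600):
    """Group RPX-port flows per (internal host, remote) and list reasons.

    A lone short connection to 55555 is not enough on its own (port
    scanners and unrelated services hit high ports too); a pair is
    flagged when the host talks to both ports at the same remote, holds
    a session for at least min_secs, or the remote presents the cert."""
    pairs = defaultdict(lambda: {"ports": set(), "long": False, "cert": False})
    for f in flows:
        if f["dport"] not in RPX_PORTS:
            continue
        e = pairs[(f["src"], f["dst"])]
        e["ports"].add(f["dport"])
        e["long"] = e["long"] or f["secs"] >= min_secs
        e["cert"] = e["cert"] or CERT_MARKER in (f.get("tls_subject") or "")
    findings = {}
    for key, e in pairs.items():
        reasons = []
        if e["ports"] == RPX_PORTS:
            reasons.append("both RPX ports to same remote")
        if e["long"]:
            reasons.append("long-lived session")
        if e["cert"]:
            reasons.append("PolarSSL test certificate")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (src, dst), reasons in score_hosts(FLOWS).items():
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

The thresholds are deliberately conservative: a device that merely touched 55555 once is left out, while a host with a persistent session to both ports at one remote is reported with all three reasons.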
During testing, XLab observed a reverse-connection relay mechanism: the infected device (the RPX_Client) opens the outbound connection to the RPX_Server, and the server pushes proxy jobs back down that already-established session. Because the device never has to accept an inbound connection, the design works behind NAT and is unaffected by inbound filtering at the victim's network edge.
The researchers verified that traffic flowed through the following path: Local proxy ←→ RPX Server ←→ RPX Client ←→ Target site (e.g., Cloudflare or QQ).

This structure effectively conceals the attacker's real IP: the target site sees only the address of the infected RPX_Client device, which acts as the exit node (the report calls it a jumpserver) of the ORB network.
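The relay path above is easiest to understand as running code. The following is an added example written for this page, not XLab's reconstruction of the RPX protocol and not PolarEdge's code: it reproduces the direction of the connections (the relay node dials out to the server, the server never dials the node) with a minimal length-prefixed framing that is an invention for the demo, and it stands in a local echo socket for the target site. Everything listens on 127.0.0.1 with ephemeral ports, so it runs offline.

```python
import socket
import struct
import threading

socket.setdefaulttimeout(10)   # a bug should fail fast rather than hang


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def send_frame(sock, payload):
    """Demo framing (assumed, not the real RPX wire format): 4-byte length + body."""
    sock.sendall(struct.pack(">I", len(payload)) + payload)


def recv_frame(sock):
    (n,) = struct.unpack(">I", recv_exact(sock, 4))
    return recv_exact(sock, n)


def listener():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def start_target(banner):
    """Stand-in for the destination site (the report's 'Cloudflare or QQ')."""
    lsock = listener()
    def serve():
        conn, _ = lsock.accept()
        conn.sendall(b"%s you sent: %s" % (banner, conn.recv(4096)))
        conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1]


def start_rpx_server():
    """Accepts the relay node's inbound dial-in and serves local proxy users."""
    node_l, user_l = listener(), listener()
    def serve():
        node, _ = node_l.accept()        # the node connected outbound to us
        user, _ = user_l.accept()        # the operator's local proxy
        job = user.recv(4096)            # "host:port\n" + request bytes
        send_frame(node, job)            # hand the job down the existing session
        user.sendall(recv_frame(node))   # relay the node's answer back
        user.close(); node.close()
    threading.Thread(target=serve, daemon=True).start()
    return node_l.getsockname()[1], user_l.getsockname()[1]


def run_rpx_client(server_port):
    """Relay node: initiates the outbound connection, then performs the fetch."""
    s = socket.create_connection(("127.0.0.1", server_port))
    header, _, body = recv_frame(s).partition(b"\n")
    host, port = header.decode().rsplit(":", 1)
    t = socket.create_connection((host, int(port)))   # exit hop to the target
    t.sendall(body)
    send_frame(s, t.recv(4096))
    t.close(); s.close()


def demo():
    """Local proxy -> RPX Server -> RPX Client -> Target; returns the target's reply."""
    target_port = start_target(b"TARGET:")
    node_port, user_port = start_rpx_server()
    node = threading.Thread(target=run_rpx_client, args=(node_port,), daemon=True)
    node.start()
    u = socket.create_connection(("127.0.0.1", user_port))   # the local proxy side
    u.sendall(b"127.0.0.1:%d\nGET / HTTP/1.0\r\n\r\n" % target_port)
    reply = u.recv(4096)
    u.close()
    node.join(5)
    return reply


if __name__ == "__main__":
    print(demo())
```

The target only ever sees a connection from the node's address, and the node only ever makes outbound connections, which is why a device with no reachable inbound port can still serve as the exit hop.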
While previous research by Censys and Sekoia debated the exact link between PolarEdge and Mbed TLS (PolarSSL) certificates, XLab asserts with confidence that the infrastructure overlaps are genuine.
“From XLab’s perspective, we have high confidence in attributing the PolarSSL test certificate infrastructure and RPX_Server mentioned in Censys’ original report to PolarEdge,” the analysts stated, citing homologous coding patterns, shared infrastructure, and database evidence linking RPX_Client distributions to the same servers.
The report concludes that RPX_Client is the first confirmed relay node component of the PolarEdge ORB, proving its operational model beyond prior theoretical assessments.