
August 25, 2025

PolarEdge: The evolution of persistent residential proxy infrastructure


Researchers at Censys have been tracking PolarEdge, a large-scale botnet targeting Internet of Things (IoT) and edge devices. First observed in mid-2023, PolarEdge has grown from approximately 150 infections in 2023 to nearly 40,000 compromised edge devices globally by August 2025.

PolarEdge’s infrastructure shares certain characteristics found in Operational Relay Box (ORB) networks, systems often used to support cybercrime, fraud, and espionage.

The botnet compromises both enterprise-grade hardware (e.g., Cisco APIC controllers and ASA firewalls) and consumer-grade devices (e.g., ASUS routers, Synology NAS, IP cameras, and VoIP phones). Infections are concentrated in South Korea (51.6%) and the United States (21.1%), with additional presence in Hong Kong, Sweden, and Canada.

Once a device is compromised, the operators install a custom TLS backdoor built on Mbed TLS (formerly PolarSSL), which gives them encrypted command-and-control and long-term persistence. Most infected hosts expose the backdoor on high TCP ports (40,000–50,000), a range that is scanned and monitored far less often than standard service ports.

Most infected devices remain active for months, indicating a stable and well-maintained infrastructure. The backdoor presents a certificate issued by the PolarSSL Test CA, the test certificate authority shipped with the Mbed TLS source tree; researchers have used that certificate as an indicator of compromise (IOC) to trace the botnet’s expansion and profile its victims.

PolarEdge is used to proxy traffic through compromised residential and small business networks, which allows threat actors to mask malicious activity behind legitimate IP space. Unlike commercial proxy services, this infrastructure is built without the device owners' consent. The campaign is rarely seen on honeypots and does not rely on broad scanning, suggesting a focus on stealth and infrastructure longevity.


Analyst insight

The use of high, nonstandard ports and encrypted communications makes detection particularly challenging, especially in environments lacking deep packet inspection or behavioral analytics.

PolarEdge reflects a broader trend in cyber operations: the strategic deployment of long-lived, stealthy residential proxy networks to support espionage and obfuscate malicious traffic.

Mitigation requires expanding visibility into edge and consumer-grade devices, especially those operating within enterprise or hybrid environments. Organizations should monitor for TLS sessions to high TCP ports (40,000–50,000) and inspect server certificates for anomalies, in particular any certificate issued by the PolarSSL Test CA, which is a test artifact and has no legitimate place in production traffic. Network segmentation and access control policies should be enforced to limit exposure.
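As an added example (not part of this advisory or of Censys's tooling), the check below applies the two indicators from the paragraph above to Zeek-style ssl.log records: a certificate issuer containing "PolarSSL Test CA" is treated as a positive hit, while a high destination port on its own is only a lead, since plenty of benign services live in that range. The log lines, addresses and the `CN=device` subject are constructed for this example and are assumptions, not real capture data.

```python
"""Detection pass for the PolarEdge indicators named in the text: TLS sessions
to high destination ports (40000-50000) and server certificates issued by the
'PolarSSL Test CA'. Added example; reads Zeek-style ssl.log (tab-separated).
The sample log below is constructed for this example and is not real data."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

HIGH_PORT_MIN, HIGH_PORT_MAX = 40000, 50000   # port range cited in the report
SUSPECT_ISSUER = "PolarSSL Test CA"           # certificate IOC named in the report

# Constructed, abbreviated ssl.log: a '#fields' header and four records.
# Only the columns used here are included (assumption: real logs have more).
SAMPLE_SSL_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name\tsubject\tissuer
1724572801.10\t10.0.0.5\t51322\t203.0.113.10\t443\tTLSv13\texample.com\tCN=example.com\tCN=Example Root CA,O=Example
1724572802.20\t10.0.0.6\t41000\t192.0.2.20\t44566\tTLSv12\t-\tCN=device,O=PolarSSL\tCN=PolarSSL Test CA,O=PolarSSL,C=NL
1724572803.30\t10.0.0.8\t52000\t192.0.2.30\t8443\tTLSv12\t-\tCN=device,O=PolarSSL\tCN=PolarSSL Test CA,O=PolarSSL,C=NL
1724572804.40\t10.0.0.9\t53000\t192.0.2.40\t45000\tTLSv13\tcdn.example.net\tCN=cdn.example.net\tCN=Example Root CA,O=Example
"""


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    issuer: str
    reasons: tuple[str, ...]

    @property
    def severity(self) -> str:
        # The test-CA issuer is a positive IOC; a high port alone is only a lead.
        return "high" if "polarssl_test_ca" in self.reasons else "low"


def parse_ssl_log(text: str) -> list[dict[str, str]]:
    """Parse Zeek-style TSV: take column names from '#fields', skip other '#' lines."""
    fields: list[str] | None = None
    records: list[dict[str, str]] = []
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if not row:
            continue
        if row[0].startswith("#"):
            if row[0] == "#fields":
                fields = row[1:]
            continue
        if fields is None or len(row) != len(fields):
            continue  # header missing or malformed row: skip rather than guess
        records.append(dict(zip(fields, row)))
    return records


def dest_port(rec: dict[str, str]) -> int:
    """Destination port as int; -1 when the field is absent or non-numeric ('-')."""
    try:
        return int(rec.get("id.resp_p", "-"))
    except ValueError:
        return -1


def classify(rec: dict[str, str]) -> tuple[str, ...]:
    """Return the indicator names that match this record (empty tuple if none)."""
    reasons = []
    if SUSPECT_ISSUER in rec.get("issuer", ""):
        reasons.append("polarssl_test_ca")
    if HIGH_PORT_MIN <= dest_port(rec) <= HIGH_PORT_MAX:
        reasons.append("high_port")
    return tuple(reasons)


def find_suspects(text: str) -> list[Finding]:
    """Run classify() over every record and keep those with at least one hit."""
    out = []
    for rec in parse_ssl_log(text):
        reasons = classify(rec)
        if reasons:
            out.append(Finding(rec["ts"], rec["id.orig_h"], rec["id.resp_h"],
                               dest_port(rec), rec["issuer"], reasons))
    return out


if __name__ == "__main__":
    for f in find_suspects(SAMPLE_SSL_LOG):
        print(f"{f.severity:4} {f.src} -> {f.dst}:{f.dport} "
              f"issuer={f.issuer!r} reasons={f.reasons}")
```

Run against the constructed sample, the pass reports the session to port 44566 and the one to port 8443 as high (the issuer string is the deciding indicator, regardless of port) and the benign session to port 45000 as low, a lead to triage rather than an alert. In a real deployment, point `find_suspects` at the live ssl.log and feed only the high-severity findings to the incident queue.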

Where patching is not possible, compensating controls such as firewall rules and intrusion detection systems should be used to isolate vulnerable devices from the rest of the network. Consumer-grade hardware should be treated as part of the threat surface and monitored accordingly.