Smoking Gun Uncovered: RPX Relay at PolarEdge's Core Exposed.
WHITE PetrP.73 2025-10-30 Modified: 2025-11-29
In May 2025, XLab's Cyber Threat Insight and Analysis System identified a suspicious ELF file dubbed "w" being distributed from the IP address 111.119.223.196, recognized as associated with PolarEdge but yielding no alerts on VirusTotal. This prompted a more detailed investigation that unveiled a previously undocumented component, RPX_Client. This software plays a critical role in onboarding compromised devices into a proxy pool linked to command and control (C2) nodes, facilitating remote command execution and proxy services used by attackers.
Indicators of Compromise (19)
TYPE INDICATOR DESCRIPTION CREATED
CVE CVE-2023-20118 2025-10-30