{ "type": "Domain", "indicator": "centrequ.cc", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/centrequ.cc", "alexa": "http://www.alexa.com/siteinfo/centrequ.cc", "indicator": "centrequ.cc", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4040492931, "indicator": "centrequ.cc", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "69025eeb36a0f5fdf2f85765", "name": "Smoking Gun Uncovered: RPX Relay at PolarEdge's Core Exposed", "description": "A new component of PolarEdge's infrastructure, RPX_Client, has been discovered, revealing insights into the threat actor's relay operations. The investigation uncovered 140 VPS nodes acting as RPX Servers and over 25,000 infected devices serving as RPX Clients. The system uses a multi-hop design to conceal attack sources, with compromised IoT devices and VPS servers forming robust barriers. RPX_Client functions as a jumpserver in the Operational Relay Box (ORB) network, providing proxy services and enabling remote command execution. The analysis also revealed connections between previously known PolarEdge infrastructure and the newly discovered components, confirming the attribution to this threat actor.", "modified": "2025-10-29T20:01:14.686000", "created": "2025-10-29T18:37:31.026000", "tags": [ "proxy", "infrastructure", "orb", "vps", "polaredge", "command execution", "iot", "cve-2023-20118", "evasion", "rpx_server", "rpx_client", "botnet" ], "references": [ "https://blog.xlab.qianxin.com/smoking-gun-uncovered-rpx-relay-at-polaredges-core-exposed" ], "public": 1, "adversary": "PolarEdge", "targeted_countries": [ "United States of America", "British Indian Ocean Territory", "China", "India", "Indonesia", "Israel", "Malaysia", "Russian Federation", "Thailand" ], "malware_families": [], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 1, "FileHash-SHA256": 3, "domain": 3, "hostname": 1 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 386867, "modified_text": "215 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67bd958b5dda19e4363aa95d", "name": "PolarEdge: Unveiling an uncovered ORB network", "description": "An analysis of the PolarEdge backdoor and its associated botnet reveals a sophisticated cyber threat targeting various edge devices. The botnet exploits vulnerabilities in Cisco, Asus, QNAP, and Synology devices, using a TLS backdoor to establish control. Active since at least late 2023, PolarEdge has infected over 2,000 devices globally, with a significant presence in Asia and South America. The attackers employ complex infrastructure for payload delivery and command and control, utilizing multiple domains and IP addresses. While the botnet's ultimate purpose remains unclear, it's suspected to potentially use compromised devices as Operational Relay Boxes for launching offensive cyber attacks. The sophistication of the operation suggests skilled operators behind this extensive and well-coordinated threat.", "modified": "2025-03-27T10:01:57.659000", "created": "2025-02-25T10:03:55.448000", "tags": [ "qnap", "polaredge", "asus", "cve-2023-20118", "tls backdoor", "infrastructure analysis", "synology", "edge devices", "botnet", "vulnerability exploitation", "cipher_log", "cisco" ], "references": [ "https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Taiwan" ], "malware_families": [ { "id": "PolarEdge", "display_name": "PolarEdge", "target": null }, { "id": "cipher_log", "display_name": "cipher_log", "target": null } ], "attack_ids": [ { "id": "T1542.001", "name": "System Firmware", "display_name": "T1542.001 - System Firmware" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 9, "URL": 4, "domain": 17 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 386867, "modified_text": "432 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690b3e15fa1f58b81bdfb81d", "name": "EbeeNov2025 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-05T12:04:04.227000", "created": "2025-11-05T12:07:49.857000", "tags": [], "references": [ "Nov.Week1.pdf" ], "public": 1, "adversary": "Cl0p ransomware, \u2022 Silent Lynx, \u2022Tor-Backed \u2022PDFClick \u2022DesertDexter", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 49, "FileHash-MD5": 152, "FileHash-SHA1": 99, "FileHash-SHA256": 186, "domain": 28, "email": 9, "hostname": 21 }, "indicator_count": 544, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "178 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69032eeb91df61e525fe5741", "name": "EbeeOct2025 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-11-29T09:05:33.273000", "created": "2025-10-30T09:24:59.370000", "tags": [], "references": [ "OCT.pdf" ], "public": 1, "adversary": "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "FileHash-MD5": 166, "FileHash-SHA1": 122, "FileHash-SHA256": 190, "CVE": 9, "domain": 118, "email": 3, "hostname": 73 }, "indicator_count": 779, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690334439c6be75a28edda73", "name": "Smoking Gun Uncovered: RPX Relay at PolarEdge s Core Exposed.", "description": "In May 2025, XLab's Cyber Threat Insight and Analysis System identified a suspicious ELF file dubbed \"w\" being distributed from the IP address 111.119.223.196, recognized as associated with PolarEdge but yielding no alerts on VirusTotal. This prompted a more detailed investigation that unveiled a previously undocumented component, RPX_Client. This software plays a critical role in onboarding compromised devices into a proxy pool linked to command and control (C2) nodes, facilitating remote command execution and proxy services used by attackers.", "modified": "2025-11-29T09:05:33.273000", "created": "2025-10-30T09:47:47.538000", "tags": [ "botnet", "proxy", "polaredge", "rpxserver", "rpxclient", "rpx server", "goadmin", "uuid", "xlab", "censys", "mbed tls", "polarssl test", "virustotal", "february", "malware", "indonesia", "april", "june", "trojan", "cloud", "from hunter", "as45102 alibaba", "alibaba", "backdoor c2", "downloader", "floid llc", "huawei clouds", "rpx sample", "script" ], "references": [ "https://blog.xlab.qianxin.com/smoking-gun-uncovered-rpx-relay-at-polaredges-core-exposed/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 5, "FileHash-SHA1": 3, "FileHash-SHA256": 5, "URL": 2, "domain": 3 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68fa56f45f0516a0b3075e7b", "name": "EbeeOct2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-11-22T16:03:43.896000", "created": "2025-10-23T16:25:24.750000", "tags": [], "references": [ "Oct week.3.pdf" ], "public": 1, "adversary": "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 61, "CIDR": 2, "CVE": 3, "FileHash-MD5": 175, "FileHash-SHA1": 135, "FileHash-SHA256": 190, "URL": 42, "email": 8, "hostname": 48 }, "indicator_count": 664, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "191 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6908350df33aefa1a66d5437", "name": "Smoking Gun Uncovered: RPX Relay at PolarEdge's Core Exposed", "description": "", "modified": "2025-11-03T04:52:29.652000", "created": "2025-11-03T04:52:29.652000", "tags": [ "proxy", "infrastructure", "orb", "vps", "polaredge", "command execution", "iot", "cve-2023-20118", "evasion", "rpx_server", "rpx_client", "botnet" ], "references": [ "https://blog.xlab.qianxin.com/smoking-gun-uncovered-rpx-relay-at-polaredges-core-exposed" ], "public": 1, "adversary": "PolarEdge", "targeted_countries": [ "United States of America", "British Indian Ocean Territory", "China", "India", "Indonesia", "Israel", "Malaysia", "Russian Federation", "Thailand" ], "malware_families": [], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "white", "cloned_from": "69025eeb36a0f5fdf2f85765", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 1, "FileHash-SHA256": 3, "domain": 3, "hostname": 1 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "211 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "353 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c22b3841c96fb90972ced5", "name": "PolarEdge Botnet Targets Unpatched Flaw in Edge Devices", "description": "The PolarEdge botnet is exploiting an unpatched vulnerability to install a TLS-based backdoor on edge devices from different vendors.", "modified": "2025-03-30T21:00:16.856000", "created": "2025-02-28T21:31:36.465000", "tags": [ "cyber threat", "march", "time", "crypto cyber", "defence", "classification", "confidential", "domains" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 5, "domain": 16 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "428 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c04334b965faa684b6ac50", "name": "PolarEdge: Unveiling an uncovered ORB network - Sekoia.io Blog", "description": "A security researcher from Sekoia has identified a malicious backdoor and its associated botnet, which has been active since the end of 2023 and is believed to be active for at least a decade.", "modified": "2025-03-29T10:02:50.535000", "created": "2025-02-27T10:49:24.254000", "tags": [ "ip address", "february", "tls backdoor", "virustotal", "synology", "asus", "polaredge", "january", "elf binary", "december", "stark", "polar", "august", "execution", "openssl", "ukraine", "kremlin", "mexico", "chaos", "quad7", "gobrat", "qnap", "flint", "tls" ], "references": [ "https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "QNAP", "display_name": "QNAP", "target": null }, { "id": "Synology", "display_name": "Synology", "target": null }, { "id": "FLINT", "display_name": "FLINT", "target": null }, { "id": "PolarEdge", "display_name": "PolarEdge", "target": null }, { "id": "Asus", "display_name": "Asus", "target": null }, { "id": "TLS", "display_name": "TLS", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 9, "URL": 6, "domain": 17 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c67913675e6e09a54530f3", "name": "PolarEdge: Unveiling an uncovered ORB network", "description": "", "modified": "2025-03-27T10:01:57.659000", "created": "2025-03-04T03:52:51.378000", "tags": [ "qnap", "polaredge", "asus", "cve-2023-20118", "tls backdoor", "infrastructure analysis", "synology", "edge devices", "botnet", "vulnerability exploitation", "cipher_log", "cisco" ], "references": [ "https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Taiwan" ], "malware_families": [ { "id": "PolarEdge", "display_name": "PolarEdge", "target": null }, { "id": "cipher_log", "display_name": "cipher_log", "target": null } ], "attack_ids": [ { "id": "T1542.001", "name": "System Firmware", "display_name": "T1542.001 - System Firmware" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "67bd958b5dda19e4363aa95d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 9, "URL": 4, "domain": 17 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "432 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c67916a6ea32aac5ec989e", "name": "PolarEdge: Unveiling an uncovered ORB network", "description": "", "modified": "2025-03-27T10:01:57.659000", "created": "2025-03-04T03:52:54.537000", "tags": [ "qnap", "polaredge", "asus", "cve-2023-20118", "tls backdoor", "infrastructure analysis", "synology", "edge devices", "botnet", "vulnerability exploitation", "cipher_log", "cisco" ], "references": [ "https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Taiwan" ], "malware_families": [ { "id": "PolarEdge", "display_name": "PolarEdge", "target": null }, { "id": "cipher_log", "display_name": "cipher_log", "target": null } ], "attack_ids": [ { "id": "T1542.001", "name": "System Firmware", "display_name": "T1542.001 - System Firmware" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "67bd958b5dda19e4363aa95d", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 9, "URL": 4, "domain": 17 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "432 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://blog.xlab.qianxin.com/smoking-gun-uncovered-rpx-relay-at-polaredges-core-exposed/", "https://blog.xlab.qianxin.com/smoking-gun-uncovered-rpx-relay-at-polaredges-core-exposed", "Nov.Week1.pdf", "Oct week.3.pdf", "https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/", "https://threatfox.abuse.ch/export/csv/recent/", "OCT.pdf" ], "related": { "alienvault": { "adversary": [ "PolarEdge" ], "malware_families": [ "Cipher_log", "Polaredge" ], "industries": [] }, "other": { "adversary": [ "Cl0p ransomware, \u2022 Silent Lynx, \u2022Tor-Backed \u2022PDFClick \u2022DesertDexter", "PolarEdge", "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S", "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor" ], "malware_families": [ "Polaredge", "Flint", "Tls", "Synology", "Cipher_log", "Qnap", "Asus" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "69025eeb36a0f5fdf2f85765", "name": "Smoking Gun Uncovered: RPX Relay at PolarEdge's Core Exposed", "description": "A new component of PolarEdge's infrastructure, RPX_Client, has been discovered, revealing insights into the threat actor's relay operations. The investigation uncovered 140 VPS nodes acting as RPX Servers and over 25,000 infected devices serving as RPX Clients. The system uses a multi-hop design to conceal attack sources, with compromised IoT devices and VPS servers forming robust barriers. RPX_Client functions as a jumpserver in the Operational Relay Box (ORB) network, providing proxy services and enabling remote command execution. The analysis also revealed connections between previously known PolarEdge infrastructure and the newly discovered components, confirming the attribution to this threat actor.", "modified": "2025-10-29T20:01:14.686000", "created": "2025-10-29T18:37:31.026000", "tags": [ "proxy", "infrastructure", "orb", "vps", "polaredge", "command execution", "iot", "cve-2023-20118", "evasion", "rpx_server", "rpx_client", "botnet" ], "references": [ "https://blog.xlab.qianxin.com/smoking-gun-uncovered-rpx-relay-at-polaredges-core-exposed" ], "public": 1, "adversary": "PolarEdge", "targeted_countries": [ "United States of America", "British Indian Ocean Territory", "China", "India", "Indonesia", "Israel", "Malaysia", "Russian Federation", "Thailand" ], "malware_families": [], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 1, "FileHash-SHA256": 3, "domain": 3, "hostname": 1 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 386867, "modified_text": "215 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67bd958b5dda19e4363aa95d", "name": "PolarEdge: Unveiling an uncovered ORB network", "description": "An analysis of the PolarEdge backdoor and its associated botnet reveals a sophisticated cyber threat targeting various edge devices. The botnet exploits vulnerabilities in Cisco, Asus, QNAP, and Synology devices, using a TLS backdoor to establish control. Active since at least late 2023, PolarEdge has infected over 2,000 devices globally, with a significant presence in Asia and South America. The attackers employ complex infrastructure for payload delivery and command and control, utilizing multiple domains and IP addresses. While the botnet's ultimate purpose remains unclear, it's suspected to potentially use compromised devices as Operational Relay Boxes for launching offensive cyber attacks. The sophistication of the operation suggests skilled operators behind this extensive and well-coordinated threat.", "modified": "2025-03-27T10:01:57.659000", "created": "2025-02-25T10:03:55.448000", "tags": [ "qnap", "polaredge", "asus", "cve-2023-20118", "tls backdoor", "infrastructure analysis", "synology", "edge devices", "botnet", "vulnerability exploitation", "cipher_log", "cisco" ], "references": [ "https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Taiwan" ], "malware_families": [ { "id": "PolarEdge", "display_name": "PolarEdge", "target": null }, { "id": "cipher_log", "display_name": "cipher_log", "target": null } ], "attack_ids": [ { "id": "T1542.001", "name": "System Firmware", "display_name": "T1542.001 - System Firmware" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 9, "URL": 4, "domain": 17 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 386867, "modified_text": "432 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690b3e15fa1f58b81bdfb81d", "name": "EbeeNov2025 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-05T12:04:04.227000", "created": "2025-11-05T12:07:49.857000", "tags": [], "references": [ "Nov.Week1.pdf" ], "public": 1, "adversary": "Cl0p ransomware, \u2022 Silent Lynx, \u2022Tor-Backed \u2022PDFClick \u2022DesertDexter", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 49, "FileHash-MD5": 152, "FileHash-SHA1": 99, "FileHash-SHA256": 186, "domain": 28, "email": 9, "hostname": 21 }, "indicator_count": 544, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "178 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69032eeb91df61e525fe5741", "name": "EbeeOct2025 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-11-29T09:05:33.273000", "created": "2025-10-30T09:24:59.370000", "tags": [], "references": [ "OCT.pdf" ], "public": 1, "adversary": "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "FileHash-MD5": 166, "FileHash-SHA1": 122, "FileHash-SHA256": 190, "CVE": 9, "domain": 118, "email": 3, "hostname": 73 }, "indicator_count": 779, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690334439c6be75a28edda73", "name": "Smoking Gun Uncovered: RPX Relay at PolarEdge s Core Exposed.", "description": "In May 2025, XLab's Cyber Threat Insight and Analysis System identified a suspicious ELF file dubbed \"w\" being distributed from the IP address 111.119.223.196, recognized as associated with PolarEdge but yielding no alerts on VirusTotal. This prompted a more detailed investigation that unveiled a previously undocumented component, RPX_Client. This software plays a critical role in onboarding compromised devices into a proxy pool linked to command and control (C2) nodes, facilitating remote command execution and proxy services used by attackers.", "modified": "2025-11-29T09:05:33.273000", "created": "2025-10-30T09:47:47.538000", "tags": [ "botnet", "proxy", "polaredge", "rpxserver", "rpxclient", "rpx server", "goadmin", "uuid", "xlab", "censys", "mbed tls", "polarssl test", "virustotal", "february", "malware", "indonesia", "april", "june", "trojan", "cloud", "from hunter", "as45102 alibaba", "alibaba", "backdoor c2", "downloader", "floid llc", "huawei clouds", "rpx sample", "script" ], "references": [ "https://blog.xlab.qianxin.com/smoking-gun-uncovered-rpx-relay-at-polaredges-core-exposed/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 5, "FileHash-SHA1": 3, "FileHash-SHA256": 5, "URL": 2, "domain": 3 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68fa56f45f0516a0b3075e7b", "name": "EbeeOct2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-11-22T16:03:43.896000", "created": "2025-10-23T16:25:24.750000", "tags": [], "references": [ "Oct week.3.pdf" ], "public": 1, "adversary": "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 61, "CIDR": 2, "CVE": 3, "FileHash-MD5": 175, "FileHash-SHA1": 135, "FileHash-SHA256": 190, "URL": 42, "email": 8, "hostname": 48 }, "indicator_count": 664, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "191 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6908350df33aefa1a66d5437", "name": "Smoking Gun Uncovered: RPX Relay at PolarEdge's Core Exposed", "description": "", "modified": "2025-11-03T04:52:29.652000", "created": "2025-11-03T04:52:29.652000", "tags": [ "proxy", "infrastructure", "orb", "vps", "polaredge", "command execution", "iot", "cve-2023-20118", "evasion", "rpx_server", "rpx_client", "botnet" ], "references": [ "https://blog.xlab.qianxin.com/smoking-gun-uncovered-rpx-relay-at-polaredges-core-exposed" ], "public": 1, "adversary": "PolarEdge", "targeted_countries": [ "United States of America", "British Indian Ocean Territory", "China", "India", "Indonesia", "Israel", "Malaysia", "Russian Federation", "Thailand" ], "malware_families": [], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" } ], "industries": [], "TLP": "white", "cloned_from": "69025eeb36a0f5fdf2f85765", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 1, "FileHash-SHA256": 3, "domain": 3, "hostname": 1 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "211 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "353 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c22b3841c96fb90972ced5", "name": "PolarEdge Botnet Targets Unpatched Flaw in Edge Devices", "description": "The PolarEdge botnet is exploiting an unpatched vulnerability to install a TLS-based backdoor on edge devices from different vendors.", "modified": "2025-03-30T21:00:16.856000", "created": "2025-02-28T21:31:36.465000", "tags": [ "cyber threat", "march", "time", "crypto cyber", "defence", "classification", "confidential", "domains" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 5, "domain": 16 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "428 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c04334b965faa684b6ac50", "name": "PolarEdge: Unveiling an uncovered ORB network - Sekoia.io Blog", "description": "A security researcher from Sekoia has identified a malicious backdoor and its associated botnet, which has been active since the end of 2023 and is believed to be active for at least a decade.", "modified": "2025-03-29T10:02:50.535000", "created": "2025-02-27T10:49:24.254000", "tags": [ "ip address", "february", "tls backdoor", "virustotal", "synology", "asus", "polaredge", "january", "elf binary", "december", "stark", "polar", "august", "execution", "openssl", "ukraine", "kremlin", "mexico", "chaos", "quad7", "gobrat", "qnap", "flint", "tls" ], "references": [ "https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "QNAP", "display_name": "QNAP", "target": null }, { "id": "Synology", "display_name": "Synology", "target": null }, { "id": "FLINT", "display_name": "FLINT", "target": null }, { "id": "PolarEdge", "display_name": "PolarEdge", "target": null }, { "id": "Asus", "display_name": "Asus", "target": null }, { "id": "TLS", "display_name": "TLS", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 9, "URL": 6, "domain": 17 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "centrequ.cc", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "centrequ.cc", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780399453.5958755 }