Intel Name: Smoking Gun Uncovered: RPX Relay at PolarEdge’s Core Exposed
Date of Scan: November 4, 2025
Impact: Medium
Summary: On May 30, 2025, researchers discovered an ELF file “w” from IP 111.119.223.196, linked to the PolarEdge malware family. Analysis revealed a new component, RPX_Client, that connects compromised devices to PolarEdge’s proxy (ORB) network for traffic relaying and remote control. Together with RPX_Server, it forms the backbone of PolarEdge’s relay infrastructure. Investigations uncovered 140 C2 servers and over 25,000 infected devices, confirming RPX as the core of PolarEdge operations.