A Look at PolarEdge Adjacent Infrastructure
ID: 3a9708a7-ab0e-5472-bee2-6e5b523ad9f5
STIX ID: report--3a9708a7-ab0e-5472-bee2-6e5b523ad9f5
Feed Name: Censys Blog
Date Published: 2025-09-23
Date Updated: 2026-04-27
Author: Ivonne Francia; The Censys Research Team
Censys researchers investigated PolarEdge, an IoT botnet exploiting CVE-2023-20118, and discovered an RPX reverse-connect proxy server (binary SHA256: 827797a9...) that manages proxy nodes (ORBs) and exposes SOCKS5/TLS/Trojan services. The RPX server orchestrates reverse connections from compromised devices, bridges client traffic to chosen proxy nodes, uses simple XOR/DES obfuscation, and was found alongside reused Mbed TLS test certificates and multiple hosts and logs; several IOCs (IPs, cert fingerprints, and binary hash) are provided, though certificate overlap tempers direct attribution to PolarEdge.
