PolarEdge: Unveiling an uncovered ORB network

Sekoia TDR observed active exploitation of CVE-2023-20118 against Cisco Small Business routers to deploy a multi-platform botnet family dubbed "PolarEdge"; analysis reveals a MIPS64 TLS backdoor (cipher_log) using Mbed TLS/PolarSSL certificates, multiple X86_64 payloads targeting Asus/QNAP/Synology, extensive C2/reporting infrastructure, and over 2,000 compromised edge devices with associated IoCs and domains.