Defrosting PolarEdge’s Backdoor
ID: 8f20cfb6-1114-5c48-8027-453dbaba8d9f
STIX ID: report--8f20cfb6-1114-5c48-8027-453dbaba8d9f
Feed Name: Sekoia.io Blog
This report presents an in-depth reverse-engineering analysis of the PolarEdge Backdoor (SHA256: a3e2826090f009691442ff1585d07118c73c95e40088c47f0a16c8a59c9d9082), a TLS-based implant deployed after exploitation of CVE-2023-20118 against QNAP (and other vendor) devices; it documents configuration storage, a custom binary protocol for unauthenticated command execution, fingerprinting/connect-back/debug modes, anti-analysis measures, and supplies IoCs and a YARA detection rule.
