Smoking Gun Uncovered: RPX Relay at PolarEdge’s Core Exposed

    Date: 11/04/2025

    Severity: Medium

    Summary

    On May 30, 2025, researchers discovered an ELF file named “w” from IP 111.119.223.196, linked to the PolarEdge malware family. Analysis revealed a new component, RPX_Client, which connects compromised devices to PolarEdge’s proxy (ORB) network for traffic relaying and remote control. Together with RPX_Server, it forms the backbone of PolarEdge’s relay infrastructure. The investigation uncovered 140 C2 servers and more than 25,000 infected devices, confirming RPX as the core of PolarEdge operations.

    Indicators of Compromise (IOC) List

    URLs/Domains

    beastdositadvtofm.site

    missionim.cc

    icecreand.cc

    centrequ.cc

    IP Addresses


    Hashes (MD5)

    96b3be4cf3ad232ca456f343f468da0e

    1fb2dfb09a31f0e8c63cc83283532f06

    7fa5fb15098efdf76e4c016e2e17bb38

    571088182ed7e33d986b3aa2c51efd27

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "beastdositadvtofm.site" or siteurl like "beastdositadvtofm.site" or url like "beastdositadvtofm.site" or domainname like "icecreand.cc" or siteurl like "icecreand.cc" or url like "icecreand.cc" or domainname like "centrequ.cc" or siteurl like "centrequ.cc" or url like "centrequ.cc" or domainname like "missionim.cc" or siteurl like "missionim.cc" or url like "missionim.cc"

    Detection Query 2:

    dstipaddress IN ("43.128.226.160","8.159.136.155","47.76.214.52","47.79.7.193","8.211.172.183","8.153.207.128","8.159.129.39","47.237.26.232","8.159.139.71","82.118.22.155","111.119.223.196","47.236.38.206","129.226.216.242","8.216.14.9","47.236.230.216","47.237.70.132","159.138.90.5","8.219.214.27","8.153.163.19","8.153.205.139","8.159.130.12","8.159.135.220") or srcipaddress IN ("43.128.226.160","8.159.136.155","47.76.214.52","47.79.7.193","8.211.172.183","8.153.207.128","8.159.129.39","47.237.26.232","8.159.139.71","82.118.22.155","111.119.223.196","47.236.38.206","129.226.216.242","8.216.14.9","47.236.230.216","47.237.70.132","159.138.90.5","8.219.214.27","8.153.163.19","8.153.205.139","8.159.130.12","8.159.135.220")

    Detection Query 3:

    md5hash IN ("571088182ed7e33d986b3aa2c51efd27","96b3be4cf3ad232ca456f343f468da0e","1fb2dfb09a31f0e8c63cc83283532f06","7fa5fb15098efdf76e4c016e2e17bb38")
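The three queries above can be exercised offline against sample telemetry. The script below is an added example, not Gurucul code; it assumes events are dicts keyed by the field names used in the queries (domainname, siteurl, url, dstipaddress, srcipaddress, md5hash) and replaces the `like` domain test with a suffix match, so subdomains of a listed C2 domain still match while look-alike names such as "notmissionim.cc" do not. The sample events are constructed, not real logs.

```python
from urllib.parse import urlsplit

# Indicators copied from the advisory above (C2 domains, C2 IPs, MD5 hashes).
C2_DOMAINS = {"beastdositadvtofm.site", "missionim.cc", "icecreand.cc", "centrequ.cc"}
C2_IPS = {
    "47.79.7.193", "47.236.38.206", "47.236.230.216", "47.237.26.232",
    "47.237.70.132", "47.76.214.52", "43.128.226.160", "129.226.216.242",
    "8.211.172.183", "159.138.90.5", "8.219.214.27", "8.153.163.19",
    "8.153.205.139", "8.153.207.128", "8.159.129.39", "8.159.130.12",
    "8.159.135.220", "8.159.136.155", "8.159.139.71", "8.216.14.9",
    "82.118.22.155", "111.119.223.196",
}
C2_MD5S = {"96b3be4cf3ad232ca456f343f468da0e", "1fb2dfb09a31f0e8c63cc83283532f06",
           "7fa5fb15098efdf76e4c016e2e17bb38", "571088182ed7e33d986b3aa2c51efd27"}

def domain_hit(value: str) -> bool:
    """True if a hostname or URL is a C2 domain or a subdomain of one.
    Suffix matching avoids the bare-substring false positive 'notmissionim.cc'."""
    host = urlsplit(value if "://" in value else "//" + value).hostname or ""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def match_event(event: dict) -> list[str]:
    """Return the names of the advisory queries this event would trigger."""
    hits = []
    if any(domain_hit(event[k]) for k in ("domainname", "siteurl", "url") if k in event):
        hits.append("query1_domain")
    if event.get("dstipaddress") in C2_IPS or event.get("srcipaddress") in C2_IPS:
        hits.append("query2_ip")
    if event.get("md5hash", "").lower() in C2_MD5S:   # hashes may be logged upper-case
        hits.append("query3_hash")
    return hits

# Constructed sample events (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"url": "http://cdn.missionim.cc/w", "dstipaddress": "111.119.223.196"},
    {"domainname": "notmissionim.cc", "dstipaddress": "10.0.0.5"},   # near-miss, no hit
    {"md5hash": "96B3BE4CF3AD232CA456F343F468DA0E"},
    {"srcipaddress": "8.159.139.71", "siteurl": "example.org"},
]

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(index, hits) for every event that triggers at least one query."""
    return [(i, h) for i, e in enumerate(events) if (h := match_event(e))]

print(scan(SAMPLE_EVENTS))
```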

    Reference:

    https://blog.xlab.qianxin.com/smoking-gun-uncovered-rpx-relay-at-polaredges-core-exposed/


    Tags: Malware, RPX Relay, PolarEdge
