EXECUTIVE SUMMARY:
An undocumented implant, referred to here as the PolarEdge Backdoor, has been observed being deployed to network-attached storage (NAS) and router devices after successful exploitation of CVE-2023-20118. Initial compromises used a remote command to download and run a small shell script, which in turn fetched and launched an ELF payload that establishes persistent, encrypted command-and-control on the victim.
The implant stores its runtime configuration in a trailing fixed-size block and implements three operational modes: a TLS server that listens for incoming commands, a TLS client connect-back mode used to retrieve additional payloads, and an interactive debug mode. It uses mbedTLS for encrypted communications and carries an embedded certificate chain, implements a compact custom binary protocol with hardcoded request tokens, and reports a daily host fingerprint to its command-and-control infrastructure. Received payloads are written to temporary locations and executed; the binary also employs lightweight obfuscation and stores runtime parameters such as the listening port inside its embedded configuration.
This backdoor presents a high post-exploitation risk on affected devices because it enables unauthenticated remote command execution following exploitation of the underlying vulnerability. Recommended actions are to apply vendor fixes and firmware updates, remove exposed management interfaces from public networks, scan devices for the implant's indicators, restore compromised devices from known-good images, rotate credentials, and increase monitoring for anomalous outbound TLS connections and bespoke protocol traffic.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Execution | T1059.004 | Command and Scripting Interpreter | Unix Shell |
| Discovery | T1016.001 | System Network Configuration Discovery | Internet Connection Discovery |
| Discovery | T1082 | System Information Discovery | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1219.002 | Remote Access Tools | Remote Desktop Software |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
| --- | --- | --- |
| Anti-Behavioral Analysis | B0001 | Debugger Detection |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Collection | E1113 | Screen Capture |
| Collection | F0002 | Keylogging |
| Command and Control | B0030 | C2 Communication |
| Defense Evasion | F0004 | Disable or Evade Security Tools |
| Defense Evasion | E1055 | Process Injection |
| Discovery | E1082 | System Information Discovery |
| Execution | B0011 | Remote Commands |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Cryptography Micro-objective | C0027 | Encrypt Data |
| Data Micro-objective | C0026 | Encode Data |
| Operating System Micro-objective | C0036 | Registry |
| Process Micro-objective | C0017 | Create Process |
REFERENCES:
The following reports contain further technical details: