PolarEdge is the name given to a covert cyber-espionage infrastructure attributed to China-linked advanced persistent threat (APT) actors. It is a large, stealthy network of compromised internet-connected devices, primarily routers and IoT devices, that is used to relay and obscure cyber operations worldwide.

Key Features of PolarEdge

• Operational Relay Box (ORB) Network: PolarEdge is an ORB network. Compromised devices act as relay points through which the operators route their traffic, so that victims and defenders see connections originating from unremarkable residential or small-business addresses rather than from the attackers' own infrastructure. The devices keep performing their normal function, which helps the implants persist unnoticed.
• Scale and Activity: As of 2025, PolarEdge reportedly consists of over 2,000 infected routers and IoT devices and has been active since at least 2023.
• Stealth and Flexibility: Unlike traditional botnets, which are typically used for noisy activity such as DDoS or spam, ORB networks like PolarEdge are built for long-term, low-profile operations. Because the infected devices continue to work normally for their owners, both detection and attribution are difficult.
• Purpose: The infrastructure provides operational cover for malicious activity, including espionage campaigns, rather than serving as a platform for disruptive attacks.
• Targeting: The campaign has focused on specific countries and geographies, including the United States and parts of Asia, and has targeted sectors such as real estate, IT, networking, and media.
• Attribution: Security researchers have linked PolarEdge to Chinese APT groups, including those associated with Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit.

How PolarEdge Operates

• Compromise: The operators exploit known vulnerabilities in internet-exposed routers and IoT devices to gain initial access, which means devices that are unpatched or past vendor support are the most likely recruits.
• Persistence: They deploy backdoors and repurposed open-source tools to retain long-term access and control over each device.
• Espionage: The compromised devices are then used to relay operator traffic toward actual targets, harvest credentials, and support other post-compromise activity, all while the devices continue to behave normally enough to escape notice.
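For defenders, the practical consequence of the relay model above is that an ORB node looks like a device that suddenly "forwards" traffic: roughly as many bytes enter it from an unfamiliar peer on an odd port as leave it toward many destinations it never spoke to before. The following added example (written for this page, not code from any PolarEdge report or tooling) applies that heuristic to NetFlow-style records. All addresses, ports, byte counts and the per-device baseline are constructed for illustration; the thresholds are starting points, not vendor-published indicators.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records (not real telemetry) in a NetFlow-like shape:
# (src_ip, dst_ip, dst_port, bytes). The 192.0.2.0/24 hosts are the edge devices
# being watched. 192.0.2.10 behaves like an ordinary camera (vendor cloud plus
# NTP only). 192.0.2.20 behaves like a relay node: it accepts traffic on an odd
# high port and pushes a near-equal byte volume out to many unrelated peers.
SAMPLE_FLOWS = [
    ("192.0.2.10", "203.0.113.5", 443, 52_000),
    ("203.0.113.5", "192.0.2.10", 443, 4_000),
    ("192.0.2.10", "203.0.113.6", 123, 200),
    ("198.51.100.7", "192.0.2.20", 49152, 10_000),
    ("198.51.100.7", "192.0.2.20", 49152, 12_000),
    ("198.51.100.7", "192.0.2.20", 49152, 8_000),
    ("192.0.2.20", "203.0.113.9", 443, 500),      # known vendor check-in
    ("192.0.2.20", "203.0.113.20", 443, 5_000),
    ("192.0.2.20", "203.0.113.21", 443, 5_000),
    ("192.0.2.20", "203.0.113.22", 22, 5_000),
    ("192.0.2.20", "203.0.113.23", 443, 5_000),
    ("192.0.2.20", "203.0.113.24", 8443, 5_000),
    ("192.0.2.20", "203.0.113.25", 443, 4_000),
]

# Which local addresses are routers/IoT devices, and which external peers each
# one is known to talk to. In practice this baseline is learned from a quiet
# observation window; here it is simply declared (assumed values).
MONITORED = {"192.0.2.10", "192.0.2.20"}
BASELINE = {
    "192.0.2.10": {"203.0.113.5", "203.0.113.6"},
    "192.0.2.20": {"203.0.113.9"},
}


@dataclass
class DeviceStats:
    bytes_in: int = 0
    bytes_out: int = 0
    inbound_ports: set = field(default_factory=set)  # ports peers connected TO on the device
    new_dsts: set = field(default_factory=set)       # outbound peers absent from the baseline


def summarize(flows, monitored, baseline):
    """Aggregate per-device byte counts, inbound ports and unexpected destinations."""
    stats = defaultdict(DeviceStats)
    for src, dst, dport, nbytes in flows:
        if dst in monitored:  # traffic arriving at the device
            s = stats[dst]
            s.bytes_in += nbytes
            s.inbound_ports.add(dport)
        if src in monitored:  # traffic leaving the device
            s = stats[src]
            s.bytes_out += nbytes
            if dst not in monitored and dst not in baseline.get(src, set()):
                s.new_dsts.add(dst)
    return stats


def relay_candidates(flows, monitored, baseline, min_new_dsts=5, max_asymmetry=0.25):
    """Return {device: DeviceStats} for devices whose traffic looks like relaying.

    A relay forwards what it receives, so bytes in and bytes out are close to
    equal, and it fans that traffic out to destinations the device never used
    before. A normal IoT device is usually lopsided (mostly upload or mostly
    download) and sticks to a handful of vendor endpoints.
    """
    hits = {}
    for dev, s in summarize(flows, monitored, baseline).items():
        peak = max(s.bytes_in, s.bytes_out)
        if peak == 0:
            continue
        asymmetry = abs(s.bytes_in - s.bytes_out) / peak
        if asymmetry <= max_asymmetry and len(s.new_dsts) >= min_new_dsts:
            hits[dev] = s
    return hits


if __name__ == "__main__":
    for dev, s in relay_candidates(SAMPLE_FLOWS, MONITORED, BASELINE).items():
        print(f"{dev}: in={s.bytes_in} out={s.bytes_out} "
              f"inbound_ports={sorted(s.inbound_ports)} new_dsts={len(s.new_dsts)}")
```

On the constructed data only 192.0.2.20 is reported: about 30,000 bytes in on TCP/49152 from one unfamiliar peer, about 29,500 bytes out to six never-before-seen destinations. The byte-symmetry test is deliberately coarse (protocol overhead and return traffic will skew it on real captures), so treat a hit as a reason to pull the device's listening sockets and firmware for inspection rather than as a verdict; the point is that an ORB node betrays itself by relaying, even when the implant on it is otherwise quiet.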