UPDATE 9/24/2025: Clarifications on Our PolarEdge Research
We were recently informed by a community member that the certificate highlighted in earlier versions of this research is also present in older versions of Mbed TLS (version 3.4.0), the library previously known as PolarSSL. Additionally, the TLS certificate we had associated with the “PolarEdge” malware originates from that same Mbed TLS repository. This new context lowers our confidence in the evidence linking the exposure footprint, or the RPX server we analyzed, directly to PolarEdge.
While our follow-up investigation was derived from examining the historical data of a host known to have distributed the PolarEdge payload, we now believe the actor is leveraging known, publicly exposed certificates as a way of reducing the number of unique, attributable characteristics. Based on this, we believe the RPX server discussed in the blog was most likely either running on the attacker’s infrastructure or functioning as a relay server.
To ensure our reporting reflects this correction:
- We have removed the original research content (still available at the following archive link for transparency: “Pondering my ORB – A look at PolarEdge Adjacent Infrastructure”).
- We have published a new post that reflects the most updated and verified analysis of the infrastructure analyzed.
- Our threat intelligence dataset has been updated accordingly.
Transparency, reproducibility and accuracy are central to our research, and we will continue to clearly acknowledge situations like this in order to provide our community with the most reliable information possible.

