VERY IMPORTANT

A new component of PolarEdge's infrastructure, RPX_Client, has been discovered, revealing insights into the threat actor's relay operations. The investigation uncovered 140 VPS nodes acting as RPX Servers and over 25,000 infected devices serving as RPX Clients. The system uses a multi-hop design to conceal attack sources, with compromised IoT devices and VPS servers forming robust barriers. RPX_Client functions as a jumpserver in the Operational Relay Box (ORB) network, providing proxy services and enabling remote command execution. The analysis also revealed connections between previously known PolarEdge infrastructure and the newly discovered components, confirming the attribution to this threat actor.