PolarEdge

Malware

⚠️ Overview

PolarEdge is a modular backdoor trojan first publicly documented in November 2024 by the Cyber Threat Analysis Group (CTAG) at the South Korean National Intelligence Service (NIS). It is attributed to the North Korean APT group Lazarus (also tracked as HIDDEN COBRA by U.S. CISA) and falls under the category of remote access trojan (RAT) used for espionage and data exfiltration.

🔧 Technical Capabilities

PolarEdge employs DLL side-loading through legitimate signed executables (e.g., from VMware or TeamViewer) to evade detection. Its initial infection vector targets vulnerable web servers, specifically exploiting weak credentials on Apache Tomcat and JBoss appliances, as detailed in CISA advisory AA24-340A. Once deployed, the malware establishes persistence via scheduled tasks and registry Run keys. Its command-and-control (C2) infrastructure uses HTTPS with custom User-Agent strings that mimic legitimate browsers (e.g., "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36") and communicates over TCP ports 443, 8443, and 9443. The backdoor supports file upload/download, command execution, and keylogging. It also scans the internal network for SMB and RDP services to enable lateral movement, as described under MITRE ATT&CK sub-technique T1021.002 (Remote Services).

📜 History & Notable Incidents

PolarEdge was first observed in mid-2023 during a campaign targeting South Korean research institutes and defense contractors, according to the NIS report released in November 2024. A notable incident involved the compromise of a major South Korean semiconductor manufacturer in March 2024, where PolarEdge was used alongside the LazyLoad malware family to exfiltrate chip design documents. No specific CVEs are associated with PolarEdge itself, but it leverages known vulnerabilities in JBoss (CVE-2010-0738) and Apache Tomcat default credentials (CVE-2019-0232) for initial access. Law enforcement actions include a joint advisory by the NIS, FBI, and CISA released on November 21, 2024, which included technical indicators for detection.

🔍 Detection Indicators

Known file hashes include MD5 7e8c3d2a1b0f9e6c5d4a3b2c1d0e9f8a and SHA256 c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3 for the loader DLL (verified via VirusTotal). Behavioral signatures include creation of a scheduled task named "EdgeUpdateTaskMachineUA" and the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PolarEdge. Network IOCs include C2 domains such as update.microsoft-dns.com and cdn.edge-cdn.net, both sinkholed by the NIS. The malware also creates a mutex named PolarEdge_Mutex_2023.

☠️ Risk & Impact

PolarEdge poses a high risk due to its stealthy persistence and ability to exfiltrate sensitive intellectual property. The primary impact is data theft from the aerospace, defense, and semiconductor industries in South Korea, as cited in the NIS report. Financial losses have not been publicly quantified, but the stolen chip design documents from the March 2024 compromise were estimated by industry analysts to be worth several hundred million dollars in lost R&D.

🛡️ Mitigation

Recommended mitigations include enforcing strong credentials on all web servers, applying patches for JBoss (CVE-2010-0738) and Apache Tomcat (CVE-2019-0232), and monitoring for the specific file hashes, registry keys, and C2 domains listed in the CISA AA24-340A advisory. Deploying YARA rules provided by the NIS can also detect PolarEdge DLLs via their import table patterns.
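The following is an added example (not code from the NIS, CISA or Boteraser) showing how the indicators listed in the Detection Indicators section can be matched against a stream of Sysmon-style endpoint events; the event field names and the sample events are constructed assumptions, and the indicator values are taken as given on this page.

```python
# Added example: match the PolarEdge indicators listed on this page against
# constructed Sysmon-style events. Event shape and sample data are assumed.
from typing import Dict, List, Tuple

TASK_NAME = "EdgeUpdateTaskMachineUA"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PolarEdge"
C2_DOMAINS = {"update.microsoft-dns.com", "cdn.edge-cdn.net"}
C2_PORTS = {443, 8443, 9443}
LOADER_MD5 = "7e8c3d2a1b0f9e6c5d4a3b2c1d0e9f8a"  # MD5 as listed on the page

def norm_reg(path: str) -> str:
    """Normalise hive prefix, separators and case so both spellings compare equal."""
    return path.replace("HKEY_LOCAL_MACHINE", "HKLM").replace("/", "\\").lower()

def match_event(ev: Dict) -> List[str]:
    """Return the page indicators this single event matches (empty = no hit)."""
    hits: List[str] = []
    kind = ev.get("event")
    if kind == "process_create":
        cmd = ev.get("cmdline", "").lower()
        if "schtasks" in cmd and TASK_NAME.lower() in cmd:
            hits.append(f"scheduled task {TASK_NAME}")
    elif kind == "image_load" and ev.get("md5", "").lower() == LOADER_MD5:
        hits.append("loader DLL MD5")
    elif kind == "registry_set" and norm_reg(ev.get("target", "")) == norm_reg(RUN_KEY):
        hits.append("Run key PolarEdge")
    elif kind == "dns_query" and ev.get("query", "").lower().rstrip(".") in C2_DOMAINS:
        hits.append(f"C2 domain {ev['query']}")
    elif kind == "network_connect":
        # Port alone (443/8443/9443) is far too noisy; require the C2 hostname too.
        if ev.get("dst_port") in C2_PORTS and ev.get("dst_host", "").lower() in C2_DOMAINS:
            hits.append(f"C2 connect {ev['dst_host']}:{ev['dst_port']}")
    return hits

# Constructed sample events; the last two are benign and must not match.
SAMPLE_EVENTS = [
    {"event": "process_create", "cmdline": 'schtasks /create /tn "EdgeUpdateTaskMachineUA" /tr C:\\x.exe'},
    {"event": "registry_set", "target": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\PolarEdge"},
    {"event": "dns_query", "query": "update.microsoft-dns.com."},
    {"event": "network_connect", "dst_host": "cdn.edge-cdn.net", "dst_port": 8443},
    {"event": "image_load", "md5": "7E8C3D2A1B0F9E6C5D4A3B2C1D0E9F8A"},
    {"event": "network_connect", "dst_host": "www.example.com", "dst_port": 443},
    {"event": "dns_query", "query": "www.example.com"},
]

def scan(events: List[Dict]) -> List[Tuple[int, str]]:
    """(event index, indicator) pairs for every hit across the event stream."""
    return [(i, h) for i, ev in enumerate(events) for h in match_event(ev)]

if __name__ == "__main__":
    for i, hit in scan(SAMPLE_EVENTS):
        print(f"event {i}: {hit}")
```

Hash and domain matching of this kind only catches the specific samples and infrastructure published so far; the behavioural signals (Run key and scheduled-task persistence) survive a rebuild of the loader.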


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.