Ethical Hacking News
A cyber espionage campaign built on compromised small office and home office (SOHO) devices has been uncovered, with more than 1,000 devices infected across the United States and Southeast Asia. The "LapDogs" network, attributed to China-nexus hacking groups, is an operational relay box (ORB) network: a custom backdoor called ShortLeash enlists infected devices as relay nodes, and the infrastructure appears to have been built for long-running espionage rather than short-lived attacks.
Among recent campaigns, this one stands out for its scale and the care put into its infrastructure. The "LapDogs" network, a custom-built operational relay box (ORB) network, was discovered by threat hunters at SecurityScorecard's STRIKE team and has compromised over 1,000 small office and home office (SOHO) devices across the United States and Southeast Asia. The campaign is linked to China-nexus hacking groups, and the evidence points to a prolonged cyber espionage infrastructure rather than opportunistic activity.
The ORB network, codenamed LapDogs, has been identified as having a high concentration of victims across various sectors, including IT, networking, real estate, and media. Active infections have spanned devices and services from prominent brands like Ruckus Wireless, ASUS, Buffalo Technology, Cisco-Linksys, Cross DVR, D-Link, Microsoft, Panasonic, and Synology. The network's beating heart is a custom backdoor called ShortLeash, engineered to enlist infected devices into the network.
Upon installation, ShortLeash sets up a fake Nginx web server and generates a unique, self-signed TLS certificate with the issuer name "LAPD" in an attempt to impersonate the Los Angeles Police Department. That issuer string is also the origin of the LapDogs name, and because the certificate is presented by every infected node, it is a usable fingerprint for hunting the network's relays.
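The certificate fingerprint described above lends itself to a simple hunt. The following POSIX shell helper is an added example written for this article, not SecurityScorecard's or any project's code: it takes a PEM certificate, checks whether it is self-signed (issuer equals subject) and whether the issuer name contains "LAPD", and a second helper pulls the leaf certificate from a live listener with `openssl s_client` and runs the same check. Only the "LAPD" issuer string comes from the article; the function names, the host and port, and the exact Distinguished Name layout of a real ShortLeash certificate are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or SecurityScorecard). Requires openssl.
# lapd_selfsigned CERT.pem
#   returns 0 if CERT is self-signed AND its issuer contains "LAPD"
#   returns 1 if it is CA-issued or carries a different issuer name
#   returns 2 if the file is not a parseable X.509 certificate
lapd_selfsigned() {
  cert="$1"
  # Strip the "issuer=" / "subject=" prefixes so the two DNs can be compared.
  issuer=$(openssl x509 -in "$cert" -noout -issuer 2>/dev/null | sed 's/^issuer=//')
  subject=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null | sed 's/^subject=//')
  [ -n "$issuer" ] || return 2
  # A self-signed certificate is issued by its own subject.
  [ "$issuer" = "$subject" ] || return 1
  # Match the issuer name the article attributes to ShortLeash.
  case "$issuer" in
    *LAPD*) return 0 ;;
    *)      return 1 ;;
  esac
}

# check_host HOST [PORT]  (hypothetical usage: check_host 203.0.113.10 443)
# Fetches the leaf certificate from a live TLS listener and applies the check.
check_host() {
  host="$1"; port="${2:-443}"
  tmp=$(mktemp)
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$tmp" 2>/dev/null
  lapd_selfsigned "$tmp"; rc=$?
  rm -f "$tmp"
  return $rc
}
```

The self-signed test matters as much as the name match: a certificate that merely mentions "LAPD" in a subject but was issued by a real CA would not fit the artifact the article describes, so the helper requires both conditions before flagging a host.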
ShortLeash is delivered via a shell script primarily targeting Linux-based SOHO devices, although artifacts serving a Windows version of the backdoor have also been discovered. The attacks weaponize N-day security vulnerabilities to obtain initial access. First signs of activity related to LapDogs date back to September 6, 2023, in Taiwan, with the second attack recorded four months later on January 19, 2024.
The LapDogs network has been found to share similarities with another cluster referred to as PolarEdge, which was documented by Sekoia earlier this February. However, LapDogs and PolarEdge are assessed as two separate entities due to differences in the infection process, persistence methods used, and the former's ability to target virtual private servers (VPSs) and Windows systems.
Chinese threat actors' use of ORB networks has been previously documented by Google Mandiant, Sygnia, and SentinelOne, indicating a growing trend. These networks serve as means of obfuscation for highly targeted operations, utilizing compromised devices or virtual services to remain under the radar.
SecurityScorecard draws the line between an ORB network and an ordinary botnet as follows: "While both ORBs and botnets commonly consist of a large set of compromised, legitimate internet-facing devices or virtual services, ORB networks are more like Swiss Army knives, and can contribute to any stage of the intrusion lifecycle, from reconnaissance, anonymized actor browsing, and netflow collection to port and vulnerability scanning, initiating intrusion cycles by reconfiguring nodes into staging or even C2 servers, and relaying exfiltrated data up the stream."
The discovery of the LapDogs network shows how much mileage a well-resourced actor can get out of neglected edge devices. Since ShortLeash gains its foothold through known (N-day) vulnerabilities, keeping internet-facing SOHO devices patched removes most of its initial-access path, and the artifacts described above, such as a self-signed certificate whose issuer is "LAPD" in front of a fake Nginx server, give defenders something concrete to hunt for.
Related Information:
https://www.ethicalhackingnews.com/articles/LapDogs-Unleashed-A-Sophisticated-Chinese-Cyber-Espionage-Campaign-Targets-SOHO-Devices-ehn.shtml
https://thehackernews.com/2025/06/over-1000-soho-devices-hacked-in-china.html
Published: Fri Jun 27 12:28:39 2025 by llama3.2 3B Q4_K_M