LapDogs & ORB Espionage

In the dim corridors of global cyber activity, a new actor has emerged not as a singular attacker, but as a silent, distributed network weaving through homes and small offices. The LapDogs campaign, uncovered by SecurityScorecard’s STRIKE team, presents a chilling example of how inconspicuous devices can be transformed into powerful espionage tools.

This discovery reveals over 1,000 compromised SOHO (Small Office/Home Office) routers and IoT devices quietly repurposed into an operational relay box (ORB) network. Aptly dubbed LapDogs, the campaign has been active since at least September 2023, gradually embedding itself deeper into regions like the U.S., Southeast Asia, Japan, South Korea, and Taiwan. Victims include sectors we depend on daily: IT, networking, real estate, and media, whose infrastructure is now quietly repurposed for adversarial reconnaissance and obfuscation.

At the core of LapDogs is ShortLeash, a custom backdoor designed to slip into Linux-based devices. Once inside, it quietly installs a fake Nginx server and uses a TLS certificate disguised with the issuer name “LAPD”, an ironic misdirection. With shell scripts as its delivery method and aged but still potent vulnerabilities (such as CVE-2015-1548 and CVE-2017-17663) as its keys, the attacker’s entry is silent but effective.
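As an added defender-side example (not code from the STRIKE report or from this post), the following Go hunt script pulls the TLS certificate a device presents and flags the “LAPD” issuer name described above; the router address in `main` is an assumed placeholder for a device on your own network.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"strings"
	"time"
)

// IssuerFieldsFlag reports whether an issuer CommonName or any Organization
// value matches the "LAPD" indicator. The comparison is case-insensitive and
// ignores surrounding whitespace so minor variations do not slip past.
func IssuerFieldsFlag(commonName string, orgs []string) bool {
	for _, f := range append([]string{commonName}, orgs...) {
		if strings.EqualFold(strings.TrimSpace(f), "LAPD") {
			return true
		}
	}
	return false
}

// IssuerFlag applies the same check to a parsed certificate's Issuer field.
func IssuerFlag(cert *x509.Certificate) bool {
	return IssuerFieldsFlag(cert.Issuer.CommonName, cert.Issuer.Organization)
}

// FetchLeaf retrieves the leaf certificate served at addr (host:port).
// Verification is skipped on purpose: the goal is to inspect whatever the
// device presents, including a certificate that would fail normal validation.
func FetchLeaf(addr string, timeout time.Duration) (*x509.Certificate, error) {
	d := &net.Dialer{Timeout: timeout}
	conn, err := tls.DialWithDialer(d, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("%s: no certificate presented", addr)
	}
	return certs[0], nil
}

func main() {
	// Assumed placeholder: the management address of a SOHO router you administer.
	cert, err := FetchLeaf("192.168.1.1:443", 5*time.Second)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("issuer=%q subject=%q flagged=%v\n",
		cert.Issuer.String(), cert.Subject.String(), IssuerFlag(cert))
}
```

Run it against each device's HTTPS management port; a flagged result is a reason to pull the device for closer inspection, not proof of compromise on its own.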

What makes LapDogs especially ominous is its design. Each intrusion set infects fewer than 60 devices, a strategy that lowers detection and mimics natural network noise. Yet over time, 162 such clusters have been mapped, making it evident that this operation is neither random nor small-scale.

The network shares eerie similarities with another campaign, PolarEdge, which exploits IoT vulnerabilities similarly. However, their differences in persistence techniques, infection targets, and architecture suggest distinct threat entities. Notably, LapDogs extends beyond routers to virtual private servers (VPS) and even Windows systems, hinting at broader ambitions.

There is moderate confidence that a China-linked threat group, UAT-5918, has leveraged LapDogs in operations targeting Taiwan. Yet whether they are architects or opportunistic clients remains uncertain. The use of ORB networks by Chinese APTs is not new. However, their evolution from simple obfuscation layers to full-spectrum intrusion frameworks points to a shift in how nation-state actors operate in today’s digital theater.

Unlike traditional botnets, ORBs serve as multi-functional, modular platforms. They support activities from stealthy reconnaissance and anonymized browsing to port scanning, vulnerability exploitation, C2 (Command-and-Control) relaying, and data exfiltration. These aren’t just tools; they’re arsenals operating behind the unassuming veil of consumer-grade routers.

Conclusion:

The LapDogs campaign exemplifies the growing sophistication of cyber espionage operations. By weaponizing overlooked consumer and small-office hardware, adversaries are crafting decentralized, persistent, and evasive attack infrastructures. The threat landscape no longer begins at enterprise firewalls; it begins at home, in the very routers and smart devices we trust.

Organizations must rethink security strategies to account for such distributed and low-profile threats. Threat hunting, secure configurations, and routine patching of SOHO and IoT devices should no longer be optional. This is especially true for the IT, real estate, media, and networking sectors, which by their nature possess data flows and access vectors attractive to threat actors.

About COE Security:

COE Security partners with organizations in financial services, healthcare, retail, manufacturing, IT, real estate, and government to secure AI-powered systems and ensure regulatory compliance.

Our capabilities go beyond traditional security to address emerging threats like ORB-based espionage, social engineering, and IoT compromise. Here’s how we help:

  • AI-enhanced threat detection and real-time monitoring for advanced attack infrastructure.
  • Social engineering countermeasures and awareness programs tailored for rapid internal threat detection.
  • Secure model validation to guard against adversarial manipulations within intelligent systems.
  • Data governance aligned with GDPR, HIPAA, and PCI DSS.
  • Penetration Testing for Mobile, Web, AI, Product, IoT, Network & Cloud environments.
  • Secure Software Development Consulting (SSDLC) for future-ready resilience.
  • Customized CyberSecurity Services built for today’s complex attack surfaces.

Follow COE Security on LinkedIn for ongoing insights into safe, compliant, and resilient cybersecurity practices. Stay informed. Stay protected. Stay ahead.
