LapDogs Hackers Exploit 1,000 SOHO Devices with Custom Backdoor for Covert Operations

A sophisticated cyber-espionage campaign designated “LapDogs” has compromised more than 1,000 Small Office/Home Office (SOHO) devices worldwide, leveraging a custom backdoor dubbed “ShortLeash” and establishing an Operational Relay Box (ORB) network for covert and persistent operations.

Threat researchers assess this activity as a significant escalation in the use of ORB networks, particularly by China-nexus advanced persistent threat (APT) actors, fundamentally challenging traditional cybersecurity defenses.

Infection Lifecycle

LapDogs operates by constructing a decentralized network of compromised devices, primarily Linux-based SOHO routers, cameras, and smart IoT hardware, which are then orchestrated as operational nodes.

Unlike typical botnets, the ORB structure is optimized for stealth, espionage, and persistent lateral movement rather than noisy, large-scale attacks.

These nodes serve as proxies, anonymizing the actors' traffic and facilitating access to targeted organizations, most notably critical infrastructure and enterprises in the United States and across East and Southeast Asia; nearly 90% of infections are located in the U.S., Japan, South Korea, Taiwan, and Hong Kong.

Initial access is gained via unpatched vulnerabilities in internet-exposed management interfaces, commonly exploiting CVE-2015-1548 and CVE-2017-17663, which affect legacy web and SSH server software prevalent in embedded devices.

The attackers show particular preference for Ruckus Wireless and Buffalo Technology AirStation devices, with 55% of observed infections impacting Ruckus models.

Upon compromise, a custom payload known as ShortLeash is deployed. The startup bash script verifies root privileges and OS type, installing itself as a persistent system service depending on whether the infected device runs Ubuntu or CentOS.

[Figure: The core payload]

Devices running neither of those distributions output an error message in Mandarin, suggesting the attackers' possible origin and language proficiency.

ShortLeash encrypts its configuration using layered symmetric cryptography and leverages unique, self-signed TLS certificates branded to mimic the Los Angeles Police Department (LAPD), further obfuscating malicious network activity.

ShortLeash enables the device to run a fake Nginx web server for C2 communications, randomly cycling through hardcoded query strings and leveraging HTTPS for exfiltration and command relays.

Each infected node generates a unique certificate sharing common LAPD-themed metadata, aiding threat tracking but complicating automated defenses reliant on static IOCs.

Strategic Attack Patterns

Analysis of the LapDogs certificate issuance and malicious service port allocations reveals methodical, batch-based expansion campaigns.

[Figure: Compressed content]

These campaigns often target specific countries or regions at particular times, as evidenced by synchronized TLS certificate creation and port assignments across grouped infected devices.

Infections scale gradually, with each “intrusion set” typically affecting no more than 60 devices at once, and many sets focused on a single geography or ISP, indicating deliberate and strategic targeting rather than opportunistic spread.

Researchers have identified 162 discrete intrusion sets based on certificate and network analysis, with around one-third centered on a shared geographic or network theme.

Noteworthy is LapDogs’ capability to operate persistently, maintaining access to compromised nodes for extended periods, leveraging them both as attack infrastructure and as platforms for deeper network penetration.

Evidence, including embedded Mandarin messages, targeting in line with China-nexus APT interests, and operational overlaps with the previously documented actor UAT-5918, supports a moderate-confidence attribution to Chinese state-aligned threat groups.

While parallels are drawn between LapDogs and the similarly architected PolarEdge ORB, the two remain technically and operationally distinct.

The LapDogs campaign exemplifies the evolution of threat actor tradecraft; by leveraging ORB networks, adversaries confound conventional threat intelligence and IOC tracking, requiring defenders to adopt behavior-based and multi-layered detection strategies.

Security teams are urged to audit SOHO and IoT devices for legacy vulnerabilities and unusual TLS certificates, especially those presenting LAPD metadata, and to monitor for fake Nginx banners on non-standard ports.
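The two hunting signals recommended above, LAPD-themed certificate metadata and an nginx banner on a non-standard port, can be checked with a short script. This is an added example, not code from the article or from the researchers; the certificate subject values come from the article's IOC data, while the match threshold, the port list and the SAMPLE_CERT are our own constructed assumptions.

```python
import socket
import ssl

# Subject fields the article lists for the ShortLeash certificates; the
# threshold in assess() is our assumption, not a vendor-published rule.
LAPD_SUBJECT = {"commonName": "ROOT", "organizationName": "LAPD",
                "stateOrProvinceName": "California", "countryName": "US",
                "localityName": "LA", "organizationalUnitName": "Police department"}
# Map x509 OIDs to the key names ssl.getpeercert() uses (for probe()).
_OID_KEYS = {"2.5.4.3": "commonName", "2.5.4.10": "organizationName",
             "2.5.4.8": "stateOrProvinceName", "2.5.4.6": "countryName",
             "2.5.4.7": "localityName", "2.5.4.11": "organizationalUnitName"}

def flatten_subject(cert):
    """Flatten ssl.getpeercert()'s nested ((('k', 'v'),), ...) subject to a dict."""
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}

def lapd_score(cert):
    """Number of subject fields matching the LAPD-themed metadata (case-insensitive)."""
    subj = flatten_subject(cert)
    return sum(subj.get(k, "").lower() == v.lower() for k, v in LAPD_SUBJECT.items())

def suspicious_banner(server_header, port):
    """An nginx banner on a port a SOHO device would not normally serve HTTP(S) on."""
    return bool(server_header) and server_header.lower().startswith("nginx") \
        and port not in (80, 443, 8080, 8443)

def assess(cert, server_header, port, threshold=3):
    """Return the reasons a listener resembles a ShortLeash node (empty list = clean)."""
    reasons = []
    if lapd_score(cert) >= threshold:
        reasons.append("lapd-cert")
    if suspicious_banner(server_header, port):
        reasons.append("nginx-nonstd-port")
    return reasons

def probe(host, port, timeout=5):
    """Live check (network needed). Self-signed certs fail verification, so the
    DER cert is fetched raw and parsed with the third-party 'cryptography' package."""
    from cryptography import x509  # lazy import: only needed for live probing
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        der = tls.getpeercert(binary_form=True)
        tls.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        head = tls.recv(4096).decode("latin-1").split("\r\n")
    subject = [((_OID_KEYS.get(a.oid.dotted_string, a.oid.dotted_string), a.value),)
               for a in x509.load_der_x509_certificate(der).subject]
    server = next((l.split(":", 1)[1].strip() for l in head
                   if l.lower().startswith("server:")), None)
    return assess({"subject": subject}, server, port)

# Constructed sample in ssl.getpeercert() shape, mirroring the reported subject.
SAMPLE_CERT = {"subject": ((("countryName", "US"),), (("stateOrProvinceName", "California"),),
                           (("localityName", "LA"),), (("organizationName", "LAPD"),),
                           (("organizationalUnitName", "Police department"),),
                           (("commonName", "ROOT"),))}
```

Run `assess(SAMPLE_CERT, "nginx/1.18.0", 4433)` offline to see both reasons fire; `probe()` performs the same assessment against a live listener you are authorized to inspect.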

Indicators of Compromise (IOC)



Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
