Over 1,000 SOHO devices were hacked in a China-linked spying campaign called LapDogs, forming a covert network to support cyber espionage.
Security researchers at SecurityScorecard’s STRIKE team have uncovered a cyber espionage campaign, dubbed LapDogs, involving over 1,000 hacked SOHO (small office/home office) devices. These compromised devices formed a hidden network, called an Operational Relay Box (ORB), used to support long-term spying operations linked to China-nexus hacking groups.
“SecurityScorecard’s STRIKE team has identified a previously unreported Operational Relay Box (ORB) Network—LapDogs—a novel and prolonged espionage infrastructure campaign that marks yet another instance of China-Nexus cyber actors leveraging ORB Networks.” reads the report published by SecurityScorecard. “Targets are highly localized in the United States and Southeast Asia, particularly Japan, South Korea, Hong Kong, and Taiwan.”
LapDogs targeted regions like Japan and Taiwan in different waves, showing strategic focus. The researchers linked the campaign to China-based APT UAT-5918 based on evidence and victim profiles.
The STRIKE team, with help from a third party, recovered a Linux-based ShortLeash malware sample and its startup Bash script. They found it closely matches another variant used in attacks on Taiwan’s critical infrastructure.
The script requires root access, checks if the system runs Ubuntu or CentOS, and installs itself accordingly to ensure it runs on every reboot. If the OS is unrecognized, it shows a Mandarin message saying “Unknown System.”
Once installed, the script renames and replaces a system service to stay hidden and persistent.
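The installation behaviour described above (root-only install, Ubuntu/CentOS detection, a renamed or replaced service for persistence) leaves a footprint a defender can look for: a service definition whose modification time is newer than the rest of the host's service files and that no installed package owns. The following is an added, hypothetical audit script written for this article; it is not ShortLeash analysis code or SecurityScorecard tooling. The service directories, the seven-day window and the dpkg/rpm ownership lookup are assumptions chosen to match the Ubuntu/CentOS split the article reports.

```python
"""Audit service definition directories for recently changed unit files.

Hypothetical defender-side check written for this article, not ShortLeash
analysis code or SecurityScorecard tooling. A persistence mechanism that
installs a new service or replaces an existing one leaves a unit or init file
whose modification time is newer than the rest of the host's service files and
which, on a packaged system, no package claims to own.
"""
import os
import shutil
import subprocess
import time
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Locations where Ubuntu (dpkg) and CentOS (rpm) hosts keep service definitions.
DEFAULT_SERVICE_DIRS = (
    "/etc/systemd/system",
    "/usr/lib/systemd/system",
    "/lib/systemd/system",
    "/etc/init.d",
)


@dataclass
class Finding:
    path: str
    age_days: float
    package: Optional[str]  # None when no installed package owns the file


def package_owner(path: str) -> Optional[str]:
    """Return the package that owns path via dpkg (Ubuntu) or rpm (CentOS).

    Returns None when neither tool is present or when neither claims the file,
    so unowned files surface for a manual look.
    """
    if shutil.which("dpkg"):
        cmd = ["dpkg", "-S", path]
    elif shutil.which("rpm"):
        cmd = ["rpm", "-qf", path]
    else:
        return None
    result = subprocess.run(cmd, capture_output=True, text=True)
    if result.returncode != 0 or not result.stdout.strip():
        return None
    # dpkg prints "pkg: /path"; rpm prints "pkg-version-release.arch".
    return result.stdout.splitlines()[0].split(":")[0].strip()


def recent_service_files(
    dirs: Iterable[str] = DEFAULT_SERVICE_DIRS,
    max_age_days: float = 7.0,
    now: Optional[float] = None,
    owner_lookup: Callable[[str], Optional[str]] = package_owner,
) -> List[Finding]:
    """List service files (regular files and symlinks) modified within max_age_days.

    Results are sorted newest first. `now` and `owner_lookup` are parameters so
    the check can be run against a test tree without touching dpkg/rpm.
    """
    now = time.time() if now is None else now
    findings: List[Finding] = []
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for entry in os.scandir(directory):
            if entry.is_dir(follow_symlinks=False):
                continue  # skip subdirectories such as *.wants/
            # lstat so a swapped-in symlink is judged by its own timestamp
            mtime = entry.stat(follow_symlinks=False).st_mtime
            age_days = (now - mtime) / 86400.0
            if age_days <= max_age_days:
                findings.append(Finding(entry.path, round(age_days, 2), owner_lookup(entry.path)))
    findings.sort(key=lambda f: f.age_days)
    return findings


def unowned(findings: List[Finding]) -> List[Finding]:
    """Narrow a result set to files no package claims, the ones worth opening first."""
    return [f for f in findings if f.package is None]


if __name__ == "__main__":
    for f in recent_service_files(max_age_days=30):
        owner = f.package or "UNOWNED"
        print(f"{f.age_days:6.2f} days  {owner:20s} {f.path}")
```

Run it as root so every directory is readable; a legitimate package upgrade also produces recent, owned unit files, which is why the unowned subset is the place to start rather than the whole list.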
The malware’s core payload is encrypted in two layers with different decryption keys. After decryption and decompression, it reveals certificates, private keys, and a URL. It mimics Nginx server responses and randomly switches query parameters when contacting its command-and-control server.
This ShortLeash backdoor acts as the backbone of the LapDogs cyber-espionage network. Analysis of its full capabilities is still ongoing.
LapDogs’ ShortLeash malware targets a wide range of hardware and firmware vendors without vendor restrictions. Confirmed targeted devices include models from ASUS, D-Link, Microsoft, Panasonic, Synology, and more. Infection depends only on OS compatibility, not hardware type, making many SOHO devices vulnerable. Systems running services like GoAhead web apps, WRT admin panels, and IIS are especially at risk.
SecurityScorecard researchers found that many devices in the LapDogs network are vulnerable to known flaws like CVE-2015-1548 and CVE-2017-17663, linked to outdated mini_httpd servers. Most infected devices run lightweight web servers (e.g., lighttpd, mini_httpd) typical of embedded systems. Ruckus devices often include outdated “GoAhead” web apps and old Dropbear SSH builds. Many others run decades-old, unpatched versions of ACME mini_httpd and insecure SSH services, making them easy targets.
By analyzing certificate creation times and unique port numbers, the researchers identified clear patterns in the LapDogs cyber campaign. Using AI and large language models, they sorted the compromised devices into 162 distinct groups, many of which showed targeted behavior.
They discovered that most certificates within a group were generated just 1.8 seconds apart, a cadence that points to automated infection rather than hands-on, manual compromise. Although 53 groups had only one target, the overall data still pointed to organized and scalable operations.
The researchers looked deeper into similarities between group members, focusing on geographic location and internet providers. They found that these two factors were strongly linked. In 37 of the 109 multi-device groups, over 95% of the members shared the same ISP or location—sometimes even the same city.
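The two signals described in the preceding paragraphs, near-constant spacing between certificate creation times within a group and groups whose members overwhelmingly share an ISP or location, are simple to compute once scan observations carry those fields. The script below is an added example written for this article, not SecurityScorecard's pipeline: the records are constructed observations (documentation IP ranges, invented subjects and ISP names), the grouping key (port plus certificate subject) is an assumption standing in for whatever fingerprint the analysts used, and the 10-second automation cutoff is likewise an assumption; the 1.8 s spacing and the 95% homogeneity threshold come from the article.

```python
"""Group observed TLS certificates and test for automated issuance and locality.

Added example, not SecurityScorecard's pipeline. Records are constructed scan
observations (documentation IP ranges, invented subjects and ISPs) carrying the
fields the article says the analysis used: certificate creation time, port,
ISP and country. Groups are keyed on (port, subject) here; any key that
collects suspected sibling nodes works the same way.
"""
import statistics
from collections import Counter, defaultdict
from datetime import datetime
from typing import Any, Dict, List, Tuple

# Thresholds: the article reports ~1.8 s between sibling certificates and groups
# in which >= 95% of members share an ISP or location. The 10 s cutoff is an assumption.
AUTOMATED_MAX_GAP_S = 10.0
SHARE_THRESHOLD = 0.95

# Constructed observations (not real indicators). Timestamps are UTC ISO 8601.
SAMPLE: List[Dict[str, Any]] = [
    {"ip": "203.0.113.10", "port": 8443, "subject": "CN=example-a", "not_before": "2024-03-01T10:00:00.000+00:00", "isp": "ExampleNet", "country": "JP"},
    {"ip": "203.0.113.11", "port": 8443, "subject": "CN=example-a", "not_before": "2024-03-01T10:00:01.800+00:00", "isp": "ExampleNet", "country": "JP"},
    {"ip": "203.0.113.12", "port": 8443, "subject": "CN=example-a", "not_before": "2024-03-01T10:00:03.600+00:00", "isp": "ExampleNet", "country": "JP"},
    {"ip": "203.0.113.13", "port": 8443, "subject": "CN=example-a", "not_before": "2024-03-01T10:00:05.400+00:00", "isp": "ExampleNet", "country": "JP"},
    {"ip": "198.51.100.5", "port": 9443, "subject": "CN=example-b", "not_before": "2024-03-05T08:00:00.000+00:00", "isp": "ExampleNet", "country": "JP"},
    {"ip": "198.51.100.6", "port": 9443, "subject": "CN=example-b", "not_before": "2024-03-20T17:30:00.000+00:00", "isp": "OtherNet", "country": "TW"},
    {"ip": "198.51.100.7", "port": 9443, "subject": "CN=example-b", "not_before": "2024-04-11T02:15:00.000+00:00", "isp": "ExampleNet", "country": "KR"},
    {"ip": "192.0.2.40", "port": 8443, "subject": "CN=example-c", "not_before": "2024-05-02T12:00:00.000+00:00", "isp": "ThirdNet", "country": "US"},
]

GroupKey = Tuple[int, str]


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing 'Z' is normalised for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def group_records(records, key=lambda r: (r["port"], r["subject"])) -> Dict[GroupKey, List[Dict[str, Any]]]:
    """Bucket observations by the chosen fingerprint key."""
    groups = defaultdict(list)
    for rec in records:
        groups[key(rec)].append(rec)
    return dict(groups)


def issuance_gaps(members) -> List[float]:
    """Seconds between consecutive certificate creation times, in time order."""
    times = sorted(parse_ts(m["not_before"]) for m in members)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def looks_automated(gaps, max_gap_s=AUTOMATED_MAX_GAP_S) -> bool:
    """True when a multi-member group's certificates were all minted within max_gap_s of each other."""
    return bool(gaps) and max(gaps) <= max_gap_s


def share_of_majority(members, field) -> float:
    """Fraction of members holding the group's most common value for field."""
    counts = Counter(m[field] for m in members)
    return counts.most_common(1)[0][1] / len(members)


def summarize(records, max_gap_s=AUTOMATED_MAX_GAP_S, share_threshold=SHARE_THRESHOLD):
    """One summary row per group: size, issuance cadence and ISP/country homogeneity."""
    out = []
    for key, members in group_records(records).items():
        gaps = issuance_gaps(members)
        isp_share = share_of_majority(members, "isp")
        country_share = share_of_majority(members, "country")
        out.append({
            "key": key,
            "size": len(members),
            "median_gap_s": statistics.median(gaps) if gaps else None,
            "automated": looks_automated(gaps, max_gap_s),
            "isp_share": isp_share,
            "country_share": country_share,
            # Singletons are excluded: one member trivially shares everything with itself.
            "localized": len(members) > 1 and max(isp_share, country_share) >= share_threshold,
        })
    return out


if __name__ == "__main__":
    for g in summarize(SAMPLE):
        print(g)
```

On the constructed sample, group a (four certificates 1.8 s apart, one ISP, one country) is flagged as both automated and localized, group b (weeks apart, mixed ISPs and countries) is neither, and the single-member group c is left unflagged, matching the article's point that singleton groups carry little signal on their own.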
Key takeaways:
- LapDogs has slowly grown since at least September 2023.
- Most intrusion sets are small, with fewer than 60 infected devices.
- Attackers clearly favor certain countries and regions, especially the U.S. and Southeast Asia.
- Many intrusion sets center around specific locations, showing careful planning and long-term goals.
In short, LapDogs is not a random or opportunistic effort; it is a deliberate, evolving campaign with both strategic and tactical precision.

The ORB network shares some traits with PolarEdge, a campaign spotted by Sekoia exploiting routers and IoT devices since late 2023. However, LapDogs and PolarEdge remain distinct campaigns. They differ in how they infect systems and maintain persistence, and LapDogs targets more broadly, including VPSs and Windows machines.
“While PolarEdge has only reportedly targeted router devices or similar embedded devices, we have observed ShortLeash with a Linux variant that is capable of running on virtual private servers (VPSs), routers and IoT devices by adjusting the installation process to native OS in the compromised environment.” continues the report. “We have also observed a Microsoft Windows variant, of which our scanners were able to find examples of active nodes running a Windows server (and even Windows XP).”
Attributing LapDogs to a single threat actor isn’t easy, since ORB networks often get shared across multiple groups. Cisco Talos links UAT-5918 to China-based espionage, and LapDogs reinforces that theory, especially with the Mandarin-language message in its startup script and its focus on Southeast Asia and the U.S. Based on this, it’s likely that China-linked actors use LapDogs, and UAT-5918 likely used it during operations against targets in Taiwan. However, the experts don’t yet know whether UAT-5918 controls the network or simply used it, and other actors might also gain access in the future.
“LapDogs is a gradually growing Operational Relay Box (ORB) Network, which we assess China-Nexus threat actors are using to conduct a targeted operation around the globe. This campaign shows a surging interest from China-Nexus threat actors in using ORB Networks to conduct covert intrusion campaigns both around the globe and tailored to specific victims of interest.” SecurityScorecard concludes. “With an increasing interest in this approach, security teams should be on alert that China-Nexus threat actors are disrupting traditional playbooks for IOC tracking, response, and remediation.”
Pierluigi Paganini