Saturday, February 14, 2026

Covert Cyberstrike – LapDogs Hackers Exploit 1,000 SOHO Devices with Custom Backdoor

SecurityScorecard’s STRIKE team has uncovered a highly organized and stealthy cyber espionage campaign codenamed “LapDogs,” which targets small office and home office (SOHO) devices worldwide.

More than 1,000 devices have been infected by a custom backdoor malware known as “ShortLeash,” as part of a suspected China-orchestrated operation.

The LapDogs ORB Network and Its Stealthy Tactics

In a recent detailed report, SecurityScorecard reveals that the LapDogs espionage campaign is leveraging a complex network known as an Operational Relay Box (ORB) Network.

ORB networks are rapidly gaining popularity among nation-state hackers thanks to their ability to provide persistent, covert infrastructure without triggering alarms.

Unlike traditional botnets, which may launch noisy attacks, ORBs hijack devices to silently relay malicious traffic, making detection and attribution particularly challenging.

LapDogs began operations as early as September 2023, according to forensic data. Its operators use the ShortLeash malware to gain a foothold on compromised devices, then commandeer them to create a resilient, globally distributed network.

The malware generates self-signed TLS certificates; shockingly, some are marked “LAPD,” a likely attempt to spoof the Los Angeles Police Department and confuse investigators.
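A hunting check a defender could run over passive TLS certificate logs, added here as an illustration and not taken from the SecurityScorecard report: it flags self-signed certificates whose subject or issuer carries the "LAPD" string, while treating self-signed certificates alone as normal SOHO noise. The JSON-lines layout, the field names and the sample records are constructed assumptions, not the format of any particular tool.

```python
import json

# Constructed sample records, loosely modelled on a passive TLS/x509 log.
# Field names are assumed for this example; adapt them to your own sensor.
SAMPLE_LOG = """\
{"ts": "2025-05-01T10:00:00Z", "src_ip": "203.0.113.10", "fingerprint": "aa11", "subject": "CN=LAPD,O=LAPD,C=US", "issuer": "CN=LAPD,O=LAPD,C=US"}
{"ts": "2025-05-01T10:05:00Z", "src_ip": "203.0.113.11", "fingerprint": "bb22", "subject": "CN=router.local", "issuer": "CN=router.local"}
{"ts": "2025-05-01T10:07:00Z", "src_ip": "203.0.113.12", "fingerprint": "cc33", "subject": "CN=www.example.com", "issuer": "CN=R3,O=Let's Encrypt,C=US"}
{"ts": "2025-05-01T10:09:00Z", "src_ip": "203.0.113.13", "fingerprint": "dd44", "subject": "CN=lapd-vpn,O=Los Angeles Police Department", "issuer": "CN=Corp Root CA"}
"""

# Strings worth a second look in a certificate DN; "LAPD" is the marker the report describes.
SUSPICIOUS_MARKERS = ("lapd",)


def _norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: lowercase, trimmed components."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_self_signed(record: dict) -> bool:
    """A certificate is self-signed when its issuer DN equals its subject DN."""
    return _norm_dn(record["subject"]) == _norm_dn(record["issuer"])


def has_marker(record: dict, markers=SUSPICIOUS_MARKERS) -> bool:
    """True if any suspicious marker appears in the subject or issuer DN."""
    text = (record["subject"] + " " + record["issuer"]).lower()
    return any(m in text for m in markers)


def hunt(log_text: str, markers=SUSPICIOUS_MARKERS) -> list[dict]:
    """Triage certificate records.

    high: self-signed AND carries a marker (the pattern described for ShortLeash).
    low:  marker present but issued by some CA (worth review, may be legitimate).
    Self-signed with no marker is not reported: common on SOHO gear, too noisy.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        marker = has_marker(rec, markers)
        if marker and is_self_signed(rec):
            hits.append({**rec, "severity": "high"})
        elif marker:
            hits.append({**rec, "severity": "low"})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["severity"], hit["src_ip"], hit["fingerprint"], hit["subject"])
```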

Over 1,000 infected nodes have been identified, predominantly in the United States, Japan, South Korea, Hong Kong, and Taiwan.

The targeting is highly localized, suggesting organized and deliberate tasking for each campaign wave.

When operators targeted Japan, for example, analysts observed a spike in activity tied specifically to devices in that country; another spike was noted for Taiwan on a different date.

Technical Insights and Targeted Sectors

ShortLeash allows attackers to maintain persistent access, exfiltrate sensitive data, and execute additional payloads on infected machines.

By targeting SOHO devices, a segment often overlooked by corporate IT teams, the group maintains a low profile and evades many conventional security measures.

Victims span several sectors, including real estate, IT, networking, and media. The attackers’ meticulous planning is evident in the structured nature of their campaigns, which launch in waves tailored to specific regions and industries.

Forensically, SecurityScorecard found evidence, including Mandarin coder notes and bespoke attacker tooling, which solidified the hypothesis of China-linked threat actor involvement.

The team also links the operation to the advanced persistent threat (APT) group UAT-5918.

Security Implications and Recommendations

The LapDogs campaign is a stark reminder of the evolving tactics used by cyber espionage groups tied to nation-states.

By leveraging ORB networks and custom malware, these actors are making traditional indicators of compromise (IOC) tracking less effective.

SecurityScorecard recommends heightened vigilance for organizations using SOHO devices and calls for a proactive approach to threat hunting and incident response.

SecurityScorecard’s STRIKE Team is available for incident response, providing access to a vast repository of cybersecurity signals and expertise in dealing with threats that bypass conventional defenses.

Organizations are advised to review their third-party security posture and monitor for signs of compromise in small office/home office (SOHO) environments.

The full report is available for further reading, shedding more light on the technical underpinnings and global implications of the LapDogs ORB network.
