TL;DR
China-linked hackers have compromised over 1,000 SOHO devices in a sophisticated espionage campaign dubbed LapDogs. This campaign, targeting regions like the United States, Japan, and Taiwan, leverages a covert network to support long-term spying operations. The malware used, ShortLeash, is designed to remain hidden and persistent, highlighting the strategic focus and precision of the attackers.
Introduction
A recent investigation by SecurityScorecard’s STRIKE team has uncovered a sophisticated cyber espionage campaign known as LapDogs. This campaign has compromised over 1,000 small office/home office (SOHO) devices, creating a hidden network to support long-term spying operations linked to China-based hacking groups.
Overview of the LapDogs Campaign
Security researchers at SecurityScorecard have identified a novel and prolonged espionage infrastructure campaign dubbed LapDogs. This campaign involves over 1,000 compromised SOHO devices, forming an Operational Relay Box (ORB) network used to support long-term cyber espionage activities.
“SecurityScorecard’s STRIKE team has identified a previously unreported Operational Relay Box (ORB) Network—LapDogs—a novel and prolonged espionage infrastructure campaign that marks yet another instance of China-Nexus cyber actors leveraging ORB Networks.” [1]
Targeted Regions and Links to APT Groups
The LapDogs campaign has targeted regions such as Japan, South Korea, Hong Kong, and Taiwan, with a strategic focus on these areas. Researchers have linked this campaign to the China-based APT group UAT-5918 based on evidence and victim profiles.
Malware Analysis: ShortLeash
The STRIKE team, with the help of a third party, recovered a Linux-based ShortLeash malware sample and its startup Bash script. This malware closely matches another variant used in attacks on Taiwan’s critical infrastructure.
Key Features of ShortLeash
- Root Access Requirement: The script requires root access and checks if the system runs Ubuntu or CentOS, installing itself accordingly to ensure persistence.
- Encryption and Obfuscation: The malware’s core payload is encrypted in two layers with different decryption keys, revealing certificates, private keys, and a URL after decryption.
- Persistence Mechanism: Once installed, the script renames and replaces a system service to stay hidden and persistent.
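One way a defender can hunt for the rename-and-replace persistence described above, as an added example (not the report's or the malware's code); the unit records, paths and thresholds are constructed assumptions, and on a real host the records would be built from `systemctl list-unit-files`, `stat` and `dpkg -S` / `rpm -qf`:

```python
"""Audit systemd units for the rename-and-replace persistence pattern above.
Added example, not SecurityScorecard's code. Records are constructed; on a
real Ubuntu/CentOS host build them from the system's own package manager."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class UnitRecord:
    name: str               # e.g. "cron.service"
    unit_path: str          # path of the unit file systemd actually loads
    exec_start: str         # binary the unit launches
    binary_pkg_owned: bool  # True if dpkg -S / rpm -qf claims exec_start
    unit_mtime: datetime    # mtime of the unit file (UTC)

ADMIN_DIR = "/etc/systemd/system/"   # units here override vendor units of the same name

def audit_units(records, vendor_unit_names, now, recent=timedelta(days=30)):
    """Return (unit name, reasons) for units showing at least two suspicious signals.
    Two signals are required so a legitimate admin override alone is not flagged."""
    findings = []
    for r in records:
        reasons = []
        if r.unit_path.startswith(ADMIN_DIR) and r.name in vendor_unit_names:
            reasons.append("shadows vendor unit of the same name")
        if not r.binary_pkg_owned:
            reasons.append("ExecStart binary not owned by any package")
        if now - r.unit_mtime < recent:
            reasons.append("unit file written recently")
        if len(reasons) >= 2:
            findings.append((r.name, "; ".join(reasons)))
    return findings

# Constructed sample host state (hypothetical paths, not indicators from the report).
NOW = datetime(2025, 6, 28, tzinfo=timezone.utc)
VENDOR_UNITS = {"ssh.service", "rsyslog.service", "cron.service"}
SAMPLE_UNITS = [
    UnitRecord("ssh.service", "/lib/systemd/system/ssh.service",
               "/usr/sbin/sshd", True, NOW - timedelta(days=400)),
    # Legitimate admin override: shadows the vendor unit but nothing else is off.
    UnitRecord("rsyslog.service", ADMIN_DIR + "rsyslog.service",
               "/usr/sbin/rsyslogd", True, NOW - timedelta(days=200)),
    # Replaced service launching an unpackaged binary from a hidden directory.
    UnitRecord("cron.service", ADMIN_DIR + "cron.service",
               "/usr/local/lib/.cache/crond", False, NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    for name, why in audit_units(SAMPLE_UNITS, VENDOR_UNITS, NOW):
        print(f"{name}: {why}")
```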
Vulnerable Devices and Exploited Flaws
LapDogs is not restricted to any single hardware or firmware vendor. Confirmed targeted devices include models from ASUS, D-Link, Microsoft, Panasonic, Synology, and more. Many of these devices are vulnerable to known flaws such as CVE-2015-1548 and CVE-2017-17663, both linked to outdated mini_httpd web servers.
Patterns and Group Analysis
By analyzing certificate creation times and unique port numbers, researchers identified clear patterns in the LapDogs campaign. Using AI and large language models, they sorted the compromised devices into 162 distinct groups, many of which showed targeted behavior.
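A small version of the grouping step described above, as an added example rather than the STRIKE team's tooling: it buckets observed TLS endpoints by listening port and by certificate notBefore times that fall close together. The hosts, ports and the ten-minute window are constructed assumptions, not indicators from the report.

```python
"""Group observed TLS endpoints by listening port and certificate creation time,
the two pivots the researchers used. Added example, not STRIKE's tooling; the
hits below are constructed and are not LapDogs indicators."""
from collections import defaultdict
from datetime import datetime

# Constructed scan records: (host label, port, certificate notBefore in UTC).
HITS = [
    ("host-a", 8443, "2024-03-02T11:14:05Z"),
    ("host-b", 8443, "2024-03-02T11:14:07Z"),
    ("host-c", 8443, "2024-03-02T11:16:40Z"),
    ("host-d", 9443, "2024-03-02T11:14:06Z"),
    ("host-e", 8443, "2024-05-19T02:00:00Z"),
    ("host-f",  443, "2024-05-19T02:00:01Z"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def group_hits(hits, window_s=600):
    """Return [(port, [hosts])]. Within a port, hits are sorted by notBefore and
    chained into one group while each gap to the previous hit is <= window_s
    seconds; certificates minted seconds apart on one non-standard port point
    to a common tooling run, which is what the report's grouping looks for."""
    by_port = defaultdict(list)
    for host, port, ts in hits:
        by_port[port].append((parse_ts(ts), host))
    groups = []
    for port, items in by_port.items():
        items.sort()
        current = [items[0]]
        for ts, host in items[1:]:
            if (ts - current[-1][0]).total_seconds() <= window_s:
                current.append((ts, host))
            else:
                groups.append((port, [h for _, h in current]))
                current = [(ts, host)]
        groups.append((port, [h for _, h in current]))
    return groups

def largest_groups(hits, min_size=2, window_s=600):
    """Only groups with at least min_size members, biggest first."""
    return sorted((g for g in group_hits(hits, window_s) if len(g[1]) >= min_size),
                  key=lambda g: -len(g[1]))

if __name__ == "__main__":
    for port, hosts in largest_groups(HITS):
        print(f"port {port}: {len(hosts)} hosts -> {hosts}")
```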
Key Takeaways
- Growth and Scale: LapDogs has been growing since at least September 2023, with most intrusion sets being small but strategically focused.
- Geographic Focus: Attackers clearly favor certain countries and regions, especially the U.S. and Southeast Asia.
- Long-Term Planning: Many intrusion sets center around specific locations, indicating careful planning and long-term goals.
Comparison with PolarEdge
The ORB network shares some traits with the PolarEdge campaign, which exploits routers and IoT devices. However, LapDogs differs in its infection methods, persistence mechanisms, and broader targeting, which includes VPSs and Windows machines.
“While PolarEdge has only reportedly targeted router devices or similar embedded devices, we have observed ShortLeash with a Linux variant that is capable of running on virtual private servers (VPSs), routers, and IoT devices by adjusting the installation process to native OS in the compromised environment.” [2]
Attribution and Implications
Attributing LapDogs to a single threat actor is challenging due to the shared nature of ORB networks. However, the campaign’s focus on Southeast Asia and the U.S., along with Mandarin code in its startup script, suggests a link to China-based actors.
“LapDogs is a gradually growing Operational Relay Box (ORB) Network, which we assess China-Nexus threat actors are using to conduct targeted operations around the globe.” [3]
Conclusion
LapDogs represents a deliberate and evolving campaign with both strategic and tactical precision. As China-linked threat actors continue to leverage ORB networks for covert operations, security teams must remain vigilant and adapt their strategies to counter these emerging threats.
References
1. SecurityScorecard (2025). “Unmasking a New China-Linked Covert ORB Network Inside the LapDogs Campaign”. SecurityScorecard. Retrieved 2025-06-28.
2. Sekoia (2023). “PolarEdge: Unveiling an Uncovered IoT Botnet”. Sekoia. Retrieved 2025-06-28.
3. SecurityScorecard (2025). “Unmasking a New China-Linked Covert ORB Network Inside the LapDogs Campaign”. SecurityScorecard. Retrieved 2025-06-28.