A major cyber espionage operation dubbed “LapDogs” has been uncovered, targeting more than 1,000 SOHO (Small Office/Home Office) devices to create a covert Operational Relay Box (ORB) network used by China-affiliated hackers. The campaign, attributed to the China-nexus group UAT‑5918, leverages outdated devices across the U.S. and Asia for advanced surveillance and data exfiltration.
ShortLeash Backdoor: The Core Weapon
According to a cybersecurity firm’s STRIKE team, the operation uses a custom backdoor dubbed ShortLeash to hijack devices like routers, DVRs, and NAS systems from brands including Cisco, D-Link, ASUS, Synology, and Panasonic.
ShortLeash sets up a fake Nginx server with a TLS certificate falsely issued by “LAPD” (Los Angeles Police Department), the detail that inspired the campaign’s codename, LapDogs. The malware achieves persistence by installing itself as a .service file with root privileges, activating on system reboot.
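For defenders, the certificate detail above is the most actionable indicator in the report. The following added example (not code from the original article or from the LapDogs research) applies that check to certificate data in the dictionary shape Python's ssl.SSLSocket.getpeercert() returns; the sample certificates, hosts and the "Los Angeles Police" variant are constructed assumptions, while the "LAPD" issuer string comes from the article.

```python
# Added hunting example; not code from the original article or the LapDogs research.
# Input is the dictionary shape Python's ssl.SSLSocket.getpeercert() returns:
# 'issuer' and 'subject' are tuples of RDNs, each RDN a tuple of (attribute, value) pairs.

# Issuer strings a legitimate CA would never use. "LAPD" is the spoofed issuer the
# article reports on ShortLeash's fake Nginx listener; the second form is an assumption.
SUSPECT_ISSUER_TOKENS = ("LAPD", "Los Angeles Police")


def _name_to_dict(rdn_sequence):
    """Flatten getpeercert()'s nested issuer/subject tuples into {attribute: value}."""
    flat = {}
    for rdn in rdn_sequence:
        for attribute, value in rdn:
            flat[attribute] = value
    return flat


def assess_certificate(cert):
    """Return hunting findings (empty list means nothing suspicious) for one certificate."""
    findings = []
    issuer = _name_to_dict(cert.get("issuer", ()))
    subject = _name_to_dict(cert.get("subject", ()))
    issuer_text = " ".join(issuer.values()).lower()
    for token in SUSPECT_ISSUER_TOKENS:
        if token.lower() in issuer_text:
            findings.append(f"issuer claims to be '{token}', which is not a certificate authority")
    if issuer and issuer == subject:
        findings.append("self-signed certificate (issuer equals subject)")
    return findings


def triage(certs_by_host):
    """Return, sorted, the hosts whose certificate raised at least one finding."""
    return sorted(host for host, cert in certs_by_host.items() if assess_certificate(cert))


# Constructed sample data: RFC 5737 documentation addresses, not real observations.
SAMPLE_CERTS = {
    "192.0.2.10": {  # mimics the LapDogs indicator: LAPD-issued and self-signed
        "subject": ((("organizationName", "LAPD"),), (("commonName", "LAPD"),)),
        "issuer": ((("organizationName", "LAPD"),), (("commonName", "LAPD"),)),
    },
    "192.0.2.20": {  # ordinary CA-issued certificate, should raise nothing
        "subject": ((("commonName", "router.example"),),),
        "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Root"),)),
    },
}

if __name__ == "__main__":
    for host in triage(SAMPLE_CERTS):
        print(host, assess_certificate(SAMPLE_CERTS[host]))
```

On a live inventory, feed the dictionaries collected from your own devices' TLS listeners into triage() and review every flagged host's systemd unit files for the root-level .service persistence the article describes.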
Widespread Infection Across Regions and Sectors
The campaign is active in the United States, Taiwan, Japan, South Korea, Hong Kong, and Southeast Asia. Sectors affected include IT, networking, real estate, and media.
Exploiting N-Day Flaws for Initial Access
Attackers weaponize known vulnerabilities such as:
- CVE‑2015‑1548
- CVE‑2017‑17663
These flaws affect older firmware in SOHO devices, allowing remote access without detection. In some cases, Windows artifacts of ShortLeash have also been found, indicating cross-platform targeting.
Each intrusion wave infects no more than 60 devices at a time, but since September 2023, at least 162 intrusion sets have been tracked.
ORB Networks: More Than Just Botnets
Unlike typical botnets, ORB networks are versatile cyber tools. SecurityScorecard describes them as “Swiss Army knives” of hacking infrastructure, capable of:
- Actor obfuscation and anonymized browsing
- Port and vulnerability scanning
- Command-and-control (C2) relay operations
- Reconfiguring compromised nodes into attack launchpads
This mirrors methods seen in previous reports from Google Mandiant, SentinelOne, and Sygnia, indicating a growing shift toward ORB infrastructure by Chinese APTs.
LapDogs vs. PolarEdge
Although LapDogs shares similarities with the PolarEdge campaign documented by Sekoia, it’s assessed as a distinct entity due to:
- Different persistence mechanisms
- Broader targeting (includes VPS and Windows)
- Varying infection methods
Global Threat Outlook
With medium confidence, researchers tie UAT‑5918 to at least one LapDogs campaign against Taiwan. However, it remains unclear whether the group operates the network or rents it out, suggesting possible service-based cyber ops.
Security analysts warn that ORB networks are the future of state-aligned espionage, combining stealth, adaptability, and persistence, making them much harder to detect and dismantle.
About the author – Ayush Chaurasia is a postgraduate student passionate about cybersecurity, threat hunting, and global affairs. He explores the intersection of technology, psychology, national security, and geopolitics through insightful writing.