LapDogs Hackers Leverage 1,000 SOHO Devices Using a Custom Backdoor to Act Covertly

A sophisticated China-linked cyber espionage campaign has emerged, targeting over 1,000 Small Office/Home Office (SOHO) devices worldwide through an advanced Operational Relay Box (ORB) network dubbed “LapDogs.”

This covert infrastructure operation, active since September 2023, represents a significant evolution in nation-state cyber warfare tactics, utilizing compromised devices not for disruptive attacks but as stealthy, long-term operational infrastructure.

The campaign demonstrates remarkable geographical precision, with targets highly concentrated in the United States and Southeast Asia, particularly Japan, South Korea, Hong Kong, and Taiwan.


Unlike traditional botnets that launch noisy, attention-grabbing attacks, the LapDogs network operates with surgical precision, maintaining infected devices that continue functioning normally while serving as covert relay points for malicious activities.

This approach makes detection and attribution exceptionally challenging for cybersecurity professionals.

SecurityScorecard analysts identified this previously unreported threat through extensive forensic analysis, revealing distinct operational patterns that suggest highly focused, goal-oriented attackers.

The researchers discovered evidence of deliberate campaign growth, with attackers launching intrusion waves targeting specific regions through well-planned intrusion sets over time.

Forensic evidence, including Mandarin-language coder notes and victimology patterns, led SecurityScorecard's STRIKE team analysts to assess that the LapDogs infrastructure has been used by the Advanced Persistent Threat group tracked as UAT-5918.

The ShortLeash Backdoor: Technical Architecture and Persistence Mechanisms

The LapDogs campaign’s technical sophistication centers around “ShortLeash,” a custom backdoor malware specifically designed for establishing persistent footholds on compromised SOHO devices.

This malware employs a particularly clever obfuscation technique: it generates self-signed TLS certificates that present as "LAPD," apparently referencing the Los Angeles Police Department to give the listener plausible cover.

The certificate generation patterns revealed over 1,000 actively infected nodes globally, with distinct spikes corresponding to micro-intrusion campaigns targeting specific geographical regions.
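Because the certificate pattern is what exposed the infected nodes, a defender can hunt for it the same way. The following is an added illustration, not SecurityScorecard's tooling or anything from the report: it reads certificate summaries in the shape `openssl x509 -noout -subject -issuer -startdate` prints, flags those that are both self-signed and carry the cover name in the subject, and buckets hits by ISO week so a wave of freshly minted certificates stands out. The sample records are constructed, and the assumption that "LAPD" appears in the subject's O or CN attribute is mine (the report only says the certificates present as "LAPD").

```python
"""Hunt for self-signed certificates that imitate a cover identity and bucket
hits by ISO week to expose intrusion waves.

Added example, not the report's or SecurityScorecard's code.  Assumptions:
input records look like `openssl x509 -noout -subject -issuer -startdate`
output, and the cover string sits in the subject's O or CN attribute.
"""
from collections import Counter
from datetime import datetime

COVER_TOKENS = ("LAPD",)        # cover identity named in the report
FIELDS_TO_CHECK = ("O", "CN")   # assumed attributes; adjust to what your scan shows

# Constructed sample records (not real scan data).
SAMPLE_RECORDS = [
    "subject=C = US, O = LAPD, CN = LAPD\n"
    "issuer=C = US, O = LAPD, CN = LAPD\n"
    "notBefore=Mar  4 09:12:44 2024 GMT",
    "subject=C = US, O = LAPD, CN = router-admin\n"
    "issuer=C = US, O = LAPD, CN = router-admin\n"
    "notBefore=Mar  6 22:01:09 2024 GMT",
    # legitimately CA-issued certificate: must not be flagged
    "subject=CN = www.example.com\n"
    "issuer=C = US, O = Let's Encrypt, CN = R3\n"
    "notBefore=Mar  5 00:00:00 2024 GMT",
    # ordinary self-signed SOHO management UI: self-signed alone is not a hit
    "subject=O = Home Router, CN = 192.168.1.1\n"
    "issuer=O = Home Router, CN = 192.168.1.1\n"
    "notBefore=Mar  7 12:00:00 2024 GMT",
    "subject=C = US, O = LAPD, CN = LAPD\n"
    "issuer=C = US, O = LAPD, CN = LAPD\n"
    "notBefore=Jun 10 03:30:15 2024 GMT",
]


def parse_rdn(value):
    """'C = US, O = LAPD, CN = LAPD' -> {'C': 'US', 'O': 'LAPD', 'CN': 'LAPD'}.
    Naive split on commas; attribute values containing commas would need
    a real X.509 parser."""
    attrs = {}
    for part in value.split(","):
        if "=" in part:
            key, _, val = part.partition("=")
            attrs[key.strip()] = val.strip()
    return attrs


def parse_record(text):
    """Turn one openssl-style summary into subject/issuer dicts plus notBefore."""
    rec = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")   # split only at the first '='
        if key in ("subject", "issuer"):
            rec[key] = parse_rdn(value)
        elif key == "notBefore":
            normalized = " ".join(value.split())  # collapse openssl's padded day
            rec["not_before"] = datetime.strptime(normalized, "%b %d %H:%M:%S %Y GMT")
    return rec


def is_self_signed(rec):
    return rec["subject"] == rec["issuer"]


def uses_cover_name(rec):
    for field in FIELDS_TO_CHECK:
        value = rec["subject"].get(field, "").upper()
        if any(token in value for token in COVER_TOKENS):
            return True
    return False


def assess(rec):
    """Return the reasons a record is flagged; an empty list means clean.
    Both conditions are required: self-signed certificates are normal on
    SOHO gear, and a CA-issued cert naming 'LAPD' is not the pattern described."""
    reasons = []
    if is_self_signed(rec):
        reasons.append("self-signed")
    if uses_cover_name(rec):
        reasons.append("cover name in subject")
    return reasons if len(reasons) == 2 else []


def hunt(records):
    """Parse every record and keep the ones that match the pattern."""
    return [rec for rec in map(parse_record, records) if assess(rec)]


def weekly_buckets(flagged):
    """Count flagged certificates per ISO week of issuance ('2024-W10')."""
    counts = Counter()
    for rec in flagged:
        year, week, _ = rec["not_before"].isocalendar()
        counts[f"{year}-W{week:02d}"] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = hunt(SAMPLE_RECORDS)
    for rec in hits:
        print(rec["not_before"].date(), rec["subject"], assess(rec))
    print(weekly_buckets(hits))   # {'2024-W10': 2, '2024-W24': 1}
```

Feeding this real scan output (for example from your own perimeter inventory) turns the report's observation into a repeatable check; the weekly histogram is what would show the "spikes corresponding to micro-intrusion campaigns" the analysts describe. Self-signed certificates on their own are far too common on SOHO devices to act on, which is why the code requires both signals.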

The backdoor’s design prioritizes stealth over speed, enabling the threat actors to maintain long-term access while avoiding traditional detection mechanisms that focus on identifying noisy, disruptive malware behaviors.
