Stealthy backdoor found hiding in SOHO devices running Linux
SecurityScorecard’s STRIKE team has uncovered a network of compromised small office and home office (SOHO) devices they’re calling LapDogs. The threat is part of a broader shift in how China-Nexus threat actors are using Operational Relay Box (ORB) networks to hide their operations.
Targeted hardware and firmware vendors
Unlike traditional botnets, which are often noisy and scattershot, ORBs are more targeted. They repurpose everyday devices such as routers, IP cameras, and old smart tech to move through networks, collect data, or bounce traffic without raising alarms. What stands out about LapDogs is its focus on Linux-based SOHO gear, especially in the U.S., Japan, South Korea, Taiwan, and Hong Kong.
At the center of the operation is a custom backdoor called ShortLeash, which gives attackers root-level access and ensures persistence. Once installed, it sets up a fake Nginx web server and generates a self-signed TLS certificate spoofing the LAPD. That certificate became a key fingerprint and helped researchers trace over 1,000 infected nodes worldwide.
Small scale, strategic growth
Researchers found evidence that campaigns are launched in batches, with certificates generated in quick bursts. On some days, only one country was targeted. On others, several regions were hit at once, but all infected nodes used the same port number. These patterns allow defenders to link intrusion sets by time and port, which can help group related infections and speed up investigations.
In some cases, devices shared the same certificate across two IPs. This may indicate multiple interfaces or a single device used for several purposes. Either way, it points to a high level of control by the operators.
Why SOHO devices? Because they’re easy
LapDogs mostly targets older routers and devices running outdated or unpatched firmware. About 55% of the compromised hardware identified in the report came from Ruckus Wireless. Buffalo AirStation routers were also a common target, especially in Japan.
The common thread across these devices is the use of lightweight web servers such as mini_httpd and embedded management tools that often ship with default settings. Some devices were still running software from the early 2000s. Others had OpenSSH or DropBear SSH services exposed. These are often overlooked in audits and patching cycles, which makes them easy targets.
Ryan Sherstobitoff, Field Chief Threat Intelligence Officer at SecurityScorecard, told Help Net Security that CISOs in sectors like real estate and media should take a more aggressive stance. These industries often rely on large numbers of third-party-managed edge devices, which can create hidden risks.
“Devices should come with secure defaults, built-in telemetry, and patchability,” Sherstobitoff says. “Legacy routers like Ruckus and Buffalo AirStation, which were repeatedly compromised in this campaign, need to be phased out.”
He also recommends changes to procurement and vendor management practices. “CISOs should require vendors to regularly scan for outdated services like mini_httpd or DropBearSSH and to support centralized monitoring,” he says. “Network segmentation policies should clearly separate SOHO-class devices from core systems.”
Sherstobitoff adds that managed service agreements need to address the visibility gap. “Include breach notification clauses that require third-party providers to alert you if a device under their control is compromised. That kind of risk still reflects back on your environment, especially when ORB operators like LapDogs are involved.”
LapDogs attribution
The STRIKE team did not name a specific threat actor. However, several clues point to a China-Nexus group. These include the use of Mandarin in code comments, the targeted regions, and tactics that match past campaigns linked to Chinese espionage efforts. Cisco Talos had previously identified a group called UAT-5918 that may have used LapDogs infrastructure in attacks on Taiwanese critical infrastructure.
It is unclear whether UAT-5918 runs LapDogs or simply uses it. Regardless, the structured campaign planning and consistent targeting patterns suggest a well-organized operation.
What CISOs should do
“Given the stealthy nature of LapDogs and its targeting of SOHO devices often outside EDR coverage, CISOs should request that MSSPs and SOCs implement passive TLS certificate inspection and JARM fingerprint matching, specifically flagging unique self-signed certs impersonating entities like the LAPD and matching JARM,” Sherstobitoff advised.
“Netflow and DNS telemetry should also be reviewed to detect anomalous outbound traffic to C2 domains like northumbra[.]com, while ports such as 42532 or other uncommon high ports should trigger alerts when seen on embedded or unmanaged devices. SOCs should baseline edge device behavior and actively hunt for fake Nginx banners or unexpected web services, which may indicate presence of the ShortLeash implant,” Sherstobitoff concluded.
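The passive checks Sherstobitoff describes (self-signed certificates impersonating an entity such as the LAPD, uncommon high ports like 42532 on unmanaged devices, an unexpected Nginx banner where the device baseline is mini_httpd, and DNS lookups for the named C2 domain) can be expressed as a small rule set over per-device telemetry, with the time-and-port grouping from the "Small scale, strategic growth" section layered on top. The following is an added example, not SecurityScorecard's code; the record layout, the certificate subject strings, the watchlist spellings and the devices are all constructed for illustration and do not reproduce the campaign's real certificate fields. JARM matching is left out because it requires active probing.

```python
"""Passive TLS / port / banner / DNS rules for ORB-style implants on SOHO gear.

Added example, not SecurityScorecard's or Help Net Security's code. Records are
constructed, Zeek-ssl-style dictionaries; subjects and watchlist spellings are
assumptions, not the campaign's real certificate contents.
"""
from collections import defaultdict
from dataclasses import dataclass

# The page says the fake certs impersonate the LAPD; the second spelling is an
# assumption so the matcher tolerates a spelled-out subject.
IMPERSONATED_ENTITIES = ("LAPD", "LOS ANGELES POLICE")
# Port named on the page; a SOC would extend this from its own baseline.
SUSPICIOUS_HIGH_PORTS = {42532}
# C2 domain from the page, written without the defanging brackets.
KNOWN_C2_DOMAINS = {"northumbra.com"}
# Ports that are normal for embedded management interfaces (assumption).
COMMON_SERVICE_PORTS = {22, 80, 443, 8080, 8443}


@dataclass(frozen=True)
class Finding:
    device: str
    rule: str
    detail: str


def is_self_signed(rec):
    issuer = rec.get("issuer")
    return bool(issuer) and issuer == rec.get("subject")


def impersonates_watched_entity(subject):
    upper = subject.upper()
    return any(entity in upper for entity in IMPERSONATED_ENTITIES)


def evaluate(rec):
    """Return the list of rule hits for one device record, in rule order."""
    findings = []
    dev = rec["device"]
    subject = rec.get("subject", "")
    # Rule 1: self-signed cert whose subject claims a watched entity.
    if is_self_signed(rec) and impersonates_watched_entity(subject):
        findings.append(Finding(dev, "selfsigned_impersonation", subject))
    # Rule 2: known-bad port, or any uncommon high port on an unmanaged device.
    port = rec.get("port")
    if port is not None and port not in COMMON_SERVICE_PORTS:
        if port in SUSPICIOUS_HIGH_PORTS or (rec.get("unmanaged") and port >= 1024):
            findings.append(Finding(dev, "uncommon_port", str(port)))
    # Rule 3: an Nginx banner on a device whose baseline server is not Nginx.
    banner = rec.get("server_banner", "").lower()
    baseline = rec.get("baseline_server", "").lower()
    if "nginx" in banner and "nginx" not in baseline:
        findings.append(Finding(dev, "unexpected_nginx_banner", f"{banner} (baseline {baseline})"))
    # Rule 4: DNS lookups for a known C2 domain.
    for name in rec.get("dns_queries", []):
        if name.lower().rstrip(".") in KNOWN_C2_DOMAINS:
            findings.append(Finding(dev, "c2_dns", name))
    return findings


def cluster_by_time_and_port(records):
    """Group impersonating self-signed certs by (notBefore date, port), the
    batching signal the researchers used to link intrusion sets."""
    clusters = defaultdict(list)
    for rec in records:
        if any(f.rule == "selfsigned_impersonation" for f in evaluate(rec)):
            clusters[(rec["cert_not_before"], rec["port"])].append(rec["device"])
    return dict(clusters)


# Constructed sample telemetry: two implanted routers, one benign IP camera
# with its own self-signed cert, and one managed corporate web server.
RECORDS = [
    {"device": "rtr-01", "subject": "CN=LAPD", "issuer": "CN=LAPD", "port": 42532,
     "cert_not_before": "2025-03-01", "server_banner": "nginx",
     "baseline_server": "mini_httpd", "unmanaged": True, "dns_queries": ["northumbra.com"]},
    {"device": "rtr-02", "subject": "CN=LAPD", "issuer": "CN=LAPD", "port": 42532,
     "cert_not_before": "2025-03-01", "server_banner": "nginx",
     "baseline_server": "mini_httpd", "unmanaged": True, "dns_queries": []},
    {"device": "cam-03", "subject": "CN=cam-03", "issuer": "CN=cam-03", "port": 443,
     "cert_not_before": "2024-11-20", "server_banner": "mini_httpd",
     "baseline_server": "mini_httpd", "unmanaged": True, "dns_queries": []},
    {"device": "corp-web", "subject": "CN=corp.example", "issuer": "CN=Example CA", "port": 443,
     "cert_not_before": "2025-01-15", "server_banner": "nginx",
     "baseline_server": "nginx", "unmanaged": False, "dns_queries": []},
]

if __name__ == "__main__":
    for rec in RECORDS:
        for f in evaluate(rec):
            print(f"{f.device}: {f.rule} -> {f.detail}")
    print("clusters:", cluster_by_time_and_port(RECORDS))
```

The camera record shows why a self-signed certificate alone is not a signal on SOHO gear: almost every embedded device ships one. It is the combination of a self-signed certificate with an impersonated subject, an odd listener port, and a banner that contradicts the device's baseline that separates the implant from ordinary consumer hardware.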