Chinese “LapDogs” ORB Network Targets US and Asia
Summary:
SecurityScorecard’s STRIKE team has uncovered a sophisticated and gradually expanding Operational Relay Box (ORB) network known as “LapDogs,” believed to be operated by China-nexus threat actors. The network primarily targets Linux-based Small Office/Home Office (SOHO) routers and embedded devices in the United States and Asia, particularly Japan, South Korea, Taiwan, and Hong Kong. LapDogs relies on a custom backdoor named ShortLeash, which gives the operators persistent access to compromised devices. Once installed, ShortLeash stands up a fake Nginx web server and generates a unique self-signed TLS certificate whose issuer is spoofed to look like the Los Angeles Police Department. These certificates, together with consistent infrastructure patterns and Mandarin-language artifacts embedded in the code, support attribution to China-linked advanced persistent threat groups.
The LapDogs network comprises more than 1,000 infected nodes and has grown steadily since at least September 2023. Each ShortLeash installation generates its own TLS certificate, and the certificates’ issue dates, the port assignments, and the geographic targeting all point to deliberate, methodical campaign execution. STRIKE has mapped the campaign into 162 distinct intrusion sets, more than a third of which show a strong correlation in ISP or geographic location, which suggests targeted operations rather than opportunistic infections. Notably, 55% of infected devices are Ruckus Wireless access points, with Buffalo AirStation routers also significantly represented.
Security Officer Comments:
SecurityScorecard’s analysis shows that LapDogs differs from typical botnets in both purpose and execution. Rather than launching noisy attacks, the ORB operates quietly, providing covert relay infrastructure for espionage. Initial access comes from exploiting long-unpatched vulnerabilities in the lightweight web servers embedded in these devices, such as CVE-2015-1548 and CVE-2017-17663 in ACME mini_httpd. Devices infected by LapDogs may be used solely as relays, or they may become hybrid victims if the attackers pivot from the device into the internal network behind it. Although it shares some infrastructure traits with another ORB network known as “PolarEdge,” LapDogs is functionally distinct: the PolarEdge malware uses different persistence methods and is limited to router targets, whereas ShortLeash has been observed across Linux, VPS, IoT devices, and even Microsoft Windows systems. And unlike PolarEdge, which reuses identical TLS certificates across nodes, LapDogs generates a unique certificate for each infected node.
For attribution, STRIKE assesses with moderate confidence that the China-nexus actor UAT-5918 has used the LapDogs network, possibly as an operator or as a client of the network. Given the structured design, targeted geography, and Mandarin-language artifacts, the network appears to support strategic cyber espionage campaigns focused on sectors such as IT, real estate, networking, and media.
Suggested Corrections:
To mitigate the threat posed by the LapDogs ORB network, organizations should promptly update and patch all SOHO devices, particularly those running outdated embedded web servers, and replace devices that no longer receive vendor firmware updates. Disable remote management interfaces when they are not needed, and enforce strong authentication for device access. Monitor network traffic for unusual TLS certificates, especially self-signed certificates whose issuer is spoofed as the LAPD, and for TLS services on high, non-standard ports, particularly from devices presenting an Nginx banner that the device has no business serving. Finally, implement network segmentation to prevent lateral movement from compromised devices, and use threat intelligence to detect indicators linked to ShortLeash and LapDogs infrastructure.
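The certificate and port heuristics above can be turned into a first-pass detection. The following Python script is an added example written for this summary, not code from SecurityScorecard or from the referenced reports: it parses constructed TLS session records in a simplified Zeek ssl.log-like layout and flags self-signed certificates whose issuer is spoofed as the LAPD, self-signed certificates served on non-standard ports, and a certificate reused across several hosts (the PolarEdge-style reuse pattern, in contrast to LapDogs’ unique certificate per node). The field layout, distinguished names, IP addresses and fingerprints are all assumptions constructed for the example; the exact DN fields of the real ShortLeash certificates are not reproduced on this page, so the issuer marker strings should be replaced with the actual indicators from the STRIKE report before use.

```python
"""Flag TLS sessions matching the ShortLeash certificate pattern described
above: a self-signed certificate spoofed to look LAPD-issued, usually served
by a SOHO device on a high, non-standard port.

Added example for this summary. All log records, DN strings, addresses and
fingerprints below are CONSTRUCTED; the layout is a simplified, Zeek
ssl.log-like TSV (ts, orig_h, resp_h, resp_p, subject, issuer, cert_sha1).
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Assumed issuer markers; replace with the exact DN fields from the STRIKE
# report's indicators when deploying.
LAPD_ISSUER_MARKERS = ("los angeles police department", "o=lapd")
# Ports where a self-signed cert on a SOHO device is unremarkable on its own.
EXPECTED_TLS_PORTS = {443, 8443}


@dataclass(frozen=True)
class TlsRecord:
    ts: float
    orig_h: str
    resp_h: str
    resp_p: int
    subject: str
    issuer: str
    cert_sha1: str


def parse_ssl_log(text: str) -> list[TlsRecord]:
    """Parse the simplified TSV layout; '#' lines are headers/comments."""
    records: list[TlsRecord] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.rstrip("\n").split("\t")
        if len(f) != 7:
            continue  # skip malformed rows instead of aborting the sweep
        records.append(TlsRecord(float(f[0]), f[1], f[2], int(f[3]), f[4], f[5], f[6]))
    return records


def is_self_signed(r: TlsRecord) -> bool:
    # Self-signed leaf: issuer DN equals subject DN (no CA in the chain).
    return r.subject == r.issuer


def lapd_spoofed(r: TlsRecord) -> bool:
    issuer = r.issuer.lower()
    return any(marker in issuer for marker in LAPD_ISSUER_MARKERS)


def classify(records: list[TlsRecord]) -> dict[str, list[str]]:
    """Map each suspicious server IP to the list of reasons it was flagged."""
    hosts_by_cert: dict[str, set[str]] = defaultdict(set)
    for r in records:
        hosts_by_cert[r.cert_sha1].add(r.resp_h)

    findings: dict[str, list[str]] = defaultdict(list)
    for r in records:
        reasons = []
        if is_self_signed(r) and lapd_spoofed(r):
            reasons.append("self-signed cert with LAPD-spoofed issuer")
        if is_self_signed(r) and r.resp_p not in EXPECTED_TLS_PORTS:
            reasons.append(f"self-signed cert on non-standard port {r.resp_p}")
        # LapDogs mints a unique cert per node; the same cert on many hosts
        # is the PolarEdge-style reuse pattern and deserves its own alert.
        shared = len(hosts_by_cert[r.cert_sha1])
        if shared > 1:
            reasons.append(f"certificate {r.cert_sha1[:8]} reused by {shared} hosts")
        for reason in reasons:
            if reason not in findings[r.resp_h]:
                findings[r.resp_h].append(reason)
    return dict(findings)


# Constructed sample: one benign CA-issued session, two LAPD-spoofed
# self-signed certs on odd ports, and one cert shared by two hosts.
_ROWS = [
    ("1718000001.0", "10.0.0.5", "203.0.113.10", "443",
     "CN=www.example.org,O=Example Inc", "CN=Example CA,O=Example Inc", "aa" * 20),
    ("1718000002.0", "10.0.0.5", "198.51.100.21", "8123",
     "CN=LAPD,O=Los Angeles Police Department,L=Los Angeles,ST=California,C=US",
     "CN=LAPD,O=Los Angeles Police Department,L=Los Angeles,ST=California,C=US", "bb" * 20),
    ("1718000003.0", "10.0.0.6", "198.51.100.22", "9443",
     "CN=lapd-ca,O=LAPD,C=US", "CN=lapd-ca,O=LAPD,C=US", "cc" * 20),
    ("1718000004.0", "10.0.0.7", "198.51.100.30", "8443",
     "CN=edge,O=Acme", "CN=edge,O=Acme", "dd" * 20),
    ("1718000005.0", "10.0.0.7", "198.51.100.31", "8443",
     "CN=edge,O=Acme", "CN=edge,O=Acme", "dd" * 20),
]
SAMPLE_SSL_LOG = (
    "#ts\torig_h\tresp_h\tresp_p\tsubject\tissuer\tcert_sha1\n"
    + "\n".join("\t".join(row) for row in _ROWS)
)

FINDINGS = classify(parse_ssl_log(SAMPLE_SSL_LOG))

if __name__ == "__main__":
    for host, reasons in sorted(FINDINGS.items()):
        print(host, "->", "; ".join(reasons))
```

The self-signed check (subject equals issuer) is deliberately the first gate: a CA-issued certificate on an odd port is common on legitimate appliances, whereas a self-signed one on a high port from a SOHO address range is the combination worth a second look. In a real deployment the sample rows would be replaced by the Zeek ssl.log or x509.log export, and the benign-port set tuned to what the environment actually serves.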
Link(s):
https://www.infosecurity-magazine.com/news/chinese-lapdogs-orb-network/
https://securityscorecard.com/blog/...vert-orb-network-inside-the-lapdogs-campaign/