A sneaky cyber espionage campaign is exploiting IoT devices and home office routers – here's what you need to know
The China-linked campaign targets ISPs, hardware vendors, and the IT and networking sectors


Cybersecurity experts have issued an alert over a new cyber espionage network that’s believed to have compromised thousands of devices globally.
Dubbed 'LapDogs' by researchers at SecurityScorecard, the campaign has focused on the US, Japan, South Korea, Taiwan, and Hong Kong.
The use of Mandarin in developer notes within the startup script, together with the tactics, techniques, and procedures (TTPs) used and the choice of targeted regions, indicates that it is likely run by a China-based group.
Victims recorded so far include ISPs, hardware vendors, and specific organizations in several sectors, including IT, networking, real estate, and media.
The campaign appears to have been running since September 2023, with infections remaining undetected for months, allowing for long-term surveillance and exploitation.
It is a stealthy, long-term intrusion effort that exploits IoT devices and small office/home office (SOHO) routers, including legacy devices from vendors such as Ruckus Wireless and Buffalo Technology.
Unlike traditional botnets, the campaign relies on Operational Relay Boxes (ORBs): compromised nodes that route attacker traffic through legitimate devices without triggering alarms, thereby masking the attackers' activity, researchers said.
"This campaign shows a surging interest from China-Nexus threat actors in using ORB Networks to conduct covert intrusion campaigns both around the globe and tailored to specific victims of interest," researchers warned.
"With an increasing interest in this approach, security teams should be on alert that China-Nexus threat actors are disrupting traditional playbooks for IOC tracking, response, and remediation."
A custom Linux- and Windows-compatible backdoor called ‘ShortLeash’ enables silent control, persistence, and lateral movement inside networks, researchers noted.
ShortLeash also generates TLS certificates that are spoofed as being signed by the Los Angeles Police Department (LAPD) to further obscure its origin.
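As an added defensive example (not code from the article or from the SecurityScorecard report): a triage helper that walks a certificate inventory in the nested RDN tuple format Python's `ssl.SSLSocket.getpeercert()` returns, and flags listeners whose certificate is self-signed yet names LAPD as the issuer. The marker strings and the sample inventory are constructed assumptions, not observed indicators.

```python
from typing import Any

# The article says ShortLeash certificates claim LAPD as the signer; the exact
# field values are not on the page, so these substrings are an ASSUMPTION.
SUSPICIOUS_ISSUER_MARKERS = ("los angeles police department", "lapd")


def rdn_to_dict(rdn_seq: tuple) -> dict[str, str]:
    """Flatten getpeercert()-style RDN tuples into {attribute: value}.
    Input shape: ((('organizationName', 'X'),), (('commonName', 'Y'),))."""
    out: dict[str, str] = {}
    for rdn in rdn_seq:
        for attr, value in rdn:
            out[attr] = value
    return out


def is_self_signed(cert: dict[str, Any]) -> bool:
    """A certificate whose issuer name equals its subject name is self-signed."""
    return rdn_to_dict(cert.get("issuer", ())) == rdn_to_dict(cert.get("subject", ()))


def flag_suspicious_cert(cert: dict[str, Any]) -> list[str]:
    """Return the reasons a certificate looks like a spoofed-issuer cert."""
    reasons: list[str] = []
    issuer_text = " ".join(rdn_to_dict(cert.get("issuer", ())).values()).lower()
    if any(marker in issuer_text for marker in SUSPICIOUS_ISSUER_MARKERS):
        reasons.append("issuer claims to be LAPD")
        if is_self_signed(cert):
            reasons.append("self-signed (issuer == subject)")
    return reasons


def triage_inventory(records: list[dict[str, Any]]) -> list[tuple[str, list[str]]]:
    """Return (host, reasons) for every record that raises at least one flag."""
    hits = []
    for rec in records:
        reasons = flag_suspicious_cert(rec["cert"])
        if reasons:
            hits.append((rec["host"], reasons))
    return hits


# Constructed sample inventory (hostnames and values are made up for this example).
SAMPLE_INVENTORY = [
    {"host": "router-a.example", "cert": {
        "subject": ((("organizationName", "Los Angeles Police Department"),), (("commonName", "lapd.example"),)),
        "issuer": ((("organizationName", "Los Angeles Police Department"),), (("commonName", "lapd.example"),)),
    }},
    {"host": "nas-b.example", "cert": {
        "subject": ((("commonName", "nas-b.example"),),),
        "issuer": ((("organizationName", "Example Trust CA"),), (("commonName", "Example Root"),)),
    }},
]

if __name__ == "__main__":
    for host, reasons in triage_inventory(SAMPLE_INVENTORY):
        print(host, "->", "; ".join(reasons))
```

Note that `getpeercert()` only returns a populated dict when the chain was validated, so for self-signed device certificates the inventory has to come from a scanner export or from decoding the DER form with a separate parser.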
The LapDogs campaign is expanding at pace
Researchers warned that LapDogs has been spreading methodically, with attackers using it both to anonymize their operations and to establish beachheads into broader infrastructure, including enterprise networks.
“LapDogs reflects a strategic shift in how cyber threat actors are leveraging distributed, low-visibility devices to gain persistent access,” said Ryan Sherstobitoff, chief threat intelligence officer at SecurityScorecard.
“These aren’t opportunistic smash-and-grab attacks—these are deliberate, geo-targeted campaigns that erode the value of traditional IOCs (Indicators of Compromise).”
While there are similarities with PolarEdge, another China-linked ORB network, LapDogs operates independently and its TTPs differ.
Researchers said they identified 162 discrete intrusion sets, with around a third sharing a common geographical location or ISP. This, they added, suggests that the operators are highly focused on several specific locations and that LapDogs is a goal-oriented actor.
"Overall, LapDogs is a vast, prolonged intrusion operation with clear intent and planning, emphasizing the need for vigilance in securing embedded devices," the researchers warned.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.