A sneaky cyber espionage campaign is exploiting IoT devices and home office routers – here's what you need to know
The China-linked campaign targets ISPs, hardware vendors, and the IT and networking sectors


Cybersecurity experts have issued an alert over a new cyber espionage network that’s believed to have compromised thousands of devices globally.
Dubbed 'LapDogs' by researchers at SecurityScorecard, the campaign has focused on the US, Japan, South Korea, Taiwan, and Hong Kong.
The use of Mandarin in developer notes within the startup script, together with the tactics, techniques, and procedures (TTPs) observed and the choice of targeted regions, suggests the campaign is likely run by a China-based group.
Victims recorded so far include ISPs, hardware vendors, and specific organizations in several sectors, including IT, networking, real estate, and media.
The campaign appears to have been running since September 2023, with infections remaining undetected for months, allowing for long-term surveillance and exploitation.
It consists of stealthy, long-term intrusions that exploit IoT devices and Small Office/Home Office (SOHO) routers, including legacy devices from vendors such as Ruckus Wireless and Buffalo Technology.
Unlike traditional botnets, researchers said the campaign leverages sophisticated Operational Relay Boxes (ORBs) — malicious nodes that route traffic through legitimate devices without triggering alarms, thereby masking the attackers' activities.
"This campaign shows a surging interest from China-Nexus threat actors in using ORB Networks to conduct covert intrusion campaigns both around the globe and tailored to specific victims of interest," researchers warned.
"With an increasing interest in this approach, security teams should be on alert that China-Nexus threat actors are disrupting traditional playbooks for IOC tracking, response, and remediation."
A custom Linux- and Windows-compatible backdoor called ‘ShortLeash’ enables silent control, persistence, and lateral movement inside networks, researchers noted.
ShortLeash also generates TLS certificates that are spoofed as being signed by the Los Angeles Police Department (LAPD) to further obscure its origin.
The LapDogs campaign is expanding at pace
Researchers warned that LapDogs has been spreading methodically, with attackers using it both to anonymize their operations and to establish beachheads into broader infrastructure, including enterprise networks.
“LapDogs reflects a strategic shift in how cyber threat actors are leveraging distributed, low-visibility devices to gain persistent access,” said Ryan Sherstobitoff, chief threat intelligence officer at SecurityScorecard.
“These aren’t opportunistic smash-and-grab attacks—these are deliberate, geo-targeted campaigns that erode the value of traditional IOCs (Indicators of Compromise).”
While there are similarities with PolarEdge, another China-linked ORB network, LapDogs operates independently and its TTPs do differ.
Researchers said they identified 162 discrete intrusion sets, around a third of which share a common geographic location or ISP. This, they added, suggests the operators are highly focused on a handful of specific locations and that LapDogs is a goal-oriented actor.
"Overall, LapDogs is a vast, prolonged intrusion operation with clear intent and planning, emphasizing the need for vigilance in securing embedded devices," the researchers warned.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.