Cybersecurity experts have issued an alert over a new cyber espionage network that’s believed to have compromised thousands of devices globally.
Dubbed 'LapDogs' by researchers at SecurityScorecard, the campaign has focused on the US, Japan, South Korea, Taiwan, and Hong Kong.
The use of Mandarin in developer notes within the startup script, along with the tools, techniques, and procedures (TTPs) used and the choice of targeted regions means it is likely to be run by a China-based group.
Victims recorded so far include ISPs, hardware vendors, and specific organizations in several sectors, including IT, networking, real estate, and media.
The campaign appears to have been running since September 2023, with infections remaining undetected for months, allowing for long-term surveillance and exploitation.
It involves stealthy, long-term intrusion campaigns, and exploits IoT devices and Small Office/Home Office (Soho) routers, including legacy devices from vendors such as Ruckus Wireless and Buffalo Technology.
Unlike traditional botnets, researchers said the campaign leverages sophisticated Operational Relay Boxes (ORBs) — malicious nodes that route traffic through legitimate devices without triggering alarms, thereby masking the attackers' activities.
"This campaign shows a surging interest from China-Nexus threat actors in using ORB Networks to conduct covert intrusion campaigns both around the globe and tailored to specific victims of interest," researchers warned.
"With an increasing interest in this approach, security teams should be on alert that China-Nexus threat actors are disrupting traditional playbooks for IOC tracking, response, and remediation."
A custom Linux- and Windows-compatible backdoor called ‘ShortLeash’ enables silent control, persistence, and lateral movement inside networks, researchers noted.
ShortLeash also generates TLS certificates that are spoofed as being signed by the Los Angeles Police Department (LAPD) to further obscure its origin.
The LapDogs campaign is expanding at pace
Researchers warned that LapDogs has been spreading methodically, with attackers using it both to anonymize their operations and to establish beachheads into broader infrastructure, including enterprise networks.
“LapDogs reflects a strategic shift in how cyber threat actors are leveraging distributed, low-visibility devices to gain persistent access,” said Ryan Sherstobitoff, chief threat intelligence officer at SecurityScorecard.
“These aren’t opportunistic smash-and-grab attacks—these are deliberate, geo-targeted campaigns that erode the value of traditional IOCs (Indicators of Compromise).”
While there are similarities with PolarEdge, another China-linked ORB network, LapDogs operates independently and its TTPs do differ.
Researchers said they identified 162 discrete intrusion sets, with around a third sharing a common geographical location or ISP. This, they added, suggests that the operators are highly focused on several specific locations and that LapDogs is a goal-oriented actor.
"Overall, LapDogs is a vast, prolonged intrusion operation with clear intent and planning, emphasizing the need for vigilance in securing embedded devices," the researchers warned.
MORE FROM ITPRO
-
Everything we know about the Ingram Micro cyber attack so farNews A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
Brother UK revamps inkjet lineup to drive partner opportunitiesNews The vendor has replaced its A4 Mini Business and A4 Mini Regular printers to help channel partners meet increasing market demand.
-
Millions of customers have been exposed in the Qantas cyber attack – here’s everything we know so farNews While details remain murky, cyber experts told ITPro the Qantas incident bears all the hallmarks of the Scattered Spider ransomware group.
-
M&S aims for full online restoration within four weeks following major cyber attackNews M&S CEO Stuart Machin says the high street retailer plans to fully restore operations by August following a devastating cyber attack in April.
-
British IT worker jailed for revenge attack on employer that caused a “ripple effect of disruption” for colleagues and customersNews West Yorkshire man Mohammed Umar Taj was suspended from his job in Huddersfield in July 2022, and began taking revenge within hours.
-
Financial impact of cyber attacks on UK retailers laid bare in new reportNews Analysis from the Cyber Monitoring Centre shows the recent cyber attacks on a host of UK retailers could cost up to £440 million.
-
‘States don’t do hacking for fun’: NCSC expert urges businesses to follow geopolitics as defensive strategyNews Paul Chichester, director of operations at the UK’s National Cyber Security Centre, urged businesses to keep closer tabs on geopolitical events to gauge potential cyber threats.
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabsNews An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
Edge devices are now your weakest link: VPNs, firewalls, and routers were the leading source of initial compromise in 30% of incidents last year – here’s whyNews Compromised network edge devices have rapidly emerged as one of the biggest attack points for small and medium businesses.
-
Billions of IoT devices will need to be secured in the next four years – zero trust could be the key to successNews Researchers have warned more than 28 billion IoT devices will need to be secured by 2028 as attacks on connected devices surge.
