Cybersecurity experts have issued an alert over a new cyber espionage network that’s believed to have compromised thousands of devices globally.
Dubbed ‘LapDogs’ by researchers at SecurityScorecard, the campaign has focused on the US, Japan, South Korea, Taiwan, and Hong Kong.
The use of Mandarin in developer notes within the startup script, along with the tactics, techniques, and procedures (TTPs) used and the choice of targeted regions, suggests the campaign is likely run by a China-based group.
Victims recorded so far include ISPs, hardware vendors, and specific organizations in several sectors, including IT, networking, real estate, and media.
The campaign appears to have been running since September 2023, with infections remaining undetected for months, allowing for long-term surveillance and exploitation.
It involves stealthy, long-term intrusion campaigns, and exploits IoT devices and Small Office/Home Office (SOHO) routers, including legacy devices from vendors such as Ruckus Wireless and Buffalo Technology.
Unlike traditional botnets, researchers said the campaign leverages sophisticated Operational Relay Boxes (ORBs) — malicious nodes that route traffic through legitimate devices without triggering alarms, thereby masking the attackers’ activities.
“This campaign shows a surging interest from China-Nexus threat actors in using ORB Networks to conduct covert intrusion campaigns both around the globe and tailored to specific victims of interest,” researchers warned.
“With an increasing interest in this approach, security teams should be on alert that China-Nexus threat actors are disrupting traditional playbooks for IOC tracking, response, and remediation.”
A custom Linux- and Windows-compatible backdoor called ‘ShortLeash’ enables silent control, persistence, and lateral movement inside networks, researchers noted.
ShortLeash also generates TLS certificates that are spoofed as being signed by the Los Angeles Police Department (LAPD) to further obscure its origin.
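The spoofed-issuer detail above is the kind of thing a defender can hunt for in passive TLS certificate metadata: a certificate whose issuer name claims a public authority but that chains to nothing in the trust store is worth a look, while ordinary self-signed certificates on embedded devices are too common to flag on their own. The following is an added example, not code from the article or from SecurityScorecard. The sample records, the issuer string (the article does not give the exact value ShortLeash uses), the trusted-issuer list and the keyword watchlist are all constructed assumptions.

```python
"""Flag TLS certificates whose issuer claims an authority but chains to no trusted CA.

Added example (not from the article or from SecurityScorecard). The records,
the issuer strings, the trust list and the keyword list below are constructed
to illustrate the check; a real deployment would read certificate metadata
from a passive x509 log and the trust list from the host's trust store.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed allowlist of issuer organizations the environment actually trusts.
TRUSTED_ISSUER_ORGS = {"Example Root CA Inc", "Corp Internal PKI"}

# Constructed watchlist of organization names a spoofed issuer might claim.
# The exact string the backdoor uses is not given in the article; these are placeholders.
IMPERSONATED_ORG_KEYWORDS = ("police department", "ministry", "government")


@dataclass(frozen=True)
class CertRecord:
    host: str          # device that presented the certificate
    subject: str       # RFC 4514 style distinguished name, e.g. "CN=a,O=b"
    issuer: str        # distinguished name of the claimed signer
    self_signed: bool  # issuer DN equals subject DN and the signature verifies with its own key


def parse_dn(dn: str) -> dict[str, str]:
    """Split a DN such as 'CN=a\\,b,O=c' into {'CN': 'a,b', 'O': 'c'}.

    Only backslash-escaped commas are handled; that is enough for log-derived DNs.
    """
    fields: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    parts: dict[str, str] = {}
    for field in fields:
        if "=" in field:
            key, value = field.split("=", 1)
            parts[key.strip().upper()] = value.strip()
    return parts


def classify(rec: CertRecord) -> str | None:
    """Return a reason string if the certificate looks like an impersonated issuer, else None."""
    org = parse_dn(rec.issuer).get("O", "")
    claims_authority = any(k in org.lower() for k in IMPERSONATED_ORG_KEYWORDS)
    if rec.self_signed and claims_authority:
        # A device signing its own certificate under an authority's name has no
        # legitimate reason to do so; this is the pattern described for ShortLeash.
        return "self-signed cert claiming an authority issuer"
    if claims_authority and org not in TRUSTED_ISSUER_ORGS:
        return "authority-named issuer not in trust store"
    # Plain self-signed certs on embedded devices are ordinary; do not flag them alone.
    return None


def flag_suspicious(records: list[CertRecord]) -> list[tuple[str, str]]:
    """Return (host, reason) pairs for every record that classify() flags."""
    return [(r.host, reason) for r in records if (reason := classify(r))]


# Constructed sample records: one properly chained cert, one self-signed cert
# claiming a law-enforcement issuer, one ordinary self-signed IoT cert.
SAMPLE_RECORDS = [
    CertRecord("203.0.113.10", "CN=router.example.net,O=Example Corp",
               "CN=Example Root CA,O=Example Root CA Inc", False),
    CertRecord("203.0.113.11", "CN=203.0.113.11,O=Los Angeles Police Department",
               "CN=203.0.113.11,O=Los Angeles Police Department", True),
    CertRecord("198.51.100.7", "CN=cam01,O=Home Lab", "CN=cam01,O=Home Lab", True),
]

if __name__ == "__main__":
    for host, reason in flag_suspicious(SAMPLE_RECORDS):
        print(f"{host}: {reason}")
```

The check deliberately keys on the combination of an authority-style issuer name and a missing chain to a trusted root, rather than on self-signing alone, because most SOHO routers and cameras ship with self-signed certificates and flagging all of them would bury the one that matters.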
The LapDogs campaign is expanding at pace
Researchers warned that LapDogs has been spreading methodically, with attackers using it both to anonymize their operations and to establish beachheads into broader infrastructure, including enterprise networks.
“LapDogs reflects a strategic shift in how cyber threat actors are leveraging distributed, low-visibility devices to gain persistent access,” said Ryan Sherstobitoff, chief threat intelligence officer at SecurityScorecard.
“These aren’t opportunistic smash-and-grab attacks—these are deliberate, geo-targeted campaigns that erode the value of traditional IOCs (Indicators of Compromise).”
While there are similarities with PolarEdge, another China-linked ORB network, LapDogs operates independently and its TTPs do differ.
Researchers said they identified 162 discrete intrusion sets, with around a third sharing a common geographical location or ISP. This, they added, suggests that the operators are highly focused on several specific locations and that LapDogs is a goal-oriented actor.
“Overall, LapDogs is a vast, prolonged intrusion operation with clear intent and planning, emphasizing the need for vigilance in securing embedded devices,” the researchers warned.