China Behind “LapDogs”: How ORB Networks Are Redefining Cyberespionage Against the U.S. and Asia
- Gabriele Iuvinale

- 23 June
- Reading time: 2 min
SecurityScorecard has issued a warning about a sophisticated cyber espionage campaign, dubbed "LapDogs," which utilizes an Operational Relay Box (ORB) network comprising over 1,000 compromised Small Office/Home Office (SOHO) devices worldwide. This network, operated by Chinese actors, targets victims in the United States and Asia, with a particular focus on Japan, South Korea, Hong Kong, and Taiwan.

The "LapDogs" Botnet: Structure and Tactics
The LapDogs botnet exploits vulnerabilities in SOHO devices, such as routers and IoT endpoints, combining them with Virtual Private Servers (VPS) to create ORB networks. The primary goal of these networks is to obfuscate communications and enable plausible deniability, making it extremely difficult for investigators to trace the origin of attacks. This tactic is increasingly common among Chinese actors, including the notorious Volt Typhoon group and others, who use it to conceal command and control (C2) communications, evade detection, and complicate attribution.
"ShortLeash": The Custom Backdoor
At the heart of the LapDogs campaign is a custom backdoor called "ShortLeash." This malware allows attackers to maintain persistence on infected devices and connect them to the ORB network. A distinctive feature of ShortLeash is its ability to generate falsified TLS certificates that appear to be signed by the Los Angeles Police Department (LAPD). This clever misdirection technique aims to confuse investigators and delay their efforts.
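As an added, defender-side example (not code from the SecurityScorecard report or from this post), the scan below walks constructed Zeek-style x509.log records and flags self-signed certificates whose issuer field names an organisation that does not operate a public CA, the LAPD being the case described above. The field layout, the watchlist and all sample values are assumptions made for the example.

```python
"""Flag self-signed TLS certificates whose issuer claims to be an organisation
that does not issue device certificates (a police department, for instance).

Record layout is modelled on Zeek's x509.log (tab-separated ts, id, subject,
issuer); the records below are constructed sample data, not a real capture.
"""
from dataclasses import dataclass

# Organisations named as impersonated issuers in the LapDogs write-up.
# Extend from your own intel; matching is case-insensitive on the whole O= value.
IMPERSONATED_ORGS = ("los angeles police department", "lapd")

# Constructed sample log: one benign self-signed router cert, one forged
# "LAPD" self-signed cert, one publicly issued cert, one cert whose *subject*
# (not issuer) mentions the LAPD and therefore must not be flagged.
SAMPLE_X509_LOG = """\
1718000001.1\tFx1\tCN=router.local,O=Home Router,C=US\tCN=router.local,O=Home Router,C=US
1718000002.2\tFx2\tCN=device,O=LAPD,L=Los Angeles,ST=CA,C=US\tCN=device,O=LAPD,L=Los Angeles,ST=CA,C=US
1718000003.3\tFx3\tCN=www.example.com,O=Example Corp\tCN=Public CA,O=Well-Known CA Inc
1718000004.4\tFx4\tCN=cam01,O=Los Angeles Police Department,C=US\tCN=Real CA,O=Well-Known CA Inc
"""


def parse_dn(dn):
    """Turn 'CN=a, O=b' into {'CN': 'a', 'O': 'b'} (keys upper-cased)."""
    out = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip()
    return out


@dataclass
class Finding:
    cert_id: str
    issuer_org: str
    reason: str


def scan_x509_log(text):
    """Return one Finding per self-signed cert with an impersonated issuer O=."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            continue  # malformed record; skip rather than crash the scan
        _ts, cert_id, subject, issuer = fields[:4]
        subj, iss = parse_dn(subject), parse_dn(issuer)
        self_signed = subj == iss  # issuer DN identical to subject DN
        org = iss.get("O", "")
        if self_signed and org.lower() in IMPERSONATED_ORGS:
            findings.append(Finding(cert_id, org, "self-signed cert claims impersonated issuer"))
    return findings
```

Run against a real x509.log export, the rule is a triage hint only: a self-signed certificate naming a law-enforcement issuer on a SOHO device warrants a look at that device, not an automatic verdict.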
Targets and Attack Vectors
The campaign, active since at least September 2023, has gradually expanded its reach, adding new compromised devices and victims. The most affected sectors include real estate, IT, networking, and media. SecurityScorecard identified 162 distinct intrusion sets, demonstrating the meticulous planning of the operators.
Victims can fall into several categories:
- Compromised SOHO device ownership: threat actors directly compromise the victims' SOHO devices.
- Targeting via compromised devices: victims are attacked by leveraging compromised SOHO devices as a starting point.
- Local network breach: a compromised SOHO device is used as an initial access vector to infiltrate the victim's local network.
Attribution and Links to Other Threats
Forensic evidence collected by SecurityScorecard, including developer notes in Mandarin within the startup scripts, the Tactics, Techniques, and Procedures (TTPs) used, and victim profiling, strongly supports attributing the LapDogs campaign to China-nexus Advanced Persistent Threat (APT) actors. The geographical focus on the United States and Southeast Asian countries further reinforces this attribution.
It's been noted that LapDogs shares some infrastructure with another similar ORB network, "PolarEdge," although their TTPs and certificate management differ. This suggests a growing interest among China-nexus actors in using ORB networks to conduct targeted and covert intrusion campaigns.
Security Implications
According to Ryan Sherstobitoff, Head of Threat Intelligence at SecurityScorecard, LapDogs represents a strategic shift in how cyber threat actors leverage distributed, low-visibility devices to gain persistent access. "These are not opportunistic smash-and-grab attacks, but deliberate, geo-located campaigns that erode the value of traditional IOCs," Sherstobitoff stated.
The increasing use of ORB networks by China-nexus actors highlights the need for security teams to be vigilant and adapt their traditional playbooks for Indicator of Compromise (IOC) tracking, response, and remediation. The LapDogs campaign is a vast, prolonged intrusion operation with clear intent and planning, underscoring the critical importance of securing embedded devices.