What if the very tools your threat team or SOC relies on, such as IP blacklists, domain alerts, and file hashes, were already outdated the moment you received them? LapDogs, a newly discovered China-linked cyber-espionage campaign, shows how real that problem is.
LapDogs operates quietly, hijacking small batches of SOHO (small office/home office) devices to assemble an Operational Relay Box (ORB) network, in contrast to traditional botnets, which generate noise and attract attention.
This infrastructure lets the attackers mask the true origin of their activity, present self-signed TLS certificates that impersonate a legitimate organization, and rotate compromised nodes so quickly that conventional indicators of compromise (IOCs) go stale almost overnight.
LapDogs APT Cyber Strategy
This covert-espionage infrastructure, tracked as the LapDogs Advanced Persistent Threat (APT), uses compromised devices to relay and support intrusion activity in a stealthy manner. At the time of reporting the network had more than one thousand actively infected nodes worldwide.
The campaign stands out because it compromises SOHO routers and Internet of Things hardware and turns them into Operational Relay Boxes (ORBs), which lets the operators sustain surveillance for long periods. Most of the devices are located in the United States, South Korea, Japan, Hong Kong, and Taiwan.
Nuts and Bolts of an ORB Network
An ORB network is made up of several components:
- Adversary Controlled Operations Server (ACOS): the server from which the operators manage the ORB network.
- Relay nodes: nodes that authenticate operators and admit their traffic into the network. These are typically virtual private server (VPS) instances hosted in China or Hong Kong.
- Traversal nodes: the bulk of the network, made up of provisioned (leased) VPS instances and non-provisioned nodes, that is, compromised hardware and software such as SOHO routers. They relay traffic and obscure its origin.
- Exit/Staging nodes: attacker-controlled nodes that bridge traffic out of the ORB network toward the target; they are the last hop the victim sees.
- Victim servers: the targets of the attack, which receive connections from the ORB exit nodes.
A real-world example is the ORB3/SPACEHOP network, a provisioned ORB network built on servers located in China and used by several advanced persistent threat (APT) groups, including APT5, APT15, and UNC2630. Security researchers linked it to exploitation of CVE-2022-27518 toward the end of 2022.
LapDogs APT Targeted Victims
LapDogs APT targets a wide range of sectors, including IT, real estate, networking, municipal services, and media. The compromised infrastructure itself is Small Office/Home Office (SOHO) equipment: routers and IoT hardware from vendors including Ruckus Wireless, Asus, Buffalo Technology, D-Link, Panasonic, Microsoft, and Synology.
Security researchers found the earliest nodes in September 2023, and the network has grown since then in small, deliberate steps. Researchers count 162 distinct intrusion sets, each adding at most 60 devices to the ORB network, so no single campaign is large enough to draw attention.
LapDogs Malware and Techniques
The LapDogs campaign is a purpose-built espionage platform operated by a China-linked group. Since September 2023 this hidden network has expanded quietly, compromising more than a thousand devices to serve as stealthy infrastructure for the group's surveillance and intrusion activity.
The group’s malware and techniques:
- The threat actors deploy a custom backdoor called ShortLeash to gain and keep control of compromised devices.
- ShortLeash serves a self-signed TLS certificate whose issuer and subject fields are filled in to look like the Los Angeles Police Department. A self-signed certificate fails validation against any real trust store, so the disguise is aimed at analysts and scanners skimming certificate metadata rather than at TLS clients; at a glance the traffic looks plausibly benign, which helps the operators avoid detection.
- The LapDogs operation is methodical and structured, growing through small, geographically focused intrusions rather than mass compromise.
In addition, ORB networks such as LapDogs enable long-term, stealthy espionage by acting as flexible infrastructure for reconnaissance, anonymized browsing, data collection, and relaying stolen data in a far more versatile way than traditional botnets.
The campaign clearly illustrates a growing trend of China-linked threat actors leveraging decentralized embedded devices for hard-to-detect, long-duration espionage.
Why is the LapDogs Campaign Relevant
The LapDogs campaign shows how frequently overlooked embedded devices can be weaponized into covert infrastructure that undermines conventional cybersecurity defenses. It makes two things clear:
- Because ORB nodes rotate, indicators of compromise (IOCs) such as node IP addresses go stale quickly; an address that was a relay last week may be assigned to an uninvolved subscriber today.
- Security teams need proactive, infrastructure-level controls rather than indicator matching alone: rigorous firmware management, device validation, behavioural anomaly detection, and network segmentation.
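The anomaly-detection and segmentation points above can be made concrete without any attacker IP address or file hash. The following Python is an added example, not code from the original article or from the LapDogs researchers' tooling, that runs three behavioural rules over Zeek-style conn.log records for a SOHO/IoT VLAN: an IoT host reaching into enterprise address space, an IoT host fanning out to several external peers, and an outside host completing a handshake to an IoT host, which is what a relay node looks like from inside the network. The addressing plan, the allowlist, the threshold, the dotted field names and the log lines are all assumptions constructed for the example.

```python
import ipaddress
import json
from collections import defaultdict
from typing import Dict, List, Set

# Assumptions for this example: the SOHO/IoT VLAN is 10.50.0.0/24, its gateway
# 10.50.0.1 provides DNS and NTP, and any other RFC 1918 address is "enterprise".
IOT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/24")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INFRA_ALLOWLIST = {("10.50.0.1", 53), ("10.50.0.1", 123)}
FANOUT_THRESHOLD = 3  # distinct external peers before a device looks like a relay

# Zeek conn_state values in which the handshake completed; S0/REJ probes are skipped.
ESTABLISHED = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}

# Constructed records in the shape of Zeek's JSON conn.log (field names assumed).
# Public peers use RFC 5737 documentation ranges as stand-ins for Internet
# addresses, which is why "external" below means "not RFC 1918" rather than
# ipaddress.is_global (the documentation ranges are not global either).
SAMPLE_CONN_LOG = """
{"uid":"C01","id.orig_h":"10.50.0.9","id.orig_p":40001,"id.resp_h":"10.50.0.1","id.resp_p":53,"proto":"udp","conn_state":"SF"}
{"uid":"C02","id.orig_h":"10.50.0.9","id.orig_p":40002,"id.resp_h":"198.51.100.20","id.resp_p":443,"proto":"tcp","conn_state":"SF"}
{"uid":"C03","id.orig_h":"10.50.0.7","id.orig_p":40003,"id.resp_h":"10.10.0.25","id.resp_p":445,"proto":"tcp","conn_state":"SF"}
{"uid":"C04","id.orig_h":"10.50.0.7","id.orig_p":40004,"id.resp_h":"203.0.113.5","id.resp_p":443,"proto":"tcp","conn_state":"SF"}
{"uid":"C05","id.orig_h":"10.50.0.7","id.orig_p":40005,"id.resp_h":"203.0.113.6","id.resp_p":443,"proto":"tcp","conn_state":"SF"}
{"uid":"C06","id.orig_h":"10.50.0.7","id.orig_p":40006,"id.resp_h":"203.0.113.7","id.resp_p":8443,"proto":"tcp","conn_state":"SF"}
{"uid":"C07","id.orig_h":"192.0.2.33","id.orig_p":51512,"id.resp_h":"10.50.0.7","id.resp_p":443,"proto":"tcp","conn_state":"SF"}
{"uid":"C08","id.orig_h":"192.0.2.34","id.orig_p":51513,"id.resp_h":"10.50.0.9","id.resp_p":22,"proto":"tcp","conn_state":"S0"}
"""


def in_iot(ip: str) -> bool:
    """True when the address belongs to the SOHO/IoT VLAN."""
    return any(ipaddress.ip_address(ip) in net for net in IOT_SEGMENTS)


def is_internal(ip: str) -> bool:
    """True for RFC 1918 space; anything else is treated as the Internet."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def analyze_conn_log(log_text: str) -> List[Dict[str, str]]:
    """Apply three behavioural rules that need no attacker indicator at all.

    lateral  : an IoT host opened a session into enterprise private space
    fan-out  : an IoT host spoke to >= FANOUT_THRESHOLD distinct external peers
    listener : an outside host completed a handshake *to* an IoT host
    """
    findings: List[Dict[str, str]] = []
    external_peers: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["conn_state"] not in ESTABLISHED:
            continue  # unanswered probes are noise for these three rules
        src, dst, dport = rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"]
        if in_iot(src):
            if (dst, dport) in INFRA_ALLOWLIST or in_iot(dst):
                continue  # expected infrastructure, or IoT-to-IoT chatter
            if is_internal(dst):
                findings.append({"rule": "lateral", "host": src,
                                 "detail": f"{rec['uid']} -> {dst}:{dport}"})
            else:
                external_peers[src].add(dst)
        elif in_iot(dst) and not is_internal(src):
            findings.append({"rule": "listener", "host": dst,
                             "detail": f"{rec['uid']} from {src} to port {dport}"})
    for host, peers in sorted(external_peers.items()):
        if len(peers) >= FANOUT_THRESHOLD:
            findings.append({"rule": "fan-out", "host": host,
                             "detail": ", ".join(sorted(peers))})
    return findings


if __name__ == "__main__":
    for f in analyze_conn_log(SAMPLE_CONN_LOG):
        print(f"{f['rule']:<9} {f['host']:<12} {f['detail']}")
```

In the sample, 10.50.0.7 trips all three rules while 10.50.0.9, which only resolves names through the gateway and talks to one vendor endpoint, trips none. The "listener" rule is the one most specific to ORB abuse: a thermostat or home router on a segmented VLAN has no reason to accept inbound sessions from the Internet, and if it does, the segmentation rules that should have blocked that path deserve a look as well.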
The LapDogs advanced persistent threat (APT) campaign marks a shift toward low-noise, disciplined cyber espionage built on compromised SOHO and Internet of Things devices. Its persistence, stealth, and regional focus show a sophisticated actor favouring invisibility over blunt force, and that trend raises the bar for the security strategies needed to counter covert threats of this kind.
Protecting Networks from LapDogs
To defend against these stealthy threats, teams should build layered defenses. A few suggestions:
- Ensure routers, NAS devices, and IP cameras are running the latest vendor firmware.
- Replace EOL devices with actively supported models.
- Disable unused services (UPnP, Telnet) and enforce strong, unique admin credentials.
Network Segmentation
- Use VLANs or firewalled segments to isolate SOHO/IoT devices from critical enterprise systems.
- Apply zero-trust principles to limit lateral movement from compromised nodes.
- Inspect internal and external TLS traffic for suspicious self-signed certificates, especially ones that claim a legitimate authority (as the LAPD-themed certificate used by LapDogs does).
- Use certificate transparency logs, bearing in mind that they only record certificates from publicly trusted CAs: a self-signed certificate never appears there, so a certificate claiming a well-known organization with no matching CT entry is itself a signal.
- Deploy intrusion detection/prevention systems (IDS/IPS) to flag unusual outbound traffic from non-standard devices.
- Automate vulnerability management for Linux and Windows endpoints, and apply EDR/XDR solutions that can recognize implants attempting persistence. Bear in mind that the routers and NAS devices ShortLeash actually runs on cannot host an agent, so for those devices detection falls to firmware integrity checks and network monitoring.
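The certificate check suggested above, applied to the ShortLeash pattern described earlier, can be automated over passive TLS metadata. The following Python is an added example, not code from the original article or from the LapDogs researchers, that scans Zeek-style x509.log records and ranks them: self-signed and claiming a public authority is the pattern the text describes, a self-signed certificate on its own is merely worth noting, because many consumer devices ship that way. The log lines and certificate values are constructed for this example, the dotted field names assume Zeek's JSON x509.log output, and the watchlist of organization words is an assumption to tune for your environment.

```python
import json
from typing import Dict, List

# Constructed records in the shape of Zeek's JSON x509.log. The dotted field
# names are an assumption about Zeek's default JSON output, and every
# certificate value here is invented for the example, not captured LapDogs data.
SAMPLE_X509_LOG = """
{"ts":1718000001.1,"id":"FaaaA1","certificate.subject":"CN=www.example.com,O=Example Corp,L=Los Angeles,ST=California,C=US","certificate.issuer":"CN=R3,O=Let's Encrypt,C=US"}
{"ts":1718000002.2,"id":"FbbbB2","certificate.subject":"CN=LAPD,O=Los Angeles Police Department,L=Los Angeles,ST=California,C=US","certificate.issuer":"CN=LAPD,O=Los Angeles Police Department,L=Los Angeles,ST=California,C=US"}
{"ts":1718000003.3,"id":"FcccC3","certificate.subject":"CN=router.lan,O=Home,C=US","certificate.issuer":"CN=router.lan,O=Home,C=US"}
{"ts":1718000004.4,"id":"FdddD4","certificate.subject":"CN=nas01,O=Acme Storage, Inc.,C=US","certificate.issuer":"CN=Acme Device CA,O=Acme Storage, Inc.,C=US"}
"""

# Words that belong to public authorities and have no business in a certificate
# served by a SOHO router or NAS. An assumed starting list; tune it locally.
SUSPICIOUS_ORG_WORDS = ("police", "sheriff", "government", "ministry", "department of")


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse a Zeek-style distinguished name ('CN=a,O=b,C=US') into a dict.

    A segment without '=' is a continuation of the previous value, so
    'O=Acme Storage, Inc.' keeps its comma instead of breaking the parse.
    """
    attrs: Dict[str, str] = {}
    last_key = None
    for segment in dn.split(","):
        if "=" in segment:
            key, value = segment.split("=", 1)
            last_key = key.strip().upper()
            attrs[last_key] = value.strip()
        elif last_key is not None:
            attrs[last_key] += "," + segment
    return attrs


def is_self_signed(subject: str, issuer: str) -> bool:
    """Issuer DN equal to subject DN means self-issued; a CA never looks like this."""
    return parse_dn(subject) == parse_dn(issuer)


def suspicious_identity(dn: str) -> bool:
    """True when CN/O/OU name an authority a SOHO device would never be."""
    attrs = parse_dn(dn)
    text = " ".join(attrs.get(k, "") for k in ("CN", "O", "OU")).lower()
    return any(word in text for word in SUSPICIOUS_ORG_WORDS)


def scan_x509_log(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per certificate worth a human look, ranked by severity."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        subject, issuer = rec["certificate.subject"], rec["certificate.issuer"]
        self_signed = is_self_signed(subject, issuer)
        odd_name = suspicious_identity(subject) or suspicious_identity(issuer)
        if self_signed and odd_name:
            severity = "high"    # self-issued and impersonating an authority
        elif odd_name:
            severity = "medium"  # no public CA is named after a police force
        elif self_signed:
            severity = "low"     # consumer devices ship self-signed by default
        else:
            continue             # CA-issued: leave it to normal PKI validation
        findings.append({"id": rec["id"], "severity": severity, "subject": subject})
    return findings


if __name__ == "__main__":
    for f in scan_x509_log(SAMPLE_X509_LOG):
        print(f"{f['severity']:<6} {f['id']} {f['subject']}")
```

Two caveats when running this for real. First, the watchlist only catches names you thought of; an operator can pick any organization, so the "low" tier (any self-signed certificate served by a SOHO device to external peers) still deserves periodic review rather than a permanent mute. Second, a hit tells you which device presented the certificate, not who is behind it; join the finding back to connection metadata to see which peers the device is relaying for before deciding the device is a node rather than a misconfiguration.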
Traditional defenses that rely on static indicators will not be enough against threats like LapDogs, which use low-noise, rotating infrastructure. By closing these blind spots, security teams can blunt the effectiveness of covert espionage attempts.