A China-linked advanced persistent threat (APT) group has built a large-scale Operational Relay Box (ORB) network named LapDogs, comprising over 1,000 compromised devices worldwide. An ORB network is a pool of compromised (or rented) devices that operators chain together as relay hops, so that traffic reaching a target appears to come from an unremarkable residential or small-business address rather than from attacker-owned infrastructure. LapDogs supports covert cyber-espionage operations against entities in the United States and Asia, with a focus on the real estate, IT, networking, and media sectors.
Campaign Infrastructure
The APT uses a custom backdoor called ShortLeash to infect Small Office/Home Office (SOHO) devices, primarily routers (e.g., Ruckus Wireless, Buffalo AirStation) and IoT endpoints. ShortLeash establishes persistent access and turns the device into a relay node, enabling stealthy command-and-control (C2) operations that blend into the device's normal traffic.
Obfuscation Tactics
ShortLeash serves a self-signed TLS certificate whose subject claims to be the Los Angeles Police Department (LAPD), a detail intended to make the node look legitimate to a casual investigator. Initial access relies on legacy vulnerabilities, notably CVE-2015-1548 and CVE-2017-17663; both are flaws in the ACME mini_httpd web server that ships in many SOHO devices' management interfaces, so devices still running unpatched firmware with that service reachable from the internet are the ones at risk.
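The certificate described above is the kind of artifact a network defender can test for directly. The following is an added example, not code from the original report or from the threat actor's tooling: it inspects a parsed leaf certificate for the signals that, taken together, distinguish an ORB node's cover certificate from an ordinary router admin page. The watchlist entries, thresholds, scoring weights and both sample certificates are assumptions constructed for the example; the "LAPD" name comes from the campaign description, not from the real certificate's exact fields.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Watchlist holds organisation names a SOHO device has no business presenting.
// "LAPD" is from the campaign description; extend with local names as needed (assumption).
var Watchlist = []string{"LAPD", "Los Angeles Police Department"}

// Report collects the signals Inspect found on one leaf certificate.
type Report struct {
	SelfSigned   bool   // subject == issuer and the cert verifies under its own key
	Impersonates string // first subject name matching Watchlist, "" if none
	NoSAN        bool   // no DNS or IP subject alternative names at all
	LongValidity bool   // validity period longer than five years
}

// Score weights the signals (assumed weights): a watchlist hit alone is worth
// triage; the other three are individually common on consumer gear.
func (r Report) Score() int {
	s := 0
	if r.SelfSigned {
		s++
	}
	if r.NoSAN {
		s++
	}
	if r.LongValidity {
		s++
	}
	if r.Impersonates != "" {
		s += 3
	}
	return s
}

// Inspect examines a parsed certificate, e.g. tls.ConnectionState.PeerCertificates[0].
func Inspect(cert *x509.Certificate, watchlist []string) Report {
	var r Report
	// Self-signed: issuer equals subject and the signature verifies with the cert's own key.
	if bytes.Equal(cert.RawSubject, cert.RawIssuer) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		r.SelfSigned = true
	}
	names := append([]string{cert.Subject.CommonName}, cert.Subject.Organization...)
	names = append(names, cert.Subject.OrganizationalUnit...)
outer:
	for _, n := range names {
		for _, w := range watchlist {
			if strings.Contains(strings.ToLower(n), strings.ToLower(w)) {
				r.Impersonates = n
				break outer
			}
		}
	}
	r.NoSAN = len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0
	r.LongValidity = cert.NotAfter.Sub(cert.NotBefore) > 5*365*24*time.Hour
	return r
}

// MakeSelfSigned builds a throwaway self-signed certificate so Inspect can be exercised offline.
func MakeSelfSigned(subject pkix.Name, dnsNames []string, years int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notBefore := time.Now().Add(-time.Hour)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		DNSNames:     dnsNames,
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(years) * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleReports inspects two constructed certificates: one shaped like the campaign's
// LAPD-branded cover certificate, one shaped like an ordinary router admin UI.
func SampleReports() (suspicious, benign Report, err error) {
	bad, err := MakeSelfSigned(pkix.Name{CommonName: "LAPD", Organization: []string{"LAPD"}}, nil, 10)
	if err != nil {
		return
	}
	good, err := MakeSelfSigned(pkix.Name{CommonName: "router.home.arpa", Organization: []string{"Example Home Router"}},
		[]string{"router.home.arpa"}, 1)
	if err != nil {
		return
	}
	return Inspect(bad, Watchlist), Inspect(good, Watchlist), nil
}

func main() {
	s, b, err := SampleReports()
	if err != nil {
		panic(err)
	}
	fmt.Printf("LAPD-style cert: %+v score=%d\n", s, s.Score())
	fmt.Printf("ordinary router: %+v score=%d\n", b, b.Score())
}
```

A self-signed certificate on its own is a weak signal, since nearly every SOHO device's admin page presents one; the useful check is the combination of an implausible subject organisation with a long-lived, SAN-less, self-signed certificate on a device that should not be serving TLS to the internet at all.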
Targeting and Victimology
About 90% of compromised devices are located in the U.S. and Asia (Japan, South Korea, Hong Kong, Taiwan), and the organisations behind them fall primarily in the real estate, IT services, media, and networking industries.
Modus Operandi
Devices in the ORB serve two roles: as proxies that anonymise the operators' traffic toward third-party targets, and as initial access points into the local networks behind the compromised devices themselves. In the proxy role a node both accepts connections from the upstream hop and opens connections onward, a fan-in/fan-out pattern a consumer router does not normally exhibit.
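That fan-in/fan-out pattern is something an ISP, an MSP or a corporate NetFlow collector can look for. The following is an added example, not code from the original report: it applies a simple relay heuristic over constructed NetFlow-like records, flagging a monitored SOHO device that both accepts connections from several distinct external initiators and opens connections to several distinct external responders. The record format, the addresses (all from RFC 5737 test ranges), the device list and the thresholds are assumptions for the example and would need tuning against real baselines.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
)

// Flow is one connection record: initiator, responder, responder port.
type Flow struct {
	Src, Dst string
	DstPort  int
}

// SampleFlows is constructed, NetFlow-like telemetry (not real campaign data).
// 198.51.100.7 and 198.51.100.8 are the monitored SOHO devices' WAN addresses.
const SampleFlows = `# src dst dport
203.0.113.11 198.51.100.7 443
203.0.113.12 198.51.100.7 443
203.0.113.13 198.51.100.7 443
203.0.113.14 198.51.100.7 443
203.0.113.15 198.51.100.7 443
198.51.100.7 192.0.2.21 443
198.51.100.7 192.0.2.22 443
198.51.100.7 192.0.2.23 443
198.51.100.7 192.0.2.24 443
198.51.100.7 192.0.2.25 443
198.51.100.8 192.0.2.31 443
198.51.100.8 192.0.2.32 443
192.168.1.10 198.51.100.8 80
`

// ParseFlows reads the whitespace-separated format above, skipping blanks and comments.
func ParseFlows(text string) []Flow {
	var flows []Flow
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			continue
		}
		port, err := strconv.Atoi(f[2])
		if err != nil {
			continue
		}
		flows = append(flows, Flow{Src: f[0], Dst: f[1], DstPort: port})
	}
	return flows
}

// isExternal is true for routable addresses outside private, loopback and link-local ranges,
// so LAN-side traffic through the router is not mistaken for relay activity.
func isExternal(addr string) bool {
	ip := net.ParseIP(addr)
	return ip != nil && !ip.IsPrivate() && !ip.IsLoopback() && !ip.IsLinkLocalUnicast()
}

// Finding reports a device showing relay-like fan-in and fan-out.
type Finding struct {
	Device        string
	InboundPeers  int // distinct external addresses that connected to the device
	OutboundPeers int // distinct external addresses the device connected to
}

// DetectRelays flags monitored devices that accept connections from at least minIn
// distinct external initiators and open connections to at least minOut distinct
// external responders. A consumer router normally does only the latter.
func DetectRelays(flows []Flow, devices map[string]bool, minIn, minOut int) []Finding {
	in := map[string]map[string]bool{}
	out := map[string]map[string]bool{}
	add := func(m map[string]map[string]bool, dev, peer string) {
		if m[dev] == nil {
			m[dev] = map[string]bool{}
		}
		m[dev][peer] = true
	}
	for _, f := range flows {
		switch {
		case devices[f.Dst] && isExternal(f.Src):
			add(in, f.Dst, f.Src)
		case devices[f.Src] && isExternal(f.Dst):
			add(out, f.Src, f.Dst)
		}
	}
	var findings []Finding
	for dev := range devices {
		if len(in[dev]) >= minIn && len(out[dev]) >= minOut {
			findings = append(findings, Finding{Device: dev, InboundPeers: len(in[dev]), OutboundPeers: len(out[dev])})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Device < findings[j].Device })
	return findings
}

func main() {
	devices := map[string]bool{"198.51.100.7": true, "198.51.100.8": true}
	for _, f := range DetectRelays(ParseFlows(SampleFlows), devices, 3, 3) {
		fmt.Printf("%s: %d inbound peers, %d outbound peers -> possible relay node\n",
			f.Device, f.InboundPeers, f.OutboundPeers)
	}
}
```

The heuristic deliberately ignores packet volume: ORB operators keep per-node traffic low, so counting distinct peers over a window of hours or days is more robust than any byte threshold. Devices that legitimately accept inbound connections (a self-hosted VPN endpoint, for example) will need an allowlist.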
Campaign Evolution
The campaign has been active since at least September 2023 and has grown in deliberate, small batches of no more than 60 devices per operation, which keeps any single wave below the noise floor of most scanning and telemetry. Over 1,000 nodes have been confirmed, organised into 162 distinct intrusion sets, each a small group of nodes reserved for a particular set of targets. Evidence supporting attribution includes Mandarin-language developer notes, infrastructure overlaps with known China-linked groups (e.g., APT15), and victim selection consistent with Chinese geopolitical interests.
LapDogs reflects a broader shift among Chinese threat actors toward ORB networks, which gain stealth by blending malicious traffic with a device's legitimate operations and offer plausible deniability by masking the true origin behind layered proxy chains.
Broader Implications
ORB networks like LapDogs exemplify the strategic use of “low-and-slow” espionage tactics, complicating detection and attribution. Similar infrastructures (e.g., PolarEdge, SPACEHOP) are increasingly adopted by China-linked groups for long-term intelligence gathering.
This campaign highlights the urgent need for better security and network monitoring of SOHO devices to counter state-sponsored cyber espionage: retire or replace end-of-life routers, keep firmware current, keep management services (including embedded web servers such as mini_httpd) off the WAN interface, and watch for devices that begin accepting inbound connections or presenting TLS certificates they have no reason to serve.