Operational Relay Box - SparTech Software

An Operational Relay Box (ORB) network is a sophisticated infrastructure used by cyber threat actors to conduct covert operations, primarily to evade detection, obscure attack origins, and complicate cyber defense efforts via a mesh-like architecture. ORB networks are constructed from a mix of compromised devices—such as routers, Internet of Things (IoT) devices, industrial control systems, and commercially leased virtual private servers (VPS). These devices are often “farmed” by exploiting vulnerabilities in forgotten or unpatched hardware.

How ORB Networks Function

ORB networks create a decentralized mesh of nodes. Traffic is routed through multiple “relay boxes,” with connections occurring between the nodes themselves. This structure makes it difficult to trace the original source of an attack, as the entry and exit points are constantly changing. Each node in the network acts as a proxy, relaying traffic between the attacker’s command-and-control (C2) infrastructure and the intended target. This helps mask the true identity and location of the threat actors.

The lifespan of individual nodes (IP addresses) can be very short—sometimes as brief as 31 days—due to frequent cycling of compromised or leased devices. This rapid turnover further complicates detection and attribution.

ORB networks can be made up of both leased VPS and compromised devices, offering flexibility and resilience. Administrators can easily expand the network by adding new vulnerable devices.

Comparison to Botnets

While ORB networks share similarities with traditional botnets—such as the use of compromised devices—they differ in important ways:

Feature	Botnet	ORB Network
Control	Centralized (“bot herder”)	Decentralized or mesh-based
Devices	Mostly compromised	Mix of compromised and leased VPS
Purpose	DDoS, spam, attacks	Espionage, stealth, obfuscation
Traffic Obfuscation	Moderate	High (via multiple relays)

Why ORB Networks Are Used

ORB networks are particularly favored by state-sponsored actors for cyber espionage. By routing traffic through a complex web of nodes, these networks make it extremely difficult for defenders to identify and block malicious activity, or to attribute attacks to a specific group or country. The use of ORB networks is a growing trend among China-linked advanced persistent threat (APT) groups, who leverage them to conduct long-term intelligence gathering and maintain plausible deniability.

Synonyms:

ORB

China-linked APT group has built an ORB network (LapDogs) comprising > 1,000 compromised devices for cyber-espionage targeting the United States.
A China-linked advanced persistent threat (APT) group has built a large-scale Operational Relay Box (ORB) network named LapDogs, comprising over 1,000 compromised devices globally. This infrastructure supports covert cyber-espionage operations targeting entities in the United States and Southeast Asia, with a focus on sectors like real estate, IT, networking, and media.
Glossary: PolarEdge
PolarEdge refers to a covert cyber espionage infrastructure attributed to China-linked advanced persistent threat (APT) actors. It is a large-scale, stealthy network of compromised internet-connected devices—primarily routers and IoT devices—used to facilitate cyber operations globally.
Glossary: SPACEHOP
SPACEHOP is the codename for a sophisticated, China-linked cyber infrastructure known as an Operational Relay Box (ORB) network. It is actively used by multiple Chinese advanced persistent threat (APT) groups—including APT5 and APT15—for espionage, reconnaissance, and exploitation of vulnerabilities in targeted systems.
Glossary: LapDogs
The LapDogs infrastructure is a covert cyber-espionage network attributed to China-nexus threat actors. It represents a sophisticated and methodically expanding Operational Relay Box (ORB) network, primarily targeting Small Office/Home Office (SOHO) routers and Internet of Things (IoT) devices globally, with a particular focus on the United States and key regions in Southeast Asia, including Japan, South Korea, Taiwan, and Hong Kong.
How to detect a Operational Relay Box (ORB) network infrastructure.
Detecting Operational Relay Box (ORB) networks requires specialized techniques due to their design for stealth and evasion. These networks blend malicious traffic with legitimate flows by leveraging compromised devices (e.g., routers, IoT equipment) and leased infrastructure. Below are key detection strategies based on current cybersecurity research.

United States	~59% of ransomware attacks globally Thousands per year
Poland	1,000+ per week
Russia	Highest cybercrime threat level
China	Thousands per year
India	115% surge in attacks Q2 2024
Ukraine	Significant surge since 2022
Brazil	Among top countries for blocked attacks
Mexico	65% of businesses hit in 2024
Germany	High targeted rate (EU)
France	High targeted rate (EU)

AS Name	ASN
Bharat Sanchar Nigam Ltd	9829
No.31,Jin-rong Street	4134
CHINA UNICOM China169 Backbone	4837
DigitalOcean, LLC	14061
HUAWEI INTERNATIONAL PTE. LTD.	136907
Amazon.com, Inc.	14618
Alibaba (US) Technology Co., Ltd.	45102
Google LLC	396982
Amazon.com, Inc.	16509
3xK Tech GmbH	200373

IP Address	Notable Exploits/Context
104.238.159.149	SharePoint zero-day, broad exploitation
107.191.58.76	SharePoint zero-day, government targets
96.9.125.147	SharePoint, previously Ivanti exploits
139.162.47.194	Exploits on CitrixBleed 2
38.180.148.215	CitrixBleed 2 campaigns
185.224.128.17	High activity, Netherlands
89.248.163.200	High activity, Netherlands
15.235.218.150	Associated with APT, active C2
45.9.148.114	Associated with C2, malicious netflow
91.107.150.184	C2 infrastructure, recent IoC

How ORB Networks Function

Comparison to Botnets

Why ORB Networks Are Used

Related