Mallory
1 malware family

LapDogs

Also known asLapDogs

LapDogs is a China-nexus Operational Relay Box (ORB) network identified by SecurityScorecard's STRIKE team and used to support prolonged cyber-espionage operations. It consists of more than 1,000 compromised nodes, primarily Linux-based SOHO and edge devices, and has been active since at least September 2023. Reported target geography includes the United States, Japan, South Korea, Hong Kong, Taiwan, and Southeast Asia. Affected sectors mentioned in the reporting include IT, networking, media, real estate, and municipal services. Reported affected device and service vendors include Ruckus Wireless, ASUS, Buffalo Technology, Cisco-Linksys, D-Link, Microsoft, Panasonic, and Synology, with Ruckus devices making up a large share of observed infections.

LapDogs is powered by a custom backdoor called ShortLeash. ShortLeash provides persistent root-level access, establishes persistence through a systemd .service unit, stands up a fake Nginx web server, and generates a unique self-signed TLS certificate per node whose issuer metadata references "LAPD", which SecurityScorecard assessed was intended to impersonate the Los Angeles Police Department. Initial access reportedly relies on exploitation of known (N-day) vulnerabilities in older or unpatched devices, including CVE-2015-1548 and CVE-2017-17663. Researchers observed batch-style infections, often no more than 60 devices at a time, and identified 162 distinct intrusion sets.

SecurityScorecard assessed with moderate confidence that LapDogs is linked to China-nexus actors and described it as relay infrastructure used to obfuscate operations rather than to conduct direct attacks. Reporting states LapDogs shares some similarities with the separate China-linked ORB cluster PolarEdge, but the two were assessed as distinct because of different infection and persistence methods. SecurityScorecard also stated with medium confidence that the China-linked group UAT-5918 used LapDogs in at least one operation targeting Taiwan, but it remains unclear whether UAT-5918 operates LapDogs or is a client of the network.
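A hunting check for the certificate behaviour described above, written as an added example; it is not SecurityScorecard's, Mallory's or the malware's own code. It parses constructed Zeek-style x509 records, keeps only self-signed certificates (subject equals issuer) whose issuer references "LAPD" as a whole token, and counts distinct fingerprints per issuer, since the reporting says each node carries its own certificate. The field layout, the sample records, the issuer strings and the exact "LAPD" match are assumptions for illustration; the published report's IOCs should replace them before this is run against real logs.

```python
"""
Hunt for ShortLeash-style self-signed TLS certificates in x509 log records.

Added example (not from the LapDogs reporting). Assumptions:
- tab-separated records: ts, uid, fingerprint, subject, issuer, server_ip
  (a simplified Zeek x509.log layout, constructed for this example);
- the page's description only: self-signed, unique per node, issuer
  metadata referencing "LAPD". The real issuer string is not reproduced
  here, so matching is a whole-token "LAPD" search in the issuer field.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records. Not real IOCs; IPs are documentation ranges.
SAMPLE_LOG = """\
1719400000.1\tF1\tsha256:aaa111\tCN=LAPD,O=Los Angeles Police Department\tCN=LAPD,O=Los Angeles Police Department\t198.51.100.10
1719400001.2\tF2\tsha256:bbb222\tCN=LAPD,O=Los Angeles Police Department\tCN=LAPD,O=Los Angeles Police Department\t198.51.100.11
1719400002.3\tF3\tsha256:ccc333\tCN=example.com\tCN=R3,O=Let's Encrypt\t203.0.113.5
1719400003.4\tF4\tsha256:ddd444\tCN=router.local\tCN=router.local\t192.0.2.7
1719400004.5\tF5\tsha256:eee555\tCN=OLAPDATA.internal\tCN=OLAPDATA.internal\t192.0.2.8
"""

# Whole-token match so "OLAPDATA" or similar substrings do not fire.
LAPD_TOKEN = re.compile(r"\bLAPD\b")


@dataclass(frozen=True)
class X509Record:
    ts: float
    uid: str
    fingerprint: str
    subject: str
    issuer: str
    server_ip: str

    @property
    def self_signed(self) -> bool:
        # A certificate whose issuer equals its subject was signed by itself.
        return self.subject == self.issuer


def parse_log(text: str) -> list[X509Record]:
    """Parse the constructed tab-separated layout; skips blank/comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, uid, fp, subject, issuer, ip = line.split("\t")
        records.append(X509Record(float(ts), uid, fp, subject, issuer, ip))
    return records


def is_lapd_style(rec: X509Record) -> bool:
    """Self-signed and the issuer references LAPD as a standalone token."""
    return rec.self_signed and LAPD_TOKEN.search(rec.issuer) is not None


def hunt(records: list[X509Record]) -> tuple[list[X509Record], dict[str, int]]:
    """
    Return the matching records and, per issuer string, the number of distinct
    certificate fingerprints. Many fingerprints behind one issuer string is the
    'unique certificate per node' pattern the reporting describes.
    """
    hits = [r for r in records if is_lapd_style(r)]
    fps_by_issuer: dict[str, set[str]] = defaultdict(set)
    for r in hits:
        fps_by_issuer[r.issuer].add(r.fingerprint)
    return hits, {issuer: len(fps) for issuer, fps in fps_by_issuer.items()}


def main() -> None:
    hits, per_issuer = hunt(parse_log(SAMPLE_LOG))
    for r in hits:
        print(f"HIT {r.uid} {r.server_ip} {r.fingerprint} issuer={r.issuer!r}")
    for issuer, n in per_issuer.items():
        print(f"{n} distinct certificate(s) share issuer {issuer!r}")


if __name__ == "__main__":
    main()
```

Run against real Zeek output, map the fields from x509.log (certificate.subject, certificate.issuer, fingerprint) and join on the ssl.log connection to get the server address; the self-signed test and the issuer token are the only parts that carry over from the page's description, and the token should be replaced by the report's published issuer values.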


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • critical-infrastructure
  • government
  • defense
  • technology
  • telecommunications

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

The Hacker News | News
Nov 19, 2025
WrtHug Exploits Six ASUS WRT Flaws to Hijack Tens of Thousands of EoL Routers Worldwide

LapDogs is mentioned only as a named ORB activity cluster reported to have targeted routers in recent months; the article gives no further detail on it.

Read more
The Hacker News | News
Jun 27, 2025
Over 1,000 SOHO Devices Hacked in China-linked LapDogs Cyber Espionage Campaign

A China-nexus cyber-espionage enabling ORB infrastructure built from >1,000 compromised SOHO/IoT and some VPS/Windows systems, used to provide anonymization/relay and potentially staging/C2 capabilities. Uses the custom ShortLeash backdoor, persists via a .service file, and leverages known (N-day) vulnerabilities for initial access.

Read more
Hunt.io blog | News
Jun 26, 2025
LapDogs, PolarEdge, and Volt Typhoon: China-Linked ORB Networks Escalate Espionage Against SOHO and Critical Infrastructure

China-linked ORB network (reported in 2025) compromising Linux-based SOHO devices (notably Ruckus and Buffalo routers) to build relay infrastructure for persistent espionage. Uses the custom backdoor ShortLeash and unique self-signed TLS certificates mimicking LAPD metadata; persistence via a systemd service unit.

Read more
Dark Reading | News
Jun 24, 2025
China-Nexus 'LapDogs' Network Thrives on Backdoored SOHO Devices

China-nexus operational relay box (ORB) infrastructure built from backdoored Linux-based SOHO/IoT devices and routers, used to provide covert cyber-espionage infrastructure (relay/proxy) enabling reconnaissance, vulnerability scanning, anonymized browsing, and C2 for follow-on operations. Uses a custom backdoor ('ShortLeash') and per-node self-signed TLS certificates with spoofed LAPD metadata to blend in/evade detection.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (1)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.