Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
Malware

LapDogs

LapDogs is a malware/operational relay box (ORB) network first identified in 2025 and described as China-linked. It primarily targets Linux-based SOHO edge devices, including routers such as Ruckus and Buffalo models, with targeting focused on the United States and Southeast Asia; additional referenced targeting includes Taiwan, Japan, South Korea, and Hong Kong. LapDogs uses a custom Linux backdoor named ShortLeash and maintains covert command-and-control through unique self-signed TLS certificates generated per node that mimic LAPD metadata. Persistence is described as using root-privileged systemd service files. The activity is characterized as supporting covert relay infrastructure and cyber espionage rather than conventional botnet use, and the content links LapDogs to the espionage actor UAT-5918 as referenced by Cisco Talos. High-confidence identifiers mentioned in the content include the ShortLeash backdoor and the distinctive LAPD-mimicking self-signed TLS certificates.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190Exploit Public-Facing ApplicationEvidence1

"It leverages the proprietary AiCloud service with n-day vulnerabilities in order to gain high privileges on End-Of-Life ASUS WRT routers" ... "The attacks likely exploit vulnerabilities tracked as CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2024-12912, and CVE-2025-2492 for proliferation."

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
the hacker newsNews
Jun 22, 2026
AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network

A router-focused ORB-style malware/network that compromises devices via n-day vulnerabilities to build relay and scanning infrastructure.

Read more
the hacker newsNews
Nov 19, 2025
WrtHug Exploits Six ASUS WRT Flaws to Hijack Tens of Thousands of EoL Routers Worldwide

Named ORB campaign targeting routers (no additional technical details provided in the content).

Read more
huntio blogNews
Jun 26, 2025
LapDogs, PolarEdge, and Volt Typhoon: China-Linked ORB Networks Escalate Espionage Against SOHO and Critical Infrastructure

China-linked ORB network leveraging a custom backdoor (ShortLeash) to compromise Linux-based SOHO devices for persistent espionage, using unique TLS certificates for covert C2.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping1

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.