Mallory
Malware | Used by 4 actors | Exploits 2 CVEs

ShortLeash

ShortLeash is a custom backdoor used in the China-nexus Operational Relay Box (ORB) network dubbed LapDogs. It is primarily deployed against Linux-based SOHO routers, IoT devices, and other edge systems, with observed concentration on Ruckus Wireless access points and Buffalo routers, and additional affected products from vendors including ASUS, Cisco-Linksys, D-Link, Microsoft, Panasonic, and Synology. SecurityScorecard reported LapDogs activity from at least September 2023, with infections concentrated in the United States, Japan, South Korea, Hong Kong, and Taiwan, and victims spanning IT, networking, media, real estate, and related sectors.

ShortLeash is used to maintain persistent, stealthy, long-term access on compromised devices and provides root-level access. It is assessed to be delivered primarily via shell script, with startup Bash-script execution requiring root privileges, environment checks for Ubuntu or CentOS, and persistence established by dropping a malicious systemd .service file so it survives reboot. Researchers also found artifacts indicating a Windows variant exists. Once active, ShortLeash sets up a fake Nginx web server and generates a unique self-signed TLS certificate per infected node with issuer metadata spoofing "LAPD," apparently impersonating the Los Angeles Police Department. These spoofed certificates were a key fingerprint used to track more than 1,000 infected nodes. The malware has also been described as creating encrypted backups and running as a background service.
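As an added defender-side example (not code from this page, from SecurityScorecard, or from Mallory), the following Go check applies the certificate fingerprint described above: it flags a certificate that is self-signed and carries "LAPD" in its issuer name. The sample certificate it builds is constructed here for offline use, and because the page does not say which issuer field carries "LAPD", matching any issuer attribute is an assumption.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// flagDER applies the fingerprint described above to a DER certificate (for
// example PeerCertificates[0].Raw from a TLS handshake): self-signed (issuer
// equals subject and the signature verifies under the cert's own key) with
// "LAPD" in the issuer name (any issuer attribute; the field is an assumption).
func flagDER(der []byte) (bool, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	if !bytes.Equal(c.RawIssuer, c.RawSubject) {
		return false, nil
	}
	if c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) != nil {
		return false, nil
	}
	return strings.Contains(strings.ToUpper(c.Issuer.String()), "LAPD"), nil
}

// sampleSelfSignedDER is a constructed test fixture: a self-signed certificate
// whose issuer organization is org (key-generation errors are ignored here).
func sampleSelfSignedDER(org string) ([]byte, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

func main() {
	der, _ := sampleSelfSignedDER("LAPD")
	hit, err := flagDER(der)
	fmt.Println("flagged:", hit, "err:", err)
}
```

In a real hunt the DER bytes would come from the peer certificate of a TLS connection to the device; a hit is a lead to pivot on, not proof of infection, since any self-signed certificate mentioning "LAPD" matches.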

Initial access in LapDogs intrusions was obtained by exploiting known N-day vulnerabilities in Linux-based devices, including CVE-2015-1548 and CVE-2017-17663, and the campaign also targeted devices with old and unpatched SSH services. SecurityScorecard reported infections were launched in coordinated batches, often up to 60 devices at a time, with shared port assignments suggesting centralized operator control. Forensic evidence including developer notes in Mandarin strongly supports attribution to a Chinese actor. SecurityScorecard assessed with medium confidence that the China-linked group UAT-5918 used LapDogs in at least one operation targeting Taiwan, although it remains unclear whether UAT-5918 operated the network or used it as a client. Published indicators associated with ShortLeash and LapDogs include spoofed TLS certificate fingerprints, C2 domains, and malware signatures.


Exploited CVEs

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2015-1548: Out-of-bounds read in mini_httpd long protocol string handling

"...infecting small office/home office (SOHO) routers with a custom backdoor named ShortLeash, which provides stealthy, long-term access to the compromised devices." | Most of the infected devices are Ruckus Wireless access points, followed by Buffalo Technology AirStation wireless routers. Running old and unpatched SSH services, they were found vulnerable to CVE-2015-1548 and CVE-2017-17663.

via SecurityWeek (securityweek.com)
CVE-2017-17663: Remote buffer overflow in mini_httpd/thttpd htpasswd (exploited in the wild)

"The attacks themselves weaponize N-day security vulnerabilities (e.g., CVE-2015-1548 and CVE-2017-17663) to obtain initial access." | LapDogs' beating heart is a custom backdoor called ShortLeash that's engineered to enlist infected devices in the network.

via The Hacker News (thehackernews.com)
Threat actors

4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

UAT-5918

LapDogs leverages a custom backdoor ("ShortLeash") with unique self-signed TLS certificates mimicking LAPD metadata, focusing on Linux-based SOHO devices (notably Ruckus and Buffalo routers).

via huntio blog (blog.alphahunt.io)
LapDogs

LapDogs leverages a custom backdoor ("ShortLeash") with unique self-signed TLS certificates mimicking LAPD metadata, focusing on Linux-based SOHO devices (notably Ruckus and Buffalo routers).

via huntio blog (blog.alphahunt.io)
Flax Typhoon

Forensic evidence such as developer notes written in Mandarin in a custom backdoor SecurityScorecard named "ShortLeash," plus tools, techniques and procedures "strongly supports" attribution to a Chinese actor.

via BankInfoSecurity (bankinfosecurity.com)
Volt Typhoon

Forensic evidence such as developer notes written in Mandarin in a custom backdoor SecurityScorecard named "ShortLeash," plus tools, techniques and procedures "strongly supports" attribution to a Chinese actor.

via BankInfoSecurity (bankinfosecurity.com)
Indicators of compromise

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (1 tracked): IPs, domains, and DNS infrastructure linked to this family.

Type: domain | Value: redacted on the public page | Latest sighting: 1 year ago
Activity feed

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

The Hacker News (news), Jun 30, 2025
⚡ Weekly Recap: Airline Hacks, Citrix 0-Day, Outlook Malware, Banking Trojans and more

ShortLeash is a backdoor malware deployed on compromised SOHO devices, such as routers and IoT devices, as part of a China-linked espionage campaign. Its specific capabilities are not fully detailed, but it is used to maintain long-term access to victim networks.
The Hacker News (news), Jun 27, 2025
Over 1,000 SOHO Devices Hacked in China-linked LapDogs Cyber Espionage Campaign

Custom backdoor used to enlist compromised SOHO/IoT and some Windows/VPS systems into the LapDogs ORB network; sets up a fake Nginx web server, generates a unique self-signed TLS certificate (issuer 'LAPD'), and persists via a .service file with root-level privileges on Linux-based devices.
huntio blog (news), Jun 26, 2025
LapDogs, PolarEdge, and Volt Typhoon: China-Linked ORB Networks Escalate Espionage Against SOHO and Critical Infrastructure

Custom backdoor used by the LapDogs ORB network to maintain covert command-and-control and persistence on Linux-based SOHO devices, using unique self-signed TLS certificates and systemd-based persistence.
Dark Reading (news), Jun 24, 2025
China-Nexus 'LapDogs' Network Thrives on Backdoored SOHO Devices

Custom backdoor used to maintain persistent access on compromised Linux-based SOHO devices within the LapDogs ORB network; generates unique self-signed TLS certificates with spoofed metadata per node to help masquerade infected nodes as legitimate devices and support C2/relay operations.