In a new report, SecurityScorecard’s STRIKE threat intelligence team has exposed a covert espionage campaign dubbed “LapDogs”, a sophisticated Operational Relay Box (ORB) network suspected to be operated by China-Nexus threat actors. The campaign primarily targets Linux-based Small Office/Home Office (SOHO) devices, with more than 1,000 active infected nodes scattered across the United States, Japan, South Korea, Taiwan, and Hong Kong.
Unlike typical botnets, LapDogs is meticulously engineered for stealth and persistence, powered by a custom backdoor known as ShortLeash. According to the STRIKE team, “ShortLeash generates unique, self-signed TLS certificates with spoofed metadata for each node,” and these certificates were pivotal in identifying compromised infrastructure.
The campaign’s name—LapDogs—derives from a forensic artifact: TLS certificates pretending to be signed by the Los Angeles Police Department. This strange misdirection was found in certificate metadata:
“…signed by the City of Los Angeles Police Department (LAPD), which indicates the hackers are potentially attempting to masquerade as a legitimate LAPD network device.”
But far from California, the real focus lies in East Asia, where the attackers appear to operate with geographical precision. STRIKE’s analysis revealed:
“These five targets—United States, Japan, South Korea, Taiwan, and Hong Kong—comprise nearly 90% of the entire network.”
The ShortLeash malware, which comes in both Linux and Windows variants, acts as the central nervous system of LapDogs. On Linux, it installs as a .service file for persistence, while on Windows it has been found running even on outdated systems such as Windows XP. Once installed, ShortLeash immediately starts its malicious web service, which in turn generates the node's self-signed TLS certificate.
The payload is stealthy, encrypted in two layers, and carries critical configuration data, including embedded TLS keys and C2 URLs. Once deployed, it runs a web service that imitates Nginx, adding another layer of deception.
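Because each ShortLeash node presents its own self-signed certificate with spoofed issuer metadata, the certificate is the most practical hunting artifact a defender has. The following is an added example, not code from SecurityScorecard or the STRIKE report: it triages a Zeek-style x509 log export (the sample rows and the simplified five-column layout are constructed for the example; a real x509.log carries more fields) and scores each certificate on two signals the report describes, self-signature (subject equals issuer) and an issuer organisation that a SOHO router would never legitimately carry. The LAPD strings are the ones named in the report; treating them as the spoof list is an assumption you would extend from your own intelligence.

```python
"""Triage x509 log records for self-signed certificates with spoofed metadata.

Added example, not the STRIKE team's tooling. Assumes a tab-separated export
whose '#fields' header names the columns (constructed sample below).
"""
import re
from dataclasses import dataclass

# Organisation names taken from the report's description of LapDogs certificates.
# Assumption: this list is the spoofed-metadata watchlist; extend it as needed.
SPOOFED_ORG_PATTERNS = [
    re.compile(r"Los Angeles Police Department", re.I),
    re.compile(r"\bLAPD\b", re.I),
]

# Constructed sample log (fingerprints and names are made up for the example).
SAMPLE_X509_LOG = """\
#fields\tfingerprint\tsubject\tissuer\tnot_valid_before\tnot_valid_after
aa11bb22\tCN=vpn.example.net,O=Example Corp\tCN=R11,O=Let's Encrypt\t2025-01-01\t2025-04-01
cc33dd44\tCN=home-router,O=Vendor\tCN=home-router,O=Vendor\t2024-06-01\t2034-06-01
ee55ff66\tCN=lapd-device-7,O=Los Angeles Police Department,L=Los Angeles\tCN=lapd-device-7,O=Los Angeles Police Department,L=Los Angeles\t2025-03-10\t2035-03-10
"""


@dataclass
class Finding:
    fingerprint: str
    subject: str
    self_signed: bool
    spoofed_org: bool

    @property
    def severity(self) -> str:
        # Both signals together match the LapDogs certificate pattern.
        if self.self_signed and self.spoofed_org:
            return "high"
        if self.self_signed or self.spoofed_org:
            return "medium"
        return "info"


def parse_x509_log(text: str) -> list[dict]:
    """Parse a Zeek-style TSV export; the '#fields' line names the columns."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # other Zeek metadata lines (#separator, #types, ...)
            continue
        if fields is None:
            raise ValueError("log has no #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch on line: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def _normalise_dn(dn: str) -> str:
    # Case and whitespace differences are irrelevant to the self-signed test.
    return ",".join(part.strip().lower() for part in dn.split(","))


def triage_x509_log(text: str) -> list[Finding]:
    """Score every certificate record on the self-signed and spoofed-org signals."""
    findings = []
    for row in parse_x509_log(text):
        subject, issuer = row["subject"], row["issuer"]
        self_signed = _normalise_dn(subject) == _normalise_dn(issuer)
        spoofed = any(p.search(subject) or p.search(issuer) for p in SPOOFED_ORG_PATTERNS)
        findings.append(Finding(row["fingerprint"], subject, self_signed, spoofed))
    return findings


def high_severity_fingerprints(text: str) -> list[str]:
    """Fingerprints worth pivoting on (blocklists, retro-hunts over TLS telemetry)."""
    return [f.fingerprint for f in triage_x509_log(text) if f.severity == "high"]


if __name__ == "__main__":
    for finding in triage_x509_log(SAMPLE_X509_LOG):
        print(f"{finding.severity:6} {finding.fingerprint} {finding.subject}")
```

Self-signature alone is only a medium signal because many consumer routers legitimately ship self-signed certificates; it is the combination with an implausible issuer, or with a fingerprint seen across many unrelated ISPs, that separates an ORB node from an ordinary home device.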
LapDogs is not just about mass infection—it’s about targeting with intent. STRIKE identified 162 unique intrusion sets, many of which focused on very narrow geographical or ISP-related clusters. Notably, the majority of compromised devices were Ruckus Wireless access points and Buffalo AirStation routers, especially in Tokyo.
“Over a third of the ORB operation revolves around a geographical focal point, occasionally even localized down to the city level.”
Victims include municipal services offices, IT providers, real estate companies in Japan, and even a UK-based media company. Many of these SOHO devices likely act as “ORB victims,” serving as stepping stones for more serious breaches.
STRIKE draws a comparison between LapDogs and a previously discovered ORB network known as PolarEdge, but emphasizes that they are separate entities.
“While ShortLeash and PolarEdge malware functionally serve a very similar purpose, a Diff comparison found very little code commonalities shared between them.”
PolarEdge tends to operate from /tmp/, whereas LapDogs’ ShortLeash persists in system directories like /etc/systemd/system/. Their distinct approaches suggest parallel but separate development paths—potentially by different teams within the same nation-state ecosystem.
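The persistence locations above (/tmp/ for PolarEdge, a unit under /etc/systemd/system/ for ShortLeash) suggest a simple host-side check: enumerate systemd units and flag any whose ExecStart runs from a scratch directory, from outside the usual binary locations, or wraps a shell script that lives outside them, the report having noted Bash startup scripts. The following is an added example and not code from the report; the unit texts are constructed, and the trusted-directory and scratch-directory lists are assumptions to tune per distribution.

```python
"""Flag systemd units whose ExecStart points at an unusual location.

Added example, not from the STRIKE report. Path lists are assumptions.
"""
import re
from pathlib import Path

# Assumption: where package-managed executables normally live.
TRUSTED_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                    "/bin/", "/sbin/", "/lib/", "/opt/")
# Assumption: world-writable or ephemeral locations no legitimate service runs from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = ("sh", "bash", "dash", "python", "python3", "perl")

# Constructed sample units (names and paths made up for the example).
SAMPLE_UNITS = {
    "nginx.service": "[Service]\nExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'\n",
    "web-helper.service": "[Service]\nExecStart=-/tmp/.cache/srv --daemon\n",
    "sysupdate.service": "[Service]\nExecStart=/bin/bash /root/.config/.start.sh\n",
}


def exec_starts(unit_text: str) -> list[list[str]]:
    """Return each ExecStart= command as an argv-like list, prefixes stripped."""
    commands = []
    for line in unit_text.splitlines():
        m = re.match(r"\s*ExecStart\s*=\s*(.*)$", line)
        if not m:
            continue
        value = m.group(1).strip()
        # systemd allows '-', '@', ':', '+', '!' and '!!' before the executable.
        value = re.sub(r"^(!!|[-@:+!])+", "", value)
        if value:  # an empty ExecStart= only resets earlier assignments
            commands.append(value.split())
    return commands


def _in_trusted_dir(path: str) -> bool:
    return path.startswith(TRUSTED_BIN_DIRS)


def assess_unit(name: str, unit_text: str) -> list[str]:
    """Return human-readable reasons the unit deserves a look (empty means clean)."""
    reasons = []
    for argv in exec_starts(name and unit_text):
        exe = argv[0]
        if exe.startswith(SCRATCH_DIRS):
            reasons.append(f"{name}: ExecStart runs from scratch directory {exe}")
        elif not _in_trusted_dir(exe):
            reasons.append(f"{name}: ExecStart outside trusted directories {exe}")
        # A trusted interpreter launching a script from an untrusted place.
        if Path(exe).name in INTERPRETERS and len(argv) > 1:
            script = argv[1]
            if script.startswith("/") and not _in_trusted_dir(script):
                reasons.append(f"{name}: interpreter {exe} runs script {script}")
    return reasons


def assess_units(units: dict[str, str]) -> dict[str, list[str]]:
    """Assess a {unit_name: unit_text} mapping; only flagged units are returned."""
    flagged = {}
    for name, text in units.items():
        reasons = assess_unit(name, text)
        if reasons:
            flagged[name] = reasons
    return flagged


def load_unit_dir(path: str = "/etc/systemd/system") -> dict[str, str]:
    """Read every *.service file in a unit directory (for real-host use)."""
    return {p.name: p.read_text(errors="replace")
            for p in Path(path).glob("*.service") if p.is_file()}


if __name__ == "__main__":
    for unit, reasons in assess_units(SAMPLE_UNITS).items():
        print(unit, *reasons, sep="\n  ")
```

On a real host, pair the path heuristic with package ownership (for example `dpkg -S` or `rpm -qf` on the ExecStart binary) and with unit-file modification times; a unit that no package owns and that appeared recently is a stronger lead than the path alone.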
Although definitive attribution remains elusive, STRIKE connects LapDogs to China-Nexus espionage actors. The presence of Mandarin developer notes in the Bash startup scripts and the alignment with past campaigns (like UAT-5918 described by Cisco Talos) adds weight to the attribution.
“We therefore assess with moderate confidence that LapDogs is an Operational Relay Box Network that China-Nexus threat actors use.”
SecurityScorecard warns:
“China-Nexus threat actors are disrupting traditional playbooks for IOC tracking, response, and remediation.”