- ShortLeash gives hackers root-level stealth and blends malicious activity into everyday network traffic
- LapDogs uses fake LAPD certificates to disguise malware, bypassing even the best endpoint protection systems
- The malware quietly hijacks routers and devices that often go unmonitored for months
A recently disclosed cyber espionage operation, dubbed LapDogs, has drawn scrutiny following revelations from SecurityScorecard’s Strike Team.
The operation, believed to be conducted by China-aligned threat actors, has quietly infiltrated over 1,000 devices across the United States, Japan, South Korea, Taiwan, and Hong Kong.
What makes this campaign distinctive is its use of hijacked SOHO routers and IoT hardware, transforming them into Operational Relay Boxes (ORBs) for sustained surveillance.
Stealth, persistence, and false identities
LapDogs is an ongoing campaign, active since September 2023, targeting real estate, media, municipal, and IT sectors.
Devices from known vendors such as Buffalo Technology and Ruckus Wireless have reportedly been compromised.
The attackers use a custom backdoor named ShortLeash, which grants extensive privileges and stealth, allowing them to blend in with legitimate traffic.
According to the report, once a device is infected, it may go undetected for months, and in worst-case scenarios, some are used as gateways to infiltrate internal networks.
Unlike typical botnets that prioritize disruption or spam, LapDogs reveals a more surgical approach.
“LapDogs reflects a strategic shift in how cyber threat actors are leveraging distributed, low-visibility devices to gain persistent access,” said Ryan Sherstobitoff, Chief Threat Intelligence Officer at SecurityScorecard.
“These aren’t opportunistic smash-and-grab attacks—these are deliberate, geo-targeted campaigns that erode the value of traditional IOCs (Indicators of Compromise).”
With 162 distinct intrusion sets already mapped, the structure of the operation suggests clear intent and segmentation.
What is especially unsettling is the spoofing of legitimate security credentials.
The malware fabricates TLS certificates appearing to be signed by the Los Angeles Police Department.
This forgery, combined with geolocation-aware certificate issuance and assigned ports, makes it extremely difficult for conventional detection systems to flag malicious behavior.
Even the best endpoint protection tools would be challenged in spotting such well-disguised intrusions, especially when activity is routed through compromised home routers rather than enterprise assets.
SecurityScorecard compares LapDogs with PolarEdge, another China-linked ORB system, but emphasizes that the two are distinct in infrastructure and execution.
The broader concern raised is the expanding vulnerability landscape. As businesses rely more on decentralized devices and fail to update embedded firmware, the risk of persistent espionage increases.
The report calls on network defenders and ISPs to review devices across their supply chains.
SecurityScorecard compares LapDogs with PolarEdge, another China-linked ORB system, but emphasizes that the two are distinct in infrastructure and execution.
The broader concern raised is the expanding vulnerability landscape. As businesses rely more on decentralized devices and fail to update embedded firmware, the risk of persistent espionage increases.
The report calls on network defenders and ISPs to review devices across their supply chains.
This means there is a need to reconsider reactive solutions and focus on more proactive infrastructure-level measures, such as the best FWAAS and best ZTNA solution deployments.