Executive Summary:
- Cisco Talos has confirmed that the LapDogs Operational Relay Box (ORB) network remains active, showing that UAT-7810 is expanding infrastructure first disclosed by SecurityScorecard research in 2025.
- Building on Talos’ findings in 2026, SecurityScorecard’s STRIKE team identified three previously undisclosed servers tied to the same campaign.
- Together, the research shows that LapDogs continues to evolve through new malware, new infrastructure, and continued targeting of internet-facing routers.
The latest Cisco Talos research shows these operators did not abandon the LapDogs ORB network after exposure. Instead, they appear to be continuing development through new tooling designed to manage, expand, and sustain compromised routers and other internet-facing devices.
Cisco Talos published new research this week on UAT-7810, the threat actor behind LapDogs, a China-Nexus Operational Relay Box (ORB) network. An Operational Relay Box (ORB) network is a mesh of compromised routers, IoT devices, and rented virtual private servers that threat actors use to relay traffic and hide malicious activity. Talos’ report builds directly on SecurityScorecard’s original LapDogs research, which first exposed the network in 2025.
Talos confirms UAT-7810 has kept developing its toolkit since that exposure, releasing a new backdoor called LONGLEASH along with two additional tools, DOGLEASH and JARLEASH. Pivoting off indicators in Talos’ report, SecurityScorecard’s STRIKE team used our Driftnet internet-scanning engine to identify three more servers tied to this infrastructure that have not been previously disclosed. These findings give defenders new indicators to hunt for and confirm that this ORB network remains an active, evolving threat.
Read the original research here.
What Is LapDogs, and Why Does It Matter?
SecurityScorecard’s STRIKE team first identified LapDogs in 2025 after tracing a distinctive, self-signed TLS certificate spoofed to look like it belonged to the Los Angeles Police Department. That certificate led our STRIKE researchers to a custom backdoor named ShortLeash, which was running on more than 1,000 infected nodes worldwide.
Most of those devices were Linux-based small office and home office (SOHO) routers, with Ruckus Wireless access points and Buffalo AirStation routers making up the majority. STRIKE assessed that China-Nexus threat actors operate LapDogs, based on Mandarin developer notes, victimology, and tactics shared with other China-linked campaigns. The network showed clear signs of deliberate, methodical growth rather than opportunistic, botnet-style spreading, expanding in small, targeted waves since at least September 2023.
Targets were localized in the United States as well as in Southeast Asia, particularly in Japan, South Korea, Hong Kong, and Taiwan.
SecurityScorecard’s New Findings
Talos’ latest research on UAT-7810 references a TLS certificate with the subject “CN=exploit, OU=exploit, O=exploit, L=exploit, ST=exploit, C=exploit.”
Pivoting off of the “CN=exploit,OU=exploit,O=exploit,L=exploit,ST=exploit,C=exploit” certificate, Driftnet found three additional, undisclosed servers tied to this activity. The IPs are:
- 93.113.99[.]48 – ran the certificate on port 93 from at least January 9, 2026, until February 26, 2026.
- 95.182.100[.]21 – ran it on port 11111 between February 26, 2026, and April 1, 2026.
- 83.172.159[.]10 – ran it on port 93 between March 10, 2026, and April 6, 2026.
Any contact with these IPs during these periods, especially over these ports, is a possible sign of compromise and should be thoroughly investigated.
What This Continued Activity Tells Us
The latest Talos research shows these operators did not abandon the LapDogs ORB network after exposure. Instead, they appear to be continuing development through new tooling designed to manage, expand, and sustain compromised routers and other internet-facing devices. That continued reliance on edge devices tells us the operators still value stealth, persistence, and geographic distribution.
By routing activity through compromised devices that blend into normal internet traffic, attackers can make attribution harder and give themselves more flexibility for future operations. What appears new is not a total shift toward faster scaling, but a more mature approach to control and resilience. LONGLEASH, DOGLEASH, and JARLEASH suggest the operators are improving how they manage and extend the network while keeping it useful for long-term operations.
The fact that this activity continues after public exposure last year is important. Well-resourced threat actors do not always walk away when they are named. If the infrastructure still serves a purpose, they adapt, rebuild, and keep moving. The bigger risk is not one infected router, but the broader network of compromised devices that can help attackers hide future espionage, intrusion, or pre-positioning activity.
Where This Leaves Defenders
Home routers remain one of the most exposed, least-monitored device categories, and this activity shows why. In practice, home router owners are rarely aware of these attacks or empowered to do anything about them if they are. Home routers are some of the most targeted internet-facing objects because of that. Even after publications and disclosures, threat actors may dust off their clothes and carry on. This raises open questions about remediation guidance for compromised consumer devices.
Read Cisco Talos’ report on UAT-7810 for more IOCs, and revisit SecurityScorecard’s original LapDogs research and blog for the full history of this ORB network.
If you believe your organization may be affected by LapDogs or UAT-7810 infrastructure, contact SecurityScorecard’s STRIKE team for investigation and remediation support.
Discover how SecurityScorecard and its STRIKE Team can strengthen your enterprise’s security.
For STRIKE media inquiries, contact us here.