Unmasking A New China-Linked Covert ORB Network: Inside the LapDogs Campaign
LapDogs: China-Linked ORB Network Revealed in Global Espionage Campaign
SecurityScorecard’s STRIKE team has identified a previously unreported Operational Relay Box (ORB) Network—LapDogs—a novel and prolonged espionage infrastructure campaign that marks yet another instance of China-Nexus cyber actors leveraging ORB Networks.
Key Takeaways
- Over 1,000 actively infected nodes
- Targets are highly localized in the United States and Southeast Asia, particularly Japan, South Korea, Hong Kong, and Taiwan
- Victims in real estate, IT, networking, media and more
- LapDogs leverages a custom backdoor named “ShortLeash,” which establishes a foothold on compromised devices and enables the hackers to act covertly
- Small Office/Home Office (SOHO) devices are mainly targeted
- Campaign growth is deliberate, beginning September 2023 and expanding with methodical tasking
- LapDogs shares commonalities with some prolific China-Nexus ORB networks, most notably PolarEdge, while conclusively standing out as an independent ORB
Read the full report here.
Background
In recent years, ORB Networks have quietly emerged as one of the most effective covert infrastructure tools used by nation-state threat actors. Unlike botnets, ORBs use compromised devices to maintain stealthy, long-term infrastructure—not to launch noisy, disruptive attacks. They function as flexible infrastructure and can provide operational cover for malicious activity. The compromised devices in the network continue functioning as usual during campaigns, which can make detection and attribution elusive.
The LapDogs ORB Network has been operating since at least September 2023 and has expanded its operations around the globe ever since. The attackers use ShortLeash, a custom backdoor, to compromise devices and maintain an interconnected network. The backdoor generates self-signed TLS certificates presenting as “LAPD” (apparently an attempt to spoof the Los Angeles Police Department as plausible cover).
Our analysis traces these certificates to over 1,000 actively infected nodes globally, revealing geographic targeting patterns indicative of structured tasking. Certificate generation shows distinct spikes tied to micro-intrusion campaigns, some of them tied to specific regions: we observed a spike when the actor apparently turned its attention to Japan on one date, and to Taiwan on a different date, for instance. The operators launched their campaign in waves, targeting specific regions through well-planned intrusion sets over time. The patterns we observed in the threat actor’s behavior suggest the operators are highly focused on several specific geographic targets, further distinguishing LapDogs as a goal-oriented actor.
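As an added defender-side example (not code from the report or from SecurityScorecard), the Go program below implements the hunt heuristic the description suggests: flag a TLS certificate only when it is both self-signed and presents “LAPD” in its subject. It builds a constructed sample certificate in memory so it runs offline; the subject values are hypothetical and not taken from real ShortLeash samples.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// inspectCert applies the defender-side heuristic the report points at: a cert that
// is self-signed AND presents as "LAPD". Both flags are returned so a hunt log can say why.
func inspectCert(cert *x509.Certificate) (selfSigned, spoofsLAPD bool) {
	// Self-signed: issuer equals subject and the signature verifies under the cert's own key.
	selfSigned = cert.Issuer.String() == cert.Subject.String() && cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	// Check CN, O and OU, the subject fields where a spoofed organisation name would sit.
	fields := append(append([]string{cert.Subject.CommonName}, cert.Subject.Organization...), cert.Subject.OrganizationalUnit...)
	for _, v := range fields {
		if strings.Contains(strings.ToUpper(v), "LAPD") {
			spoofsLAPD = true
		}
	}
	return selfSigned, spoofsLAPD
}

// makeSelfSigned builds a constructed self-signed cert for offline testing; subject values are hypothetical.
func makeSelfSigned(cn, org string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

func main() {
	ss, sp := inspectCert(makeSelfSigned("LAPD", "LAPD"))
	fmt.Printf("self_signed=%v spoofs_lapd=%v flag=%v\n", ss, sp, ss && sp)
}
```

In a real hunt, feed inspectCert certificates pulled from a passive scan or from TLS handshake logs, and treat a hit as a lead for verification rather than proof of compromise, since anyone can mint a self-signed certificate with that string.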
Based on forensic evidence—including Mandarin coder notes and victimology—STRIKE assesses that LapDogs has been used by the APT known as UAT-5918 at least once.
LapDogs is a vast, prolonged intrusion operation with clear intent and planning, emphasizing the need for vigilance in securing embedded devices. This campaign shows a surging interest from China-Nexus threat actors in using ORB Networks to conduct covert intrusion campaigns both around the globe and tailored to specific victims of interest. With an increasing interest in this approach, security teams should be on alert that China-linked threat actors are disrupting traditional playbooks for IOC tracking, response, and remediation.
Contact STRIKE for Incident Response
SecurityScorecard’s STRIKE Team has access to one of the world’s largest databases of cybersecurity signals, dedicated to identifying threats that evade conventional defenses. With proactive risk management and a rapid response approach, SecurityScorecard offers companies protection against third-party risks and the ability to counter active threats like LapDogs.
Discover how SecurityScorecard and its STRIKE Team can strengthen your enterprise’s security.
For STRIKE media inquiries, contact us here.