Just a sample of the Echomail archive

 Message 1476 
 Mike Powell to All 
 China-backed "LapDogs" ha 
 29 Jun 25 09:17:00 
China-backed "LapDogs" hackers hijacked hundreds of devices in an outlandish
intel campaign aimed at US and Asian targets

Date:
Sun, 29 Jun 2025 09:23:00 +0000

Description:
LapDogs is a China-linked espionage operation exploiting SOHO devices to gain
stealthy access across the US and Asia, using spoofed credentials and
persistent malware.

FULL STORY

A recently disclosed cyber espionage operation, dubbed LapDogs, has drawn
scrutiny following revelations from SecurityScorecard's Strike Team.

The operation, believed to be conducted by China-aligned threat actors, has
quietly infiltrated over 1,000 devices across the United States, Japan, South
Korea, Taiwan, and Hong Kong. 

What makes this campaign distinctive is its use of hijacked SOHO routers and
IoT hardware, transforming them into Operational Relay Boxes (ORBs) for
sustained surveillance.

Stealth, persistence, and false identities 

LapDogs is an ongoing campaign, active since September 2023, targeting real
estate, media, municipal, and IT sectors. 

Devices from known vendors such as Buffalo Technology and Ruckus Wireless 
have reportedly been compromised. 

The attackers use a custom backdoor named ShortLeash, which grants extensive
privileges and stealth, allowing them to blend in with legitimate traffic. 

According to the report, once a device is infected, it may go undetected for
months, and in worst-case scenarios, some are used as gateways to infiltrate
internal networks. 

Unlike typical botnets that prioritize disruption or spam, LapDogs reveals a
more surgical approach. 

"LapDogs reflects a strategic shift in how cyber threat actors are leveraging
distributed, low-visibility devices to gain persistent access," said Ryan
Sherstobitoff, Chief Threat Intelligence Officer at SecurityScorecard.

"These aren't opportunistic smash-and-grab attacks; these are deliberate,
geo-targeted campaigns that erode the value of traditional IOCs (Indicators
of Compromise)."

With 162 distinct intrusion sets already mapped, the structure of the
operation suggests clear intent and segmentation. 

What is especially unsettling is the spoofing of legitimate security
credentials. 

The malware fabricates TLS certificates appearing to be signed by the Los
Angeles Police Department. 

This forgery, combined with geolocation-aware certificate issuance and
assigned ports, makes it extremely difficult for conventional detection
systems to flag malicious behavior. 

Even the best endpoint protection tools would be challenged in spotting such
well-disguised intrusions, especially when activity is routed through
compromised home routers rather than enterprise assets. 

SecurityScorecard compares LapDogs with PolarEdge, another China-linked ORB
system, but emphasizes that the two are distinct in infrastructure and
execution.

The broader concern raised is the expanding vulnerability landscape. As
businesses rely more on decentralized devices and fail to update embedded
firmware, the risk of persistent espionage increases. 

The report calls on network defenders and ISPs to review devices across their
supply chains. 

This means there is a need to reconsider reactive solutions and focus on more
proactive infrastructure-level measures, such as the best FWAAS and best ZTNA
solution deployments.

======================================================================
Link to news story:
https://www.techradar.com/pro/security/china-backed-lapdogs-hackers-hijacked-hundreds-of-devices-in-an-outlandish-intel-campaign-aimed-at-us-and-asian-targets

--- SBBSecho 3.20-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)