SecurityScorecard has discovered a covert cyber-espionage botnet dubbed “LapDogs” linked to China
Analysis Summary
# Threat Actor: LapDogs (Associated with China-nexus actors)
## Attribution & Identity
SecurityScorecard tracks the activity under the collective name "LapDogs" and associates it with China-nexus actors. The operators build and run a network of Operational Relay Boxes (ORBs): compromised devices and rented servers that proxy their traffic so that victims see only the relay, not the operator's own infrastructure.
## Activity Summary
The threat actors are running a cyber-espionage campaign against victims in the US and Asia. The campaign has been active since at least September 2023 and has grown methodically, steadily adding devices and victims rather than expanding in bursts. The actors operate a botnet reportedly comprising more than 1,000 compromised Small Office/Home Office (SOHO) devices (routers and IoT endpoints), combined with Virtual Private Servers (VPSs), to form ORB networks that obscure the origin of their traffic and give them plausible deniability.
## Tactics, Techniques & Procedures
- **Persistence:** A custom backdoor named "ShortLeash" maintains access on infected devices.
- **Command and Control (C2):** Infected devices connect into the established ORB network rather than directly to operator-controlled servers.
- **Evasion/Deception:** ShortLeash generates TLS certificates whose issuer field is spoofed to name the Los Angeles Police Department (LAPD), misleading investigators who pivot on certificate provenance.
- **Initial Access/Network Expansion:** A compromised SOHO device can serve as an initial access vector into the local network behind it, or can host the espionage platform directly.
- **Botnet/Infrastructure Creation:** The large pool of compromised SOHO devices is assembled into an Operational Relay Box (ORB) network.
## Targeting
- **Sectors:** Real estate, IT, networking, and media sectors.
- **Geography:** United States (US), Japan, South Korea, Hong Kong, and Taiwan (Asia).
- **Victims:** Organizations within the targeted sectors in the listed geographic regions.
## Tools & Infrastructure
- **Malware Families Used:** Custom backdoor named "ShortLeash."
- **Infrastructure (C2, domains, IPs):** Operational Relay Boxes (ORBs) built from more than 1,000 compromised SOHO devices (routers, IoT endpoints) combined with Virtual Private Servers (VPSs). The report does not enumerate specific domains or IP addresses in this summary.
## Implications
This persistent, highly distributed campaign is focused on cyber-espionage and uses common household and small-business equipment (SOHO devices) as resilient infrastructure: such devices are rarely monitored, seldom patched, and sit on residential IP space that blends in with ordinary traffic. The LAPD-spoofed TLS certificates suggest a deliberate attempt to mislead investigators and analysts who rely on certificate provenance when clustering infrastructure. The scale (more than 1,000 devices in the botnet) gives the operators significant reach and anonymity, and means that blocking any single relay has little effect.
## Mitigations
- Increase monitoring and segmentation of SOHO/IoT devices on corporate or organizational networks, so that a compromised router or IoT endpoint cannot reach sensitive segments.
- Scrutinize network traffic originating from or passing through SOHO devices used for remote work or remote access, since a compromised home router is a relay into the corporate network.
- Inspect TLS certificate metadata to detect anomalous certificate usage, particularly self-signed certificates and unusual or implausible issuer names such as the LAPD example. Note that with TLS 1.3 the server certificate is sent encrypted, so passive inspection of issuer names only works for TLS 1.2 and earlier, or at a TLS-terminating proxy; certificate logs from a sensor such as Zeek remain useful for the older handshakes and for any traffic the proxy sees in the clear.
- Inventory and harden all SOHO network equipment (routers, endpoints): apply firmware updates, disable remote administration on the WAN side, and replace default credentials, to prevent initial infection and inclusion in ORB networks.
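The certificate-inspection mitigation above can be turned into a concrete hunt over existing sensor output. The following is an added example, not code from the SecurityScorecard report: it reads lines in the shape of Zeek's x509.log (tab-separated, columns ts, id, version, serial, subject DN, issuer DN), flags certificates that are self-signed (subject equals issuer) and certificates whose issuer names an organisation on an analyst-maintained watchlist. The sample log lines and the distinguished names in them are constructed for this example, and the watchlist terms are placeholders; they are not indicators taken from the report.

```python
"""Hunt for implausible TLS certificate issuers in Zeek-style x509 log lines.

Added example; not part of the SecurityScorecard report or its tooling.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of Zeek's x509.log (tab-separated, no header):
# ts, id, certificate.version, certificate.serial, certificate.subject, certificate.issuer
# All DNs below are placeholders invented for this example.
SAMPLE_LOG = """\
1700000000.1\tF1\t3\t0A1B\tCN=www.example.com,O=Example Inc,C=US\tCN=R3,O=Let's Encrypt,C=US
1700000001.2\tF2\t3\t0A1C\tCN=LAPD,O=Los Angeles Police Department,C=US\tCN=LAPD,O=Los Angeles Police Department,C=US
1700000002.3\tF3\t3\t0A1D\tCN=router.local,O=Home,C=US\tCN=router.local,O=Home,C=US
1700000003.4\tF4\t3\t0A1E\tCN=portal.corp.example,O=Corp\tCN=Corp Internal CA,O=Corp
"""

# Analyst-maintained watchlist (hypothetical): organisations that should never
# appear as the issuer of a certificate presented to hosts on your network.
ISSUER_WATCHLIST = ("police department", "lapd", "sheriff", "federal bureau")


def parse_dn(dn):
    """Split an RFC 4514 style DN into {ATTR: value}, honouring backslash-escaped commas."""
    out = {}
    for part in re.split(r"(?<!\\),", dn):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip().replace("\\,", ",")
    return out


@dataclass
class Finding:
    fid: str        # Zeek file id of the certificate
    subject: str
    issuer: str
    reasons: list   # why it was flagged, in evaluation order


def analyze_x509_log(text, watchlist=ISSUER_WATCHLIST):
    """Return a Finding for every certificate line that trips at least one rule."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue                      # skip Zeek header/footer lines
        cols = line.split("\t")
        if len(cols) < 6:
            continue                      # malformed or truncated record
        fid, subject, issuer = cols[1], cols[4], cols[5]
        reasons = []
        # Rule 1: self-signed. ShortLeash-style certificates are not chained to a
        # public CA, so subject and issuer are the same DN.
        if parse_dn(subject) == parse_dn(issuer):
            reasons.append("self-signed")
        # Rule 2: issuer claims an organisation from the watchlist (case-insensitive,
        # across every DN attribute, so CN=LAPD and O=... Police Department both hit).
        haystack = " ".join(v.lower() for v in parse_dn(issuer).values())
        if any(term in haystack for term in watchlist):
            reasons.append("issuer-on-watchlist")
        if reasons:
            findings.append(Finding(fid, subject, issuer, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze_x509_log(SAMPLE_LOG):
        print(f"{f.fid}\t{f.issuer}\t{', '.join(f.reasons)}")
```

Self-signed alone is noisy on a network full of consumer routers (F3 in the sample is exactly that), so triage by combining the two rules: a self-signed certificate whose issuer also claims a law-enforcement body is a far stronger signal than either property on its own. Feed the flagged file ids back into Zeek's ssl.log to recover the server IPs and pivot from there.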