LapDogs Hackers Exploit 1,000 SOHO Devices with Custom Backdoor for Covert Operations

A sophisticated cyber espionage campaign linked to China has emerged, targeting over 1,000 Small Office/Home Office (SOHO) devices worldwide through an Operational Relay Box (ORB) network dubbed “LapDogs.”
Active since September 2023, this covert operation marks a significant shift in nation-state cyber warfare tactics, utilizing compromised devices not for disruptive attacks but as stealthy, long-term operational infrastructure.
The campaign exhibits remarkable geographical precision, with targets primarily concentrated in the United States and Southeast Asia, particularly in Japan, South Korea, Hong Kong, and Taiwan.
Unlike traditional botnets that execute loud, attention-grabbing attacks, the LapDogs network operates with surgical precision, maintaining infected devices that function normally while serving as covert relay points for malicious activities. This approach complicates detection and attribution for cybersecurity professionals.


Discovery and Analysis
SecurityScorecard analysts uncovered this previously unreported threat through extensive forensic analysis, revealing distinct operational patterns indicative of highly focused, goal-oriented attackers. Evidence suggests deliberate campaign growth, with attackers launching waves of intrusions against specific regions in well-planned sets over time.
Forensic evidence, including Mandarin coder notes and victimology patterns, led STRIKE team analysts to conclude that the LapDogs infrastructure is utilized by the Advanced Persistent Threat group known as UAT-5918.