Source: www.infosecurity-magazine.com
China-nexus threat actors are running a network of Operational Relay Boxes (ORBs), including compromised connected devices, to target victims in the US and Asia in a cyber-espionage campaign, SecurityScorecard has warned.
The security vendor claimed that the "LapDogs" botnet already comprises more than 1000 small office/home office (SOHO) devices such as routers and IoT endpoints around the world. Such devices are typically combined with virtual private servers (VPSs) to build ORB networks that obscure the operators' true origin and give them plausible deniability, it said.
In this campaign, the threat actors use a custom backdoor, "ShortLeash," which maintains persistence on an infected device and enrolls it in an ORB network. ShortLeash reportedly generates TLS certificates whose issuer is spoofed to look like the Los Angeles Police Department (LAPD), a detail apparently intended to throw investigators off the scent.
Traced back to September 2023, the methodical campaign has slowly added devices and victims, many of the latter in the real estate, IT, networking and media sectors, mostly across the US, Japan, South Korea, Hong Kong and Taiwan.
The report noted that an organization can be affected in three ways: it can own one of the compromised SOHO devices, it can be targeted for cyber-espionage by the threat group through the ORB network, or it can have its local network breached via a compromised SOHO device used as an initial access vector.
SecurityScorecard said it was able to pinpoint 162 distinct intrusion sets, which it said highlights the careful operational planning behind the campaign.
“Forensic evidence, including Mandarin developer notes within the startup script, tools, techniques, and procedures (TTPs), and victimology supports attribution to China-nexus Advanced Persistent Threats (APTs) and similar ORBs,” the report noted.
“The research further identifies targeted operations based on certificate issuance dates and port assignments, which enables us to pinpoint distinct intrusion sets with geographical clusters.”
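The two hunting signals the report describes, a certificate whose issuer poses as the LAPD and the grouping of hits by certificate issuance date and listening port, can be turned into a small triage script. The following is an added example and is not SecurityScorecard's tooling; the record layout, the issuer strings it matches, and the scan records are all constructed for illustration and are not indicators from the report.

```python
"""Triage TLS scan records for LAPD-spoofed certificates and group the hits
into candidate intrusion sets by (issuance date, port).

Added example, not SecurityScorecard's code. The record fields, the issuer
strings matched and the sample data below are assumptions for illustration.
"""
from collections import defaultdict

# Issuer substrings treated as an LAPD impersonation. The article only says
# the certificates pose as LAPD-signed; these concrete strings are assumed.
SPOOFED_ISSUER_MARKERS = ("lapd", "los angeles police department")

# Constructed records in the shape of a scanner export. Not real telemetry.
SAMPLE_RECORDS = [
    {"host": "198.51.100.10", "port": 9999,
     "issuer": {"O": "LAPD", "CN": "LAPD"}, "subject": {"O": "LAPD", "CN": "LAPD"},
     "not_before": "2024-03-11", "country": "US"},
    {"host": "198.51.100.23", "port": 9999,
     "issuer": {"O": "LAPD", "CN": "LAPD"}, "subject": {"O": "LAPD", "CN": "LAPD"},
     "not_before": "2024-03-11", "country": "US"},
    {"host": "203.0.113.7", "port": 8443,
     "issuer": {"O": "LAPD", "CN": "LAPD"}, "subject": {"O": "LAPD", "CN": "LAPD"},
     "not_before": "2024-05-02", "country": "JP"},
    {"host": "203.0.113.40", "port": 8443,
     "issuer": {"O": "LAPD", "CN": "LAPD"}, "subject": {"O": "LAPD", "CN": "LAPD"},
     "not_before": "2024-05-02", "country": "KR"},
    # Benign control: a publicly issued certificate, must not be flagged.
    {"host": "192.0.2.55", "port": 443,
     "issuer": {"O": "Let's Encrypt", "CN": "R3"}, "subject": {"CN": "www.example.com"},
     "not_before": "2024-05-02", "country": "US"},
]


def claims_spoofed_issuer(rec):
    """True when any issuer DN attribute contains an LAPD marker.

    A police department is not a public CA, so a certificate naming it as
    issuer can only have been minted by whoever controls the host.
    """
    issuer_text = " ".join(str(v) for v in rec["issuer"].values()).lower()
    return any(marker in issuer_text for marker in SPOOFED_ISSUER_MARKERS)


def is_self_signed(rec):
    """Self-issued certificate: issuer DN identical to subject DN."""
    return rec["issuer"] == rec["subject"]


def find_hits(records):
    """Return the records whose certificate impersonates the LAPD issuer."""
    return [r for r in records if claims_spoofed_issuer(r)]


def cluster_intrusion_sets(hits):
    """Group hits by (notBefore date, port), the two keys the report used to
    separate intrusion sets. Returns {(date, port): [records]}."""
    sets = defaultdict(list)
    for r in hits:
        sets[(r["not_before"], r["port"])].append(r)
    return dict(sets)


def summarize(sets):
    """Per intrusion set: host count, countries seen, and whether every
    certificate in the set is self-signed."""
    return {
        key: {
            "hosts": len(recs),
            "countries": sorted({r["country"] for r in recs}),
            "all_self_signed": all(is_self_signed(r) for r in recs),
        }
        for key, recs in sorted(sets.items())
    }


def triage(records):
    """End-to-end: flag spoofed issuers, cluster, summarize."""
    return summarize(cluster_intrusion_sets(find_hits(records)))


if __name__ == "__main__":
    for (issued, port), info in triage(SAMPLE_RECORDS).items():
        print(f"issued {issued} port {port}: {info['hosts']} host(s) in "
              f"{','.join(info['countries'])} self-signed={info['all_self_signed']}")
```

On the constructed data this yields two candidate sets, one on port 9999 issued 2024-03-11 in the US and one on port 8443 issued 2024-05-02 across Japan and South Korea, while the Let's Encrypt control record is left alone. Against a real scan export the same shape of query works, but the issuer markers should be taken from the actual certificates observed rather than from this assumed list.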
ORBs are an increasingly popular TTP for Chinese actors – used by the infamous Volt Typhoon and other groups to hide command-and-control (C2) communications, evade detection and complicate attribution.
In February, Check Point revealed one such network targeting manufacturing suppliers in “sensitive” domains globally.
A month later, Sygnia discovered a similar network attributed to the China-linked Weaver Ant group targeting telecommunications providers.
SecurityScorecard said that "PolarEdge," a similar ORB network, shares some infrastructure with LapDogs but differs in TTPs and certificate management.
“LapDogs reflects a strategic shift in how cyber threat actors are leveraging distributed, low-visibility devices to gain persistent access,” said Ryan Sherstobitoff, chief threat intelligence officer at SecurityScorecard.
“These aren’t opportunistic smash-and-grab attacks – these are deliberate, geo-targeted campaigns that erode the value of traditional IOCs.”
Original Post URL: https://www.infosecurity-magazine.com/news/chinese-lapdogs-orb-network/