SecurityScorecard’s STRIKE team has uncovered a stealthy network of compromised small office and home office (SOHO) devices that it calls LapDogs. The campaign targets Linux-based SOHO hardware and uses a custom implant named ShortLeash to keep persistent access to each device and hide its activity.
Once ShortLeash is installed, the attackers have root-level control of and persistence on the device. The implant starts a counterfeit Nginx web server and generates a self-signed TLS certificate whose issuer claims to be the Los Angeles Police Department (LAPD). Because that certificate is so distinctive, its fingerprint let researchers identify more than a thousand infected nodes worldwide, and the same fingerprint is a usable indicator for defenders.
Rather than a noisy botnet, LapDogs operates as an Operational Relay Box (ORB) network: everyday devices such as routers, IP cameras, and other connected gadgets are repurposed to relay command-and-control traffic and mask where intrusions originate. Infections arrive in short bursts, confined to a single country on some days and spread across several regions on others, and all use the same port number. These timing and port patterns let defenders correlate related intrusions more quickly.
Analysis shows that about fifty-five percent of the infected hardware was outdated Ruckus Wireless equipment, with Buffalo AirStation routers also frequently hit, particularly in Japan. Many of these devices run legacy web servers such as mini_httpd or expose SSH daemons such as Dropbear, which often go unpatched and unmonitored. Outdated firmware combined with default configurations makes them easy prey for LapDogs.
Ryan Sherstobitoff, Field Chief Threat Intelligence Officer at SecurityScorecard, recommends that organizations retire legacy SOHO gear in favor of devices with secure defaults, built-in telemetry, and easy patch management. He also advises strict network segmentation to isolate edge devices, and procurement policies that require vendors and managed service providers to include breach-notification clauses for any compromised hardware under their control.
While STRIKE did not attribute the campaign to a specific actor, code comments in Mandarin and the concentration of targets in the United States, Japan, South Korea, Taiwan, and Hong Kong point to a China-nexus threat group. Earlier Cisco Talos research on a group tracked as UAT-5918 described similar infrastructure, though it remains unclear whether that group operates LapDogs or merely uses its components. Organizations should audit their SOHO devices now, update firmware, and watch for unexpected self-signed certificates on edge devices, checking the certificates they find against the ShortLeash certificate's issuer and fingerprint, to guard against this covert backdoor.
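As an added example, written for this article and not code from SecurityScorecard, the STRIKE report, or the malware authors, the Go program below checks TLS endpoints for the two certificate traits described above: it fetches a server's leaf certificate, confirms it is genuinely self-signed (issuer equals subject and the signature verifies under the certificate's own public key), and flags an issuer or subject that names the LAPD. The token list, the demo certificate's distinguished name, and the host addresses are assumptions for illustration; the real ShortLeash certificate's exact fields and fingerprint should be taken from the published report and matched against the SHA-256 value the program prints.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"os"
	"strings"
	"time"
)

// Finding is what the checker reports for one leaf certificate.
type Finding struct {
	SelfSigned  bool   // issuer == subject and the cert verifies under its own key
	IssuerMatch bool   // issuer or subject DN contains one of suspiciousTokens
	Issuer      string // issuer DN, e.g. "L=Los Angeles,O=LAPD"
	SHA256      string // hex SHA-256 of the DER cert, for matching against published IoCs
}

// suspiciousTokens is matched case-insensitively against the issuer and subject DNs.
// "LAPD" is the only string the report's description gives; the second entry is an
// assumed variant, and the real certificate's exact DN layout is not reproduced here.
var suspiciousTokens = []string{"lapd", "los angeles police"}

// ClassifyCert checks one parsed X.509 certificate for the two ShortLeash traits
// the report describes: self-signed, and an issuer posing as the LAPD.
func ClassifyCert(cert *x509.Certificate) Finding {
	f := Finding{
		Issuer: cert.Issuer.String(),
		SHA256: fmt.Sprintf("%x", sha256.Sum256(cert.Raw)),
	}
	// Equal DNs alone do not prove self-signing: also verify the signature with the
	// cert's own key. CheckSignature (unlike CheckSignatureFrom) needs no CA constraints.
	if cert.Issuer.String() == cert.Subject.String() &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		f.SelfSigned = true
	}
	dn := strings.ToLower(f.Issuer + " " + cert.Subject.String())
	for _, tok := range suspiciousTokens {
		f.IssuerMatch = f.IssuerMatch || strings.Contains(dn, tok)
	}
	return f
}

// FetchLeaf returns the leaf certificate addr presents. Verification is disabled on
// purpose: the point is to inspect bad certificates, not to trust them.
func FetchLeaf(addr string, timeout time.Duration) (*x509.Certificate, error) {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("%s: server sent no certificate", addr)
	}
	return certs[0], nil
}

// NewDemoSelfSignedCert builds a throwaway self-signed certificate in memory so the
// checker can be exercised offline. Its DN is constructed here; it is not ShortLeash's.
func NewDemoSelfSignedCert(org string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}, Locality: []string{"Los Angeles"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // parent == tmpl: self-signed
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, addr := range os.Args[1:] { // usage: certhunt host:port [host:port ...]
		cert, err := FetchLeaf(addr, 5*time.Second)
		if err != nil {
			fmt.Printf("%s\terror: %v\n", addr, err)
			continue
		}
		f := ClassifyCert(cert)
		verdict := "ok"
		if f.SelfSigned && f.IssuerMatch {
			verdict = "SUSPECT: self-signed cert with LAPD-style issuer"
		} else if f.SelfSigned {
			verdict = "self-signed (review)"
		}
		fmt.Printf("%s\t%s\tissuer=%q\tsha256=%s\n", addr, verdict, f.Issuer, f.SHA256)
	}
}
```

Run it as `go run certhunt.go 192.0.2.10:443` (192.0.2.0/24 is a documentation address range, used here as a placeholder) against the edge devices in your own inventory. A self-signed certificate on a router's management interface is common and only worth a look; one whose issuer poses as a police department is the signal to isolate the device and collect forensics. The same ClassifyCert logic can be run over certificates already captured in TLS or proxy logs, and the printed SHA-256 is the value to compare with the fingerprint published in the report.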