- ShortLeash gives the attackers root-level stealth on the device and blends their malicious activity into everyday network traffic
- LapDogs uses fake LAPD TLS certificates to disguise its malware and slip past even the best endpoint protection systems
- The malware sits quietly on routers and devices that often go unattended for months
A newly revealed cyber-espionage operation, dubbed LapDogs, has drawn attention following findings from SecurityScorecard's STRIKE team.
The operation, believed to be run by China-nexus threat actors, has quietly infiltrated more than 1,000 devices across the United States, Japan, South Korea, Taiwan and Hong Kong.
What makes this campaign distinctive is its use of hijacked SOHO routers and IoT hardware, which it turns into Operational Relay Boxes (ORBs) for sustained surveillance.
Stealth, persistence and false identities
LapDogs is an ongoing campaign, active since September 2023, aimed at the real estate, media and municipal sectors, among others.
Devices from well-known vendors such as Buffalo Technology and Ruckus Wireless have reportedly been compromised.
The attackers use a custom backdoor named ShortLeash, which gives them extensive privileges and stealth on the device and lets them blend their traffic in with legitimate traffic.
According to the report, once a device is infected it can go undetected for months, and in the worst case some devices are used as gateways into internal networks.
Unlike typical botnets, which prioritise disruption or spam, LapDogs shows a more surgical approach.
“LapDogs reflects a strategic shift in how cyber threat actors utilize distributed devices with low visibility to gain sustained access,” said Ryan Sherstobitoff, Chief Threat Intelligence Officer at SecurityScorecard.
“These are not opportunistic smash-and-grab attacks; these are deliberate, geo-targeted campaigns that erode the value of traditional IOCs (indicators of compromise).”
With 162 distinct intrusion sets already mapped, the structure of the operation points to clear intent and segmentation.
What is particularly disturbing is the forgery of legitimate-looking security credentials.
The malware generates self-signed TLS certificates whose issuer field claims to be the Los Angeles Police Department.
This forgery, combined with geolocation-aware certificate issuance and assigned listening ports, makes it very hard for conventional detection systems to flag the behaviour as malicious.
Even the best endpoint protection tools will struggle to catch such well-equipped intrusions, especially when the activity is routed through compromised home devices rather than corporate assets.
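One practical check a defender can run against this kind of forgery is to hunt passive TLS telemetry for self-signed certificates whose issuer names an organisation that would never issue a certificate to a home router. The script below is an added example, not code from the report or from SecurityScorecard; it runs over a small, constructed log modelled on Zeek's x509.log (the sample rows, the column layout and the `SUSPECT_ISSUER` pattern are assumptions for illustration, and in practice the pattern should be built from the issuer strings published in the report's indicators).

```python
"""Hunt passive TLS telemetry for self-signed certificates whose issuer
impersonates an organisation that has no business issuing them (the
LapDogs 'LAPD' certificate pattern). Added example, not the report's code."""
import re

# Constructed sample modelled on Zeek's x509.log; not real observed data.
# Columns: ts, fuid, certificate.subject, certificate.issuer (Zeek DN strings).
SAMPLE_X509_LOG = """\
1719300000.1\tFabc1\tCN=www.example.com,O=Example Inc,C=US\tCN=R3,O=Let's Encrypt,C=US
1719300001.2\tFabc2\tCN=router.local,O=Los Angeles Police Department,L=Los Angeles,ST=CA,C=US\tCN=router.local,O=Los Angeles Police Department,L=Los Angeles,ST=CA,C=US
1719300002.3\tFabc3\tCN=nas.home,O=home\tCN=nas.home,O=home
1719300003.4\tFabc4\tCN=gw,O=LAPD,C=US\tCN=gw,O=LAPD,C=US
"""

# Assumed issuer keywords; replace with the issuer strings from the report's IOCs.
SUSPECT_ISSUER = re.compile(r"police|lapd|sheriff|department of|ministry", re.I)


def parse_dn(dn):
    """Turn a Zeek-style DN ('CN=a,O=b,C=US') into a dict of RDN -> value."""
    parts = {}
    for item in dn.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            parts[key.strip()] = value.strip()
    return parts


def is_self_signed(subject, issuer):
    """Leaf certs minted on the device itself have subject == issuer."""
    return subject == issuer


def find_suspicious_certs(log_text):
    """Return [(fuid, issuer_org, reason)] for rows that are both self-signed
    and claim an issuer matching SUSPECT_ISSUER. Either condition alone is
    noisy: home NAS boxes self-sign, and real agencies buy CA-issued certs."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, fuid, subject, issuer = line.split("\t")
        if not is_self_signed(subject, issuer):
            continue
        org = parse_dn(issuer).get("O", "")
        if SUSPECT_ISSUER.search(issuer):
            hits.append((fuid, org, "self-signed certificate claiming issuer %r" % org))
    return hits


if __name__ == "__main__":
    for fuid, org, reason in find_suspicious_certs(SAMPLE_X509_LOG):
        print(fuid, "->", reason)
```

The two conditions are combined deliberately: a self-signed certificate on its own is ordinary for consumer gear, and an issuer string naming a police department is only interesting when no CA actually vouched for it. Pivot from each hit to the device's IP, its vendor and its listening port to confirm whether it is a SOHO router that should never be presenting such a certificate.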
SecurityScorecard compares LapDogs with PolarEdge, another China-nexus ORB network, but stresses that the two differ in infrastructure and execution.
The broader concern raised is the growing attack surface. As companies rely more on distributed devices and fail to update embedded firmware, the risk of sustained espionage increases.
The report urges network defenders and ISPs to review the devices across their supply chains.
This means reactive solutions need to be reconsidered in favour of more proactive measures at the infrastructure level, such as the best FWaaS and ZTNA deployments.