
Chinese APT Hacks Routers for Secret Spy Network

A Chinese hacking group is turning everyday internet routers into silent tools for spying. Their campaign targets the U.S. and several Asian countries, building a stealth network that’s hard to trace.

SecurityScorecard uncovered this ongoing cyber-espionage operation. It’s been named LapDogs, and it already includes over 1,000 compromised routers. The hackers use a backdoor called ShortLeash, which gives them long-term access to infected devices.

They’re not causing chaos. Instead, they quietly collect data and keep their activities hidden.

The group infects small office and home routers, known as SOHO devices. Many of these are older models, mostly Ruckus Wireless and Buffalo AirStation routers, still running outdated firmware with publicly known vulnerabilities. The attackers get in through flaws such as CVE-2015-1548 and CVE-2017-17663.

Once inside, they install ShortLeash. This backdoor lets them keep access for months. It also generates a self-signed TLS certificate whose issuer claims to be the "LAPD", apparently so that the connection looks legitimate to anyone casually inspecting it.
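
One practical check that follows from this detail, added here as an example and not taken from the article or from SecurityScorecard's report: parse the issuer and subject that `openssl x509 -noout -issuer -subject` prints for each device and flag certificates whose issuer names the LAPD, noting whether they are self-signed. The sample records are constructed, the 192.0.2.0/24 addresses are documentation addresses, and the exact attribute layout of a real ShortLeash certificate is an assumption; only the "LAPD" string comes from the reporting.

```python
"""Flag ShortLeash-style TLS certificates whose issuer claims to be the LAPD.

Added example, not code from the article or from SecurityScorecard. Input is the
text printed by `openssl x509 -noout -issuer -subject`, one line per field,
prefixed with the host it came from. The DN layout of a real ShortLeash
certificate is an assumption; only the "LAPD" string comes from the reporting.
"""
import re
from collections import defaultdict

# Strings a "LAPD" masquerade might use in the issuer; anything beyond "LAPD"
# itself is an assumption.
LAPD_MARKERS = ("LAPD", "LOS ANGELES POLICE")

# Constructed sample records (documentation addresses from 192.0.2.0/24).
# Both the modern ("C = US, O = ...") and the legacy ("/C=US/O=...") openssl
# DN layouts appear so the parser is exercised on each.
SAMPLE_LINES = """
192.0.2.10 issuer=C = US, ST = California, L = Los Angeles, O = LAPD, CN = LAPD
192.0.2.10 subject=C = US, ST = California, L = Los Angeles, O = LAPD, CN = LAPD
192.0.2.11 issuer=C = US, O = Let's Encrypt, CN = R3
192.0.2.11 subject=CN = router.example.net
192.0.2.12 issuer= /C=US/O=LAPD/CN=LAPD
192.0.2.12 subject= /C=US/O=LAPD/CN=LAPD
""".strip().splitlines()


def parse_dn(dn):
    """Parse an openssl-printed DN into {ATTR: value}.

    Handles 'C = US, O = LAPD' (openssl >= 1.1.1) and '/C=US/O=LAPD' (older)."""
    dn = dn.strip()
    if dn.startswith("/"):
        parts = [p for p in dn.split("/") if p]
    else:
        # Split only at commas that start a new 'ATTR =' pair, so commas
        # inside a value survive.
        parts = [p for p in re.split(r",\s*(?=[A-Za-z.]+\s*=)", dn) if p]
    fields = {}
    for part in parts:
        key, _, value = part.partition("=")
        fields[key.strip().upper()] = value.strip()
    return fields


def cert_findings(issuer_dn, subject_dn):
    """Return the reasons a certificate looks ShortLeash-like (empty list if none)."""
    issuer = parse_dn(issuer_dn)
    subject = parse_dn(subject_dn)
    reasons = []
    if any(marker in value.upper() for value in issuer.values() for marker in LAPD_MARKERS):
        reasons.append("issuer names LAPD")
    if issuer and issuer == subject:
        reasons.append("self-signed (issuer equals subject)")
    return reasons


def scan_records(lines):
    """Group '<host> issuer=...' / '<host> subject=...' lines and return
    {host: reasons} for hosts whose certificate issuer names the LAPD."""
    per_host = defaultdict(dict)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        host, _, rest = line.partition(" ")
        field, _, dn = rest.partition("=")
        if field in ("issuer", "subject"):
            per_host[host][field] = dn
    findings = {}
    for host, fields in per_host.items():
        reasons = cert_findings(fields.get("issuer", ""), fields.get("subject", ""))
        if "issuer names LAPD" in reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in scan_records(SAMPLE_LINES).items():
        print(f"{host}: {'; '.join(reasons)}")
```

For live devices the records can be produced per host with `openssl s_client -connect "$host:443" </dev/null 2>/dev/null | openssl x509 -noout -issuer -subject | sed "s/^/$host /"` and fed to `scan_records`. The "issuer names LAPD" match is the indicator; self-signed status is recorded only as supporting context, because many legitimate routers also present self-signed certificates and that alone proves nothing.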

The hackers move slowly. Each wave hits no more than 60 routers at a time. That careful pace helps them avoid setting off alarms.

This campaign likely started in September 2023, based on the first fake certificate spotted. It has grown gradually since then. The operation shows signs of being linked to a bigger network called PolarEdge. That one includes over 2,000 compromised routers and smart devices.

Still, analysts believe LapDogs and PolarEdge are separate projects. They might be run by the same people, or different groups sharing similar tools.

Rather than attacking targets directly from these routers, the operators use them as Operational Relay Boxes (ORBs): intermediate hops that relay command-and-control traffic and stolen data so the true origin of the activity stays obscured. The routers keep serving their owners as normal, which makes the compromise hard to notice.

SecurityScorecard links the activity to a group tracked as UAT-5918, believed to be tied to China. Cisco Talos has in turn connected UAT-5918 to other well-known Chinese groups such as Volt Typhoon and Earth Estries.

In earlier intrusions, this group has relied on publicly available tools, known vulnerabilities, and stolen credentials to move deeper into networks. It also plants web shells to keep a foothold. Once inside, it can spy, steal data, or stage for future attacks.

Their focus seems regional. They’ve targeted industries like media, tech, real estate, and telecoms—mainly in the U.S., Japan, South Korea, Hong Kong, Taiwan, and Southeast Asia.