Over 1,000 SOHO Devices Compromised in China-Linked LapDogs Cyber Espionage Operation

Jun 27, 2025
Threat Hunting / Vulnerability

Cybersecurity experts have uncovered a network of over 1,000 compromised small office/home office (SOHO) devices actively supporting an extensive cyber espionage campaign linked to China-based hacking groups. This operation, dubbed LapDogs by SecurityScorecard’s STRIKE team, reveals that victims are primarily located in the United States and Southeast Asia, with the network steadily expanding. Infections are also reported in Japan, South Korea, Hong Kong, and Taiwan, affecting sectors such as IT, networking, real estate, and media. The compromised devices include those from manufacturers like Ruckus Wireless, ASUS, Buffalo Technology, Cisco-Linksys, Cross DVR, D-Link, Microsoft, Panasonic, and Synology. At the core of the LapDogs operation is a custom backdoor known as ShortLeash, specifically designed to facilitate these attacks.

Over 1,000 SOHO Devices Compromised in Cyber Espionage Campaign Linked to China

On June 27, 2025, cybersecurity experts reported the discovery of a significant network of more than 1,000 small office and home office (SOHO) devices that have been compromised for cyber espionage activities attributed to hacking groups with links to China. This extensive cyber infrastructure, named the Operational Relay Box (ORB) network, has been dubbed “LapDogs” by the STRIKE team at SecurityScorecard.

The report highlights a concerning trend: the LapDogs network has shown a marked concentration of victims primarily located in the United States and Southeast Asia, while its footprint continues to expand steadily. Other regions affected include Japan, South Korea, Hong Kong, and Taiwan, with victims spanning several industries such as information technology, networking, real estate, and media.

The compromised devices include well-known brands like Ruckus Wireless, ASUS, Buffalo Technology, Cisco-Linksys, Cross DVR, D-Link, Microsoft, Panasonic, and Synology. Such a diverse array of hardware underscores the far-reaching implications of this cyber threat. Central to the operation is a custom backdoor referred to as ShortLeash, designed to maintain persistent access to the infected systems.

In terms of the tactics employed in this attack, a framework such as the MITRE ATT&CK Matrix offers valuable insights. Potential strategies could include initial access through exploiting unpatched vulnerabilities in the targeted devices, followed by establishing persistence via the ShortLeash backdoor. The attackers may have also engaged in privilege escalation to gain higher levels of access, thereby enabling broader control over the systems.

Security professionals advise business owners to remain vigilant in light of these findings. The widespread nature of the infection highlights an urgent need for enhanced cybersecurity measures, including regular updates and monitoring of SOHO devices, which often lack the level of protection afforded to larger enterprise networks.

As this campaign continues to unfold, it is crucial for organizations to educate themselves on the signs of compromise and to implement robust security protocols. The LapDogs network exemplifies the persistent and evolving threats faced by businesses today, making it imperative to stay informed and proactive in safeguarding against such cyber risks.

Source link

Related Posts

Severe RCE Vulnerabilities in Cisco ISE and ISE-PIC Enable Unauthenticated Attackers to Obtain Root Access

Jun 26, 2025
Vulnerability, Network Security

Cisco has issued updates to resolve two critical security vulnerabilities in the Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that may allow unauthenticated attackers to execute arbitrary commands with root privileges. These vulnerabilities, identified as CVE-2025-20281 and CVE-2025-20282, both carry a maximum CVSS score of 10.0. Here’s a detailed overview of the vulnerabilities:

  • CVE-2025-20281: A remote code execution flaw impacting Cisco ISE and ISE-PIC versions 3.3 and later, enabling an unauthenticated attacker to execute arbitrary code on the system as root.

  • CVE-2025-20282: A remote code execution vulnerability in Cisco ISE and ISE-PIC version 3.4 that allows an unauthenticated attacker to upload arbitrary files to the device and execute them as root.

Cisco has indicated that CVE-2025-20281 stems from inadequate…

Major Vulnerability in Open VSX Registry Poses Supply Chain Risks for Millions of Developers

On June 26, 2025, cybersecurity analysts revealed a serious flaw in the Open VSX Registry (“open-vsx[.]org”), which, if exploited, could allow attackers to seize control of the entire Visual Studio Code extensions marketplace. This represents a significant supply chain threat. “This vulnerability gives attackers total authority over the extensions marketplace and, consequently, over millions of developer machines,” stated Oren Yomtov, a researcher at Koi Security. “By leveraging a CI issue, a malicious actor could release harmful updates to every extension available on Open VSX.” After responsibly disclosing the issue on May 4, 2025, the maintainers proposed several fixes, culminating in a final patch on June 25. The Open VSX Registry, an open-source alternative to the Visual Studio Marketplace, is maintained by the Eclipse Foundation and is used by various code editors, including Cursor, Windsurf, Google Cloud Shell Editor, and Gitpod.

MOVEit Transfer Under Heightened Threat as Scanning Activity Surges and CVE Vulnerabilities Come Under Fire

Network security firm GreyNoise has reported a “notable surge” in scanning activity targeting Progress MOVEit Transfer systems since May 27, 2025, indicating that cybercriminals may be gearing up for a new mass exploitation campaign or probing for unpatched vulnerabilities. MOVEit Transfer, widely utilized by businesses and government agencies for secure file sharing, is a prime target due to its handling of sensitive data.

“Prior to this date, scanning was minimal—typically fewer than 10 IP addresses were observed daily,” the firm stated. “However, on May 27, that number skyrocketed to over 100 unique IPs, followed by 319 on May 28.” Since then, the volume of scanning IPs has remained intermittently elevated, fluctuating between 200 and 300 daily, marking a “significant deviation” from normal patterns. GreyNoise reports that as many as 682 unique IPs have been flagged in connection with this increased activity.

Mustang Panda’s Tibet-Focused Cyber Espionage Campaign Utilizes PUBLOAD and Pubshell Malware

Jun 27, 2025
Vulnerability / Cyber Espionage

A China-linked threat group known as Mustang Panda has been identified in a new cyber espionage operation targeting the Tibetan community. The spear-phishing attacks capitalize on Tibet-related themes, including the 9th World Parliamentarians’ Convention on Tibet (WPCT), China’s education policy in the Tibet Autonomous Region (TAR), and recent publications by the 14th Dalai Lama, as reported by IBM X-Force. Their cybersecurity division noted the campaign earlier this month, which involved the deployment of PUBLOAD, a known malware associated with Mustang Panda. They track this threat actor under the alias Hive0154. The attack vectors utilize Tibet-themed enticements to deliver a harmful archive containing a seemingly harmless Microsoft Word file, alongside articles from Tibetan websites and images from WPCT, ultimately tricking users into executing a disguised executable. This executable has been observed in previous Mustang Panda attacks…