ShortLeash backdoor, used in the China-linked LapDogs campaign since 2023, enables stealth access, persistence, and data theft via compromised SOHO routers and fake certs.
Analysis Summary
# Threat Actor: LapDogs
## Attribution & Identity
Attributed as a China-linked threat actor. No alias other than the campaign name "LapDogs" is given; the malware associated with the campaign is the "ShortLeash" backdoor.
## Activity Summary
The actor has been active since at least 2023, conducting operations characterized by deploying the ShortLeash backdoor to achieve stealth access, persistence, and data exfiltration. The campaign leverages compromised Small Office/Home Office (SOHO) routers as part of its operations.
## Tactics, Techniques & Procedures
- **Initial Access/Persistence:** Utilizing compromised SOHO routers.
- **Evasion/Authenticity:** Employing fake digital certificates for malicious files.
- **Capability:** Deploying the ShortLeash backdoor for stealth access, persistence, and data theft.
## Targeting
- **Sectors:** Not explicitly listed, but the use of SOHO routers suggests potential targeting of networks leveraging these devices.
- **Geography:** Not specified in the summary.
- **Victims:** Not specifically named, though SOHO routers are the vector of compromise.
## Tools & Infrastructure
- **Malware families used:** ShortLeash backdoor.
- **Infrastructure (C2, domains, IPs):** Compromised SOHO routers are described as infrastructure supporting the campaign; no specific C2 domains or IP addresses are listed. Fake digital certificates were used to sign artifacts.
## Implications
The use of compromised SOHO routers suggests a focus on establishing resilient, wide-reaching access points that can be difficult to detect or attribute back to the primary attacker. The use of pre-compromised infrastructure combined with digital certificate spoofing indicates a mature threat actor seeking stealth and operational security.
## Mitigations
- Focus on monitoring and securing SOHO/SMB router environments for anomalies indicative of compromise or tunneling.
- Implement rigorous verification processes for digital certificates used by software attempting to execute on the network.