July 4, 2025

Chinese APT Hacking Routers to Build Espionage Infrastructure

A China-linked advanced persistent threat group tracked as LapDogs has been targeting small office/home office (SOHO) routers to build a covert espionage network. Over the course of the operation, the group embedded a custom backdoor named ShortLeash into these devices, turning them into relay nodes; more than 1,000 compromised routers now serve as stealthy gateways into targeted networks.

This campaign has primarily focused on sectors like IT, media, real estate, and telecommunications across the U.S. and several Southeast Asian countries, including Japan, South Korea, Hong Kong, and Taiwan. The goal is long-term, persistent access rather than immediate disruption—these router-based relays allow attackers to spy and move laterally with minimal detection.

Security analysts describe the setup as an "operational relay box" infrastructure: once the router is infected, it serves as a hidden pathway that connects internal systems to the attackers’ command-and-control servers. Such covert channels are hard to spot because routers typically lack the security monitoring applied to servers or desktop devices.

In previous campaigns, similar tactics—hijacking of SOHO routers—were used by other Chinese state-aligned actors, indicating a growing trend in targeting network edge devices to establish espionage footholds.

Source: https://www.securityweek.com/chinese-apt-hacking-routers-to-build-espionage-infrastructure/
