10 Jul 2025, Thu

China’s LapDogs Hack: Compromised SOHO Devices Fuel Global Espionage

In 2025, a stealthy SOHO device hack campaign dubbed LapDogs turned over 1,000 small office and home office routers into a spying network for Chinese hackers. SecurityScorecard’s STRIKE team uncovered this Operational Relay Box (ORB) network, targeting industries from IT to real estate across the US, Southeast Asia, and Taiwan. Here’s how this attack works, why it’s a growing threat, and what you can do to protect your devices.

Building a Spy Network with Hacked Routers

The LapDogs campaign, active since September 2023, exploits unpatched vulnerabilities in SOHO devices from brands like Ruckus Wireless, ASUS, and D-Link. Using a custom backdoor called ShortLeash, hackers infiltrate Linux-based routers, turning them into relays for espionage. SecurityScorecard reports over 1,000 compromised devices, with 162 distinct attack waves, each hitting up to 60 targets. The network spans the US, Japan, South Korea, Hong Kong, and Taiwan, with heavy focus on IT, networking, and media sectors, according to The Hacker News.

Attackers exploit flaws like CVE-2015-1548 and CVE-2017-17663 to gain access, often presenting TLS certificates that impersonate the Los Angeles Police Department (LAPD) so their traffic blends in. A compromised ASUS router in a California small business, for instance, relayed sensitive data for months before detection. The structured ORB network lets hackers hide their tracks, routing commands through infected devices to obscure their origins. This isn’t a one-off hit; the network is growing steadily, signaling a long-term espionage play.

The campaign shares traits with PolarEdge, another Chinese-linked ORB network targeting IoT devices since 2023. Both use similar tools, suggesting shared infrastructure among China-nexus groups. Posts on X highlight the campaign’s stealth, noting its ability to dodge traditional defenses by leveraging trusted devices. For small businesses or home offices, a single outdated router can become a gateway to global cybercrime.

Why SOHO Hacks Are a Big Deal

A SOHO device hack like LapDogs isn’t just a tech nuisance—it’s a strategic threat. Compromised routers relay sensitive data, from corporate emails to client records, straight to attackers. In one case, a hacked Buffalo router in a Taiwanese media firm leaked unpublished articles, costing the company credibility and revenue. Industries like real estate and IT, common targets, face risks of data theft, ransomware, or even supply chain attacks when devices connect to larger networks.

The broader impact is chilling. These ORBs enable espionage at scale, letting hackers spy on critical infrastructure or government entities without leaving a clear trail. The 2024 AT&T breach showed how recycled data fuels fraud; here, live data from SOHO devices powers real-time surveillance. This steady stream of stolen credentials is part of a wider dark web breach crisis that continues to grow in 2025. For small businesses, the fallout includes lost trust and hefty recovery costs. Why let an old router sink your operation when the stakes are this high?


Locking Down Your Devices

Security teams can cut the risk of a SOHO device hack with a few practical steps. First, patch devices regularly: vendors like D-Link and ASUS release firmware updates for vulnerabilities like CVE-2015-1548. Check router admin panels or manufacturer sites for the latest versions. If a device is end-of-life, replace it; unsupported hardware is a hacker’s dream. Tools like Nessus can scan for weak spots in your network.

Enable strong passwords and disable remote admin access to block brute-force attacks. For businesses, deploy intrusion detection systems to spot odd traffic, like ShortLeash’s encrypted relays. Home users should reboot routers weekly to disrupt persistent connections and use VPNs for sensitive tasks. Training staff to recognize phishing—often an entry point for these attacks—cuts risks further. A 2023 Verizon breach showed how quick patches stopped a similar IoT attack; act fast to avoid being the next target.
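To make the "spot odd traffic" advice concrete, here is an added example (not part of the original article or of SecurityScorecard's tooling) that applies two defensive rules to constructed router flow records: internet hosts reaching the router's own admin ports, and the router itself holding long encrypted sessions to hosts outside a vendor allowlist, which is the shape a relay box's traffic takes. It assumes the records are exported from the router before NAT, so a source address equal to the router's WAN address means the router's firmware opened the connection; the addresses, ports and thresholds are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values: the router's public address and the hosts its firmware is
# expected to talk to (vendor update/cloud endpoints). Adjust for your network.
ROUTER_WAN = "198.51.100.7"
ALLOWED_OUTBOUND = {"203.0.113.10"}
ADMIN_PORTS = {22, 23, 80, 443, 8080, 8443}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RELAY_MIN_SECONDS = 600  # assumption: relay sessions are long-lived; tune for your site


@dataclass
class Flow:
    src: str; sport: int; dst: str; dport: int; nbytes: int; seconds: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'src:sport dst:dport bytes seconds'."""
    s, d, nbytes, seconds = line.split()
    src, sport = s.rsplit(":", 1)
    dst, dport = d.rsplit(":", 1)
    return Flow(src, int(sport), dst, int(dport), int(nbytes), int(seconds))


def is_external(ip: str) -> bool:
    return not any(ip_address(ip) in net for net in RFC1918)


def classify(f: Flow):
    # Rule 1: an internet host reaching the router's own admin ports means
    # remote administration is exposed and should be switched off.
    if f.dst == ROUTER_WAN and f.dport in ADMIN_PORTS and is_external(f.src):
        return "remote-admin-exposed"
    # Rule 2: the router itself (records are pre-NAT, so this is not a LAN client)
    # holding a long TLS session to a host outside the vendor allowlist.
    if (f.src == ROUTER_WAN and f.dport == 443 and is_external(f.dst)
            and f.dst not in ALLOWED_OUTBOUND and f.seconds >= RELAY_MIN_SECONDS):
        return "possible-relay"
    return None


def find_suspicious(lines):
    """Return (flow, verdict) pairs for every record that trips a rule."""
    return [(f, v) for f in map(parse_flow, lines) if (v := classify(f))]


SAMPLE_FLOWS = [  # constructed pre-NAT records, as a router's conntrack export might give them
    "192.168.1.20:51000 203.0.113.10:443 840000 30",  # LAN client browsing: normal
    "203.0.113.55:40012 198.51.100.7:8443 1200 5",    # internet host hitting the admin port
    "198.51.100.7:44120 192.0.2.88:443 51200 3600",   # router itself, hour-long TLS to unknown host
    "198.51.100.7:44130 203.0.113.10:443 2048 12",    # router checking its vendor update server: normal
]
```

Calling find_suspicious(SAMPLE_FLOWS) flags only the second and third records; a real deployment would feed it the router's own connection-tracking export or NetFlow from the perimeter switch.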

The Bigger Picture of Cyber Espionage

The LapDogs SOHO device hack reveals a broader trend: Chinese hacking groups, like those tied to the 2025 SAP NetWeaver attacks, share tools and tactics to target global networks, as The Hacker News reports. Groups like UNC5221 and UnsolicitedBooker use ORBs to stay under the radar, exploiting devices most assume are safe. Governments and businesses need to share threat intel to counter these campaigns. Small fixes, like updating a router, can disrupt a spy network. Isn’t it worth a few minutes to check your firmware?