MDR · 7 MIN READ · MALACHI WOODLEE · SEP 24, 2025 · TAGS: Threat hunting
TL;DR
- In a recent threat hunt, we used publicly disclosed threat intelligence to find evidence of similar activity in several of our customers’ logs.
- The threat actors in question are compromising SOHO devices for use as part of an ORB network.
- Want to get straight to a quick summary and the IOCs associated with the activity discovered? Jump to our Appendix.
[EDITOR’S NOTE: A few months ago, we started encouraging our team to break away from boring security writing. “Be authentic,” we said. “Let your personality shine through,” we said.
Malachi Woodlee, a Senior Detection & Response Engineer—who claims to occasionally work as a Hunter S. Thompson impersonator on Fremont Avenue in Las Vegas, as well as a Gonzo journalist covering the intersection of pop-culture, politics, and cybersecurity—took this as a personal challenge.
The result? An unhinged treatise that somehow still contains actionable threat intelligence. We’re not even mad—we’re impressed. Buckle up.]
I was somewhere around the middle of the daily threat feed when the title grabbed my attention. It promised and delivered: Typhoon-like gang, TLS certs, and spoofing none other than the Los Angeles Police Department (LAPD). It piqued my interest. This was during the summer of 2025, when the City of Angels topped headlines because of a new federal interest in the way the Angeleno government was doing its business. The audacity of spoofing the LAPD on self-signed TLS certs as part of an ORB network. And suddenly there was a flurry of browser tabs. My mind was racing: “Holy firewall! What are these ORB networks?!”
Operational Relay Box (ORB) networks are networks of proxies made up of virtual private servers (VPS), internet of things (IoT) devices, smart devices, and routers, used by advanced persistent threat (APT) actors. ORB networks offer attackers a shield to hide traffic between their command and control (C2) infrastructure and their victims. Typical ORB networks are built from both rented VPS nodes and compromised devices infected with malware. Check out Mandiant’s excellent article.
It was almost noon when I found SecurityScorecard’s STRIKE research team’s report on LapDogs. (I highly recommend reading the report.) The STRIKE team identified evidence that this ORB network was independent of previously tracked networks, targeting mostly small office/home office (SOHO) devices. Additionally, they found a custom piece of malware deployed on the compromised devices, a backdoor they called ShortLeash, which generates the self-signed TLS certificates with spoofed metadata attributed to the LAPD.
Based on documentation for scripts and tools written in Mandarin and victim analysis pointing to locations in the US and southeast Asia, SecurityScorecard researchers noted with moderate confidence that this ORB network is used by Chinese threat actors. Never mind, I was now at the heart of things. ShortLeash. LAPD. These compromised devices were LapDogs brought to heel by their humans, waiting to attack unwitting, unprotected SOHO devices.
The STRIKE team traced certificates to 1,000+ nodes in the unforgiving wild. And, given that this feral ORB network was targeting the US, I had an ominous thought: LapDogs sniffing around our customers’ networks. So I did what you would do—I went hunting.
I started with my hypothesis: Threat actors are hiding activity using devices with self-signed certificates spoofing the LAPD. Knowing, as any hot-blooded scientist knows, that any worthwhile experiment must be replicated, I needed to replicate SecurityScorecard’s device finding. Pointing my browser toward Censys, and getting an assist with the query syntax, I obtained a list of devices presenting self-signed certificates, all pretending the organization that signed them was the LAPD.
As of today’s writing, this incantation returns over 12K results.
Having successfully replicated the result, I now had a list containing more than 1,000 devices. But the list was too long to feed to the IP Scoper General, an internally developed query that can canvas all our cloud customers’ data in a single go. So, homing in on the SOHO thing, I filtered the list down to hosts that Censys had also tagged as having login pages. Login pages are interesting because they usually give you an idea of the software running the service. Sometimes they even include a version number.
I handed the filtered list off to the IP Scoper General, who dutifully marched off to scour the long list of logs (Office 365, Okta, GitHub, et al.) for any indication of LapDogs. It didn’t take long before I had what I feared and loathed: results within our customer data. Third-party devices infected with ShortLeash were being used to log into our customers’ networks.
Business as unusual…in Hong Kong
International hospitality is a very heavy business–and it requires its own massive infrastructure to support it. It was inside a Hong Kong-based server where the first signs of the hounds appeared. A neon sign indicating the presence of ShortLeash is HTTP biting down on an ephemeral port. This box was serving HTTP on port 61625. A quick check of the TLS cert confirmed we had the hound in our sights.
A review of the customer’s logs identified what appeared to be normal traffic for this customer’s network. A user checking their email via virtual private network (VPN) had the misfortune of getting connected through a possible node in the LapDog network. With no indications that an attacker had taken actions on the objective, we contacted the customer to alert them of a possible passive data leak.
Transformers…dodgy routers?
The Okta login events were clustered, tracing the authentication activities of two different users connecting to two different customer environments. The first user, a seasonal employee, logged in to take advantage of the great benefits offered by their employer. The second user did not appear to be an employee of our customer, but had authenticated to the customer’s network, bringing along their infected device for the ride. A review of the open ports and services on the devices the users originated from showed a similar pattern…public access to a service with a known critical vulnerability.
Of course. ASUS routers! The users were both connecting from devices hosting a publicly accessible AiCloud login. ASUS routers were a prime target of threat actors in early 2025. A critical vulnerability with a CVSS score of 9.2 dropped in April (CVE-2025-2492). This vulnerability affected routers that had AiCloud enabled and potentially granted remote attackers the ability to execute functions. In May, researchers at Sekoia and GreyNoise had identified a campaign against ASUS using older vulnerabilities (CVE-2021-32030 and CVE-2023-39780, respectively). The STRIKE team had reported that LapDogs were vendor specialists, focusing on Ruckus and Buffalo Technology AirStation devices. Could they have an interest in a new vendor?
“Well, why not,” I thought. I didn’t have access to the devices or the logs, though, and couldn’t confirm that LapDogs had used one of the reported ASUS vulnerabilities to sneak under the fence and into the customers’ yards. Here was evidence, however they exploited them, that LapDogs were not snobbish about SOHO routers. The access also granted a certain vantage point.
The user, who authed from their infected router to our customer’s network, was an employee of a company that produced components for use in the critical infrastructure of our very own United States. That’s something LapDogs might have an interest in. Or maybe they’re just opportunists exploiting vulnerabilities in ASUS routers when they find them. Either way, this company sells products that are used in the energy sector, making them part of a uniquely critical ecosystem that performs an enabling function across all infrastructure sectors, according to the Cybersecurity & Infrastructure Security Agency (CISA). Critical infrastructure…CISA. This was heavy.
From inside of this SOHO router, the LapDogs would be able to sniff at the traffic coming and going through this company. They could snatch data from this vantage point easily. Time to alert the Feds.
With no other actions on objectives observed, the users authenticated and continued to behave in a way that was in line with their typical baselines. We alerted the customers of the potential data leakage, then reported the LapDog presence in the SOHO router to the Department of Energy.
Implications? Reflections on a defensive strategy
In each of the cases we discovered, LapDogs were making themselves at home in someone else’s dog house. It’s possible that a LapDog-rented VPS was used in Hong Kong by an unsuspecting user. We saw evidence of the actor using ASUS routers located in the United States and owned by private individuals or companies.
In each case we informed our customers of the results of the hunt and made recommendations on how to defend against these attacks.
We observed and recommend looking for the following characteristics of ShortLeash infections:
- Look for HTTP connections to endpoints on ephemeral ports with short, hex-only responses on these paths:
  - /
  - /sitemap.xml
  - /wiki
  - /security.txt
  - /robots.txt
  - /login
  - /.well-known/security.txt
- Heavily scrutinize any traffic from devices that present a self-signed certificate using C=US, ST=California, L=LA, O=LAPD, OU=Police department, CN=ROOT as the Subject DN or Issuer DN.
- Encourage teams working remotely or from home offices to keep SOHO devices up-to-date with security patches, and confirm that they have disabled external access to any services (such as AiCloud on ASUS routers) on these devices.
Appendix: Summary and IOCs
Just here for the IOCs? Don’t know Hunter S. Thompson? We don’t judge.
Inspired by some great research by Mandiant and SecurityScorecard on ORB networks, we decided to check whether any of our customers were being impacted by these attacks. We started our research by searching Censys for devices presenting the spoofed TLS certs. Next, we collected the IPs of these devices and used an internally developed search to identify interactions between our customers and those IPs.
In a nutshell, LapDogs has been spoofing TLS certs to give the appearance that the signing organization is the LAPD, while adding SOHO devices as nodes to their ORB network. We used this info to hunt through customer logs looking for signs of their activity and uncovered several incidents where third-party SOHO devices—containing the ShortLeash malware with certs supposedly issued by the LAPD—were connecting to their networks.
Indicators of compromise (IOCs):
- Spoofed TLS certificate subject/issuer DN: C=US, ST=California, L=LA, O=LAPD, OU=Police department, CN=ROOT (Scrutinize any traffic from devices presenting self-signed certificates with this specific subject or issuer DN.)
- ShortLeash C2 communication pattern: HTTP GET requests on ephemeral ports (e.g., >49151) to URIs masquerading as benign web paths (e.g., /sitemap.xml, /wiki/security.txt, /robots.txt, /login, /.well-known/security.txt). Look for server responses that are unexpectedly short, non-standard (for example, not typical HTML), and primarily composed of hex characters.
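The two ShortLeash characteristics listed above (and in the defensive recommendations earlier) can be turned into a small triage check. The following is an added example written for this page, not code from the post or from Expel’s own tooling; the `HttpRecord` layout, the 64-byte “short body” threshold, and the TEST-NET sample records are constructed assumptions, while the paths, port boundary, and LAPD DN are taken from the post.

```python
import re
from dataclasses import dataclass

# Indicators quoted from the post: benign-looking paths ShortLeash answers on,
# the spoofed LAPD DN, and the ephemeral-port boundary (post: ">49151").
SHORTLEASH_PATHS = {"/", "/sitemap.xml", "/wiki", "/security.txt",
                    "/robots.txt", "/login", "/.well-known/security.txt"}
LAPD_DN = {"C": "US", "ST": "California", "L": "LA", "O": "LAPD",
           "OU": "Police department", "CN": "ROOT"}
EPHEMERAL_MIN = 49152
MAX_BODY = 64  # assumption: what counts as a "short" body; tune per environment

def parse_dn(dn: str) -> dict:
    """Split 'C=US, ST=California, ...' into {attr: value}; assumes no escaped commas."""
    parts = {}
    for item in dn.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            parts[key.strip()] = value.strip()
    return parts

def dn_is_spoofed_lapd(dn: str) -> bool:
    """True when every attribute matches the LAPD DN, whatever the RDN order."""
    return parse_dn(dn) == LAPD_DN

@dataclass
class HttpRecord:
    dst_ip: str
    dst_port: int
    path: str
    body: str
    cert_subject: str = ""
    cert_issuer: str = ""

def score_record(rec: HttpRecord) -> list:
    """Return the ShortLeash indicators a record matches (empty list = clean)."""
    hits = []
    if (rec.dst_port >= EPHEMERAL_MIN and rec.path in SHORTLEASH_PATHS
            and 0 < len(rec.body) <= MAX_BODY and re.fullmatch(r"[0-9a-fA-F]+", rec.body)):
        hits.append("ephemeral-port hex response")
    if dn_is_spoofed_lapd(rec.cert_subject) or dn_is_spoofed_lapd(rec.cert_issuer):
        hits.append("LAPD spoofed DN")
    return hits

def hunt(records) -> dict:
    """Map dst_ip -> matched indicators, keeping only records that hit something."""
    return {r.dst_ip: score_record(r) for r in records if score_record(r)}

# Constructed sample records (TEST-NET addresses, not real observations).
LAPD = "C=US, ST=California, L=LA, O=LAPD, OU=Police department, CN=ROOT"
SAMPLE = [
    HttpRecord("203.0.113.10", 61625, "/sitemap.xml", "0a1b2c3d", LAPD, LAPD),
    HttpRecord("203.0.113.20", 443, "/login", "<html>ok</html>",
               "CN=portal.example.com", "CN=Example CA"),
    HttpRecord("203.0.113.30", 50000, "/robots.txt", "User-agent: *"),
]
if __name__ == "__main__":
    print(hunt(SAMPLE))  # {'203.0.113.10': ['ephemeral-port hex response', 'LAPD spoofed DN']}
```

Only the first sample record trips both indicators; the third shows why the hex-only body check matters, since an ephemeral port plus a benign path alone is not enough to call a host a node.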
The following table contains the IP addresses and related ASNs returned by our Censys query presenting LAPD certs.