Gonzo threat hunting: LapDogs & ShortLeash
ID: 13e94991-0c3b-5c5f-9cd8-07474c7bb4d3
STIX ID: report--13e94991-0c3b-5c5f-9cd8-07474c7bb4d3
Feed Name: Expel Blog
Using Censys and internal log hunts, analysts identified an ORB (Operational Relay Box) campaign called 'LapDogs' that deploys the ShortLeash backdoor to compromise SOHO devices (notably routers) and proxies traffic through nodes that present spoofed self-signed TLS certificates purporting to belong to the LAPD. The report includes IOCs (a specific certificate DN, C2 HTTP GET patterns on ephemeral ports with short hex responses, and a long list of IPs/ASNs), notes suspected Chinese attribution, documents customer exposures (passive data leakage), and recommends patching SOHO devices and monitoring for or blocking the provided indicators.
