Chinese Hacking Group Adds Three New Backdoors to Its Router Attack Kit

The group behind a long-running campaign targeting small office routers has quietly expanded its toolbox, giving it more ways to hide inside a victim's network.

ThreatVectr Newsdesk· 3 min read
A close-up, editorial-style photograph of a small black wireless router sitting on a plain wooden desk in a modest office, indicator lights glowing faintly gree
Share

Key points

  • Cisco has linked the LapDogs campaign, a long-running series of attacks on small office and home office routers, to a China-linked hacking group.
  • Three new backdoors, named LongLeash, DogLeash, and JarLeash, have been added to the group's toolkit, according to Cisco's research.
  • Small office and home office routers are the primary targets, meaning the risk extends to small businesses and remote workers, not just large corporations.
  • No public CVE, meaning no official flaw identifier, has been attached to this disclosure at time of writing.

A Chinese-linked hacking group has added three new backdoors to the set of tools it uses to break into small office and home office routers. A backdoor, in plain terms, is a hidden program secretly installed on a device that lets the attacker return whenever they want, without a password.

Cisco, the networking company whose researchers track this activity, says the group is the same one behind a campaign it calls LapDogs. That campaign has focused on routers of the kind you might find in a dentist's waiting room, a small accountancy firm, or a spare bedroom used as a home office.

The three new programs are called LongLeash, DogLeash, and JarLeash. Each is a different flavour of backdoor, likely written to work on different devices or to survive the removal of one of the others. Attackers routinely deploy multiple tools so that cleaning one off a device does not cut their access entirely.

Why should a small business owner care?

Because routers in small offices are the front door to everything behind them. A compromised router, one the attackers have secretly taken control of, can let criminals watch all the traffic flowing through it, redirect users to fake websites, or tunnel deeper into connected computers and servers. The user sitting at a desk inside that office would likely see nothing unusual at all.

Campaigns like LapDogs often serve a broader strategic goal. Smaller organisations become stepping stones. Attackers use them to reach the larger companies, government agencies, or supply chains those small firms connect to.

SecurityWeek first reported on the expanded toolkit.

If you run a small business or work from home, the immediate practical step is straightforward: check whether your router's manufacturer has issued a firmware update, which is a software patch that fixes known weaknesses in the device, and install it. Most routers allow automatic updates in their settings menu. Enable that if yours does.

Change the router's default administrator password if you have not already. Default passwords are publicly known and are among the first things attackers try.

For organisations with IT teams, Cisco's disclosure is a prompt to audit which routers sit at the edges of the network, confirm they are running current firmware, and check whether any unexpected outbound connections are visible in traffic logs.

© 2026 Threat Vectr