China-Linked Hackers: UAT-7810 Expands ORB Network with LONGLEASH Malware Targeting Routers
China-linked hackers expand ORB network with new LONGLEASH malware targeting routers
A Chinese threat actor known as UAT-7810 is actively upgrading its custom malware arsenal to grow a covert network of compromised devices used to launch attacks on high-value global targets.
The campaign represents a significant escalation in China-linked cyber espionage operations. UAT-7810 is building infrastructure that other threat actors can weaponize — making it a force multiplier for state-sponsored attacks against critical systems worldwide.
What is UAT-7810 and Why Does It Matter
According to findings published July 8, 2026 by Cisco Talos researchers Jungsoo An, Asheer Malhotra, Vanja Svajcer, and Brandon White, UAT-7810 is an advanced persistent threat actor responsible for sustained, covert intrusion campaigns — specifically tasked with maintaining and expanding a sprawling Operational Relay Box (ORB) network known as LapDogs. The network first came to public attention in June 2025.
An ORB network functions as a shadowy relay system — a web of compromised devices that obscures the origin of attacks and gives threat actors a launchpad for targeting sensitive infrastructure. The digital equivalent of a money-laundering operation applied to malicious network traffic, these networks are deliberately designed to make attribution difficult and defenders' jobs significantly harder.
"UAT-7810 is most likely tasked with establishing Operational Relay Box (ORB) networks that can then be leveraged by associated secondary threat actors to conduct their own malicious attacks against high value targets," the Cisco Talos researchers said.
One confirmed beneficiary of this infrastructure is UAT-5918, a separate China-nexus threat actor linked to cyberattacks targeting critical infrastructure entities in Taiwan since at least 2023. That group's goal is to establish persistent access within victim environments — and UAT-7810's network gives them the cover to do it. The relationship between these two actors illustrates a broader operational model increasingly observed in state-sponsored cyber espionage: a division of labor where one group builds and maintains infrastructure while another exploits it for intelligence collection or disruption.
Why ORB Networks Are a Force Multiplier
The strategic value of ORB infrastructure cannot be overstated. By routing malicious traffic through layers of compromised legitimate devices — routers, embedded systems, and edge hardware — attackers effectively launder their digital footprints. Security teams attempting to trace an intrusion are confronted with a chain of innocent-looking relay nodes rather than a direct line back to the attacker. This makes incident response slower, threat attribution harder, and coordinated takedowns far more complex.
The LapDogs network operated by UAT-7810 follows this model at scale, with evidence suggesting the infrastructure is made available to multiple downstream threat actors — broadening its impact well beyond any single campaign.
The LONGLEASH Malware and Its Growing Toolkit
A Maturing and Well-Resourced Development Cycle
At the center of this campaign is a suite of custom-built malware tools that continue to evolve at an alarming pace. UAT-7810's earlier tool, ShortLeash, has now been succeeded by a more capable framework called LONGLEASH. The upgrade signals an active and well-resourced development cycle — one characteristic of a threat actor operating with institutional backing and long-term objectives.
Understanding the full scope of what UAT-7810 has built requires examining each component in detail. For broader context on how malicious software of this nature is classified and deployed, a working knowledge of the different types of malware used in modern cyberattacks is essential for security teams assessing their exposure.
LONGLEASH introduces an executor component capable of proxying functions across multiple protocols including HTTP, DNS, SOCKS, TCP, ICMP, and UDP. It can manage network connections to other servers, authorize clients, and — critically — remove the implant and erase all traces from a server if any tampering is detected. It can also act as an intermediate command-and-control (C2) server to relay instructions from a primary C2 server to connected peers.
Additional Previously Unreported Tools
Alongside LONGLEASH, two additional previously unreported tools have been identified:
- DOGLEASH — a passive backdoor capable of executing arbitrary shellcode on compromised Linux devices
- LEASHTEST — an ELF binary used to test specific functionality such as creating threads, child processes, or async timers on MIPS-based embedded devices
Researchers also identified a Java-based backdoor called JARLEASH deployed on at least one of the group's servers. It supports administrative functions including file management, FTP, SFTP, and Netcat — giving operators broad remote control over compromised systems.
"UAT-7810 used at least four new servers to host a variety of minor variations of DOGLEASH to deploy against compromised targets," the Talos researchers noted.
The breadth of this toolkit — spanning passive backdoors, protocol-agnostic proxying, anti-forensic self-removal, and embedded device testing — reflects a threat actor that has moved well beyond opportunistic exploitation. This is a deliberate, layered capability built for persistence and operational security.
Router Vulnerabilities Are the Entry Point
Known Flaws, Unpatched Systems
UAT-7810 is gaining its foothold by exploiting known but unpatched vulnerabilities in widely used networking hardware. The group has been observed weaponizing flaws in Ruckus wireless routers including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717. More recently, campaigns have targeted ASUS AiCloud routers vulnerable to CVE-2025-2492 — a move researchers say may reflect efforts to expand the ORB network further.
The continued targeting of MIPS-based embedded devices is particularly notable. Talos researchers pointed out that the existence of LEASHTEST suggests UAT-7810 has not yet fully validated LONGLEASH's behavior on MIPS platforms. "The development and use of LEASHTEST signifies that even though they have developed LONGLEASH, a full-fledged backdoor framework, UAT-7810 is still actively testing functionality on MIPS platforms and may not be completely confident of its behavior on MIPS devices," Talos said.
This incremental testing approach signals a disciplined, methodical threat actor — one that is not rushing deployment and is carefully stress-testing tools before wider use. It also suggests the group's targeting ambitions extend further into the embedded device ecosystem, with MIPS-based hardware representing a likely next frontier for ORB node recruitment.
The Chronic Problem of Under-Patched Edge Devices
The pattern mirrors a recurring theme in high-stakes cyber operations: routers and edge devices remain chronically under-patched and over-trusted. Network perimeter hardware that rarely receives security updates is an attacker's ideal entry point — invisible to endpoint detection tools and often running for years without scrutiny.
This is not a new observation, but the UAT-7810 campaign demonstrates how systematically state-linked actors are exploiting this gap. Unlike endpoint devices that typically sit within a managed security perimeter, routers and embedded networking hardware frequently operate outside the scope of traditional vulnerability management programs. Organizations that invest heavily in endpoint detection and response often have near-zero visibility into what is traversing or compromising their edge infrastructure. Effective cyber threat intelligence programs focused on emerging attack vectors can help bridge this gap by providing early warning of campaigns targeting specific hardware classes before they reach an organization's own environment.
The Cisco Talos findings underscore how quickly state-linked threat actors are maturing their capabilities. What began as a network maintenance operation has evolved into a sophisticated multi-tool espionage platform with global reach. For the latest technical detail from Cisco Talos directly, the Cisco Talos Intelligence Blog remains the authoritative source for ongoing updates on this and related campaigns.
How to Respond: Guidance for Security and Network Teams
- Network administrators should immediately audit and patch all internet-facing routers — particularly Ruckus and ASUS AiCloud devices — against the CVEs identified in this report. CVE-2025-2492 in particular represents an active exploitation target and should be treated as a priority remediation item.
- Security teams should implement network traffic monitoring for anomalous use of proxying protocols including ICMP and DNS, which LONGLEASH is known to exploit. Baseline traffic profiling on edge devices can surface unexpected protocol usage that endpoint tools would never catch.
- Organizations operating in sectors targeted by UAT-5918 — particularly critical infrastructure — should treat edge device compromise as a primary threat vector and adopt zero-trust principles for lateral network access. Assuming that internal network traffic originating from a router is inherently trustworthy is no longer a defensible posture.