Introduction
A sophisticated hacking group linked to China, known as UAT-7810, is expanding its global network of compromised internet devices by exploiting vulnerabilities in Ruckus wireless routers. This operation is part of what researchers have termed an Operational Relay Box (ORB) network, which disguises the source of cyberattacks by routing malicious traffic through everyday home and business networks.
Such networks have been under scrutiny since 2025 when security experts first identified the LapDogs infrastructure. Despite ongoing efforts to curb its expansion, UAT-7810 continues to enhance its network, making it increasingly challenging for cybersecurity specialists to trace back the origins of these attacks.
Exploitation of Ruckus Routers
UAT-7810’s primary method involves exploiting known vulnerabilities in unpatched Ruckus routers. This strategy highlights the risks associated with outdated firmware, which remains an easy target for cyber intrusions. Once a router is compromised, the hackers deploy custom malware to maintain long-term control over the device.
The core of their current campaign involves a backdoor called SHORTLEASH, which is being phased out in favor of a more advanced variant named LONGLEASH. This upgraded tool not only operates as a proxy but also manages encrypted tunnels and functions as a command server, effectively masking its activities as standard web traffic.
New Tools and Techniques
In addition to LONGLEASH, researchers from Cisco Talos have identified two new tools used by the hackers: DOGLEASH and JARLEASH. DOGLEASH is a lightweight backdoor that listens for specific instructions on infected devices, while JARLEASH provides a file management interface and transfer capabilities, coded with comments in Simplified Chinese.
These tools are part of a larger toolkit designed to enhance the group’s ability to maintain their ORB network. By sharing certain tools with another China-linked group, UAT-5918, UAT-7810 demonstrates a collaborative approach to sustaining and expanding their cyber capabilities.
Implications and Preventive Measures
Ruckus routers are a favored entry point due to their widespread use and the presence of unaddressed vulnerabilities. Since 2025, UAT-7810 has exploited at least three known flaws to infiltrate these devices, which are then integrated into the ORB network for extended periods without owner detection.
To mitigate these threats, both organizations and individual users are urged to ensure their routers receive the latest security updates and consider replacing outdated hardware. Network segmentation can also help limit the impact of a compromised router by isolating it from other devices.
Conclusion
The ongoing activities of UAT-7810 underscore the importance of maintaining robust cybersecurity practices. Regular monitoring of network traffic for anomalies and adopting proactive defense measures are critical steps in protecting against such persistent threats. As this group continues to refine its techniques, staying informed and vigilant remains essential for safeguarding critical infrastructure.
