A sophisticated Chinese cyber threat, identified as UAT-7810, is actively upgrading its unique malware to broaden its Operational Relay Box (ORB) network. This advancement is achieved by targeting internet-exposed networking devices, as revealed by Cisco Talos researchers.
UAT-7810’s Expansion of ORB Network
UAT-7810, an advanced persistent threat (APT) group, is known for managing the LapDogs ORB network that emerged in June 2025. This network is reportedly utilized by related threat actors for launching malicious attacks on high-value targets. According to researchers Jungsoo An, Asheer Malhotra, Vanja Svajcer, and Brandon White, UAT-7810’s efforts are pivotal in establishing ORB networks that facilitate secondary threat actors’ operations.
In particular, the infrastructure has been exploited by UAT-5918, another China-affiliated threat actor, to target critical infrastructure in Taiwan since 2023, aiming to maintain long-term access within these systems.
LONGLEASH and Additional Tools
Recent developments indicate that UAT-7810 has been refining its custom malware, ShortLeash, with an updated version named LONGLEASH. Additionally, the threat actor employs two newly uncovered tools: DOGLEASH, a passive backdoor for executing shellcode on compromised Linux devices, and LEASHTEST, an ELF binary designed to test functions on MIPS-based devices like creating threads and processes.
Researchers noted the use of at least four new servers by UAT-7810 to host varied versions of DOGLEASH for deployment against compromised systems. Moreover, a Java-based backdoor, JARLEASH, was identified on one of the servers, facilitating administrative tasks such as file management and network protocols like FTP and SFTP.
Exploiting Known Vulnerabilities
The attack strategies employed by this group leverage known vulnerabilities in unpatched Ruckus wireless routers, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717. Campaigns earlier this year also targeted ASUS AiCloud Routers vulnerable to CVE-2025-2492, suggesting an effort to further expand the ORB network’s reach.
LONGLEASH enhances the capabilities of its predecessor, ShortLeash, by providing features such as proxying functions across various protocols, managing network connections, and acting as an intermediary command-and-control (C2) server. These enhancements indicate ongoing development and testing, particularly on MIPS platforms, as evidenced by the use of LEASHTEST.
Future Implications
The continued development of LONGLEASH and associated tools by UAT-7810 underscores the persistent and evolving threat posed by this APT group. As cybersecurity experts keep a close watch on these advancements, organizations are urged to bolster defenses against such sophisticated threats to protect critical infrastructure and sensitive data.
