Chinese APT 'UAT-7810' Expands ORB Network with Evolving Malware Targeting Unpatched Routers
A Chinese state-sponsored hacking group, tracked as **UAT-7810**, is actively enhancing its malware arsenal to broaden its Operational Relay Box (ORB) network. This sophisticated infrastructure, primarily built by compromising unpatched **Ruckus** and **ASUS** routers, provides a covert relay system for other China-aligned Advanced Persistent Threats (APTs) to evade detection and complicate attribution.
Cybersecurity researchers at **Cisco Talos** have issued a warning regarding the evolving tactics of **UAT-7810**. This threat actor group is known for its focus on expanding its ORB network, a critical component for obfuscating the true origin of cyberattacks.
### The Operational Relay Box (ORB) Network
The ORB network acts as a secure proxy infrastructure, allowing threat actors to route their network traffic through compromised regional devices. This technique, previously documented by **Google Mandiant**, makes it appear as though malicious activity originates from legitimate local infrastructure, significantly hindering detection and attribution efforts.
### Evolving Malware Toolkit
**Cisco Talos** analysts have identified several new malware strains in **UAT-7810**'s campaign, indicating a significant evolution in their operational capabilities. These include:
* **LONGLEASH**: An upgraded version of the previously documented **SHORTLEASH** backdoor.
* **DOGLEASH**: A lightweight Linux backdoor.
* **JARLEASH**: A Java-based administrative tool.
* **LEASHTEST**: A utility for testing malware functionality on MIPS IoT devices.
### Exploiting N-Day Vulnerabilities
**UAT-7810** primarily gains initial access by exploiting known, or n-day, vulnerabilities in internet-facing networking devices. Key vulnerabilities being actively exploited include:
* **CVE-2020-22653**
* **CVE-2020-22658**
* **CVE-2023-25717** (in **Ruckus** routers)
* **CVE-2025-2492** (in **ASUS AiCloud** routers)
### Deep Dive into LONGLEASH
**LONGLEASH** represents a significant upgrade from its predecessor, **SHORTLEASH**, which was first analyzed by **SecurityScorecard** in 2025. While **SHORTLEASH** supported C2 communications, web server hosting, and network tunnel management, **LONGLEASH** expands these capabilities to include:
* Reverse shell functionality.
* HTTP, DNS, SOCKS, TCP, ICMP, and UDP proxying with traffic redirection.
* SMTP client/server functionality.
* TLS and PKI support.
* Self-removal mechanisms to evade detection upon tampering.
* Ability to act as an intermediate C2 server, forwarding commands and data between infected nodes.
### Other Noteworthy Malware
* **DOGLEASH**: This Linux backdoor is deployed via web shell scripts. It establishes a listening TCP port, authenticates requests with a hardcoded password, and supports shell command execution, file management, OS information retrieval, and in-memory arbitrary code execution.
* **JARLEASH**: A Java-based administrative tool offering web-based file management, along with FTP, SFTP, and Netcat server functionalities.
* **LEASHTEST**: Developed to verify the operational capabilities of MIPS IoT devices for malware functions, likely to refine **LONGLEASH**'s MIPS support.
**Cisco Talos** concludes that **UAT-7810**'s persistent efforts to expand its ORB infrastructure, coupled with the continuous development of its malware toolkit, pose a significant threat. Organizations are urged to patch their internet-facing networking devices promptly and consult **Cisco Talos**'s report for a comprehensive list of Indicators of Compromise (IoCs).