Chinese APT UAT-7810 Expands Router Hacking Efforts with New Malware 'LONGLEASH'
A sophisticated Chinese state-sponsored threat actor, **UAT-7810**, is actively enhancing its custom malware toolkit to broaden its Operational Relay Box (ORB) network. By exploiting vulnerabilities in internet-facing networking devices, the group aims to establish persistent access for subsequent malicious campaigns, as detailed in recent findings from **Cisco Talos**.
A Chinese threat actor tracked as **UAT-7810** is actively refining its bespoke malware to expand its Operational Relay Box (ORB) network by breaking into internet-facing networking devices.
According to findings from **Cisco Talos**, **UAT-7810** is an advanced persistent threat (APT) actor responsible for maintaining and proliferating **LapDogs**, an ORB network that first came to light in June 2025.
"**UAT-7810** is most likely tasked with establishing Operational Relay Box (ORB) networks that can then be leveraged by associated secondary threat actors to conduct their own malicious attacks against high value targets," researchers Jungsoo An, Asheer Malhotra, Vanja Svajcer, and Brandon White said.
One such China-nexus threat actor that has leveraged the infrastructure in its own attacks is **UAT-5918**, which has been linked to cyber attacks targeting critical infrastructure entities in Taiwan since at least 2023 with an aim to establish persistent access within victim environments.
## Evolving Malware Arsenal
The latest findings indicate that **UAT-7810** has continued to develop their custom malware dubbed **ShortLeash** with a newer version that's codenamed **LONGLEASH**. Also put to use by the threat actor are two other previously unreported tools:
* **DOGLEASH**, a passive backdoor that can execute arbitrary shellcode on a compromised Linux device
* **LEASHTEST**, an ELF binary that's used for testing certain functionality, like creating a thread, a child process, or an async timer, on MIPS-based embedded devices
"**UAT-7810** used at least four new servers to host a variety of minor variations of **DOGLEASH** to deploy against compromised targets," the researchers added. "An additional Java-based (JAR package) backdoor that we track as 'JARLEASH' was also deployed by **UAT-7810** on at least one of the three servers for administration purposes, including file management, FTP, SFTP, and Netcat."
## Targeting Unpatched Routers
Attack chains mounted by the hacking crew are known to weaponize known vulnerabilities in unpatched **Ruckus** wireless routers, such as **CVE-2020-22653**, **CVE-2020-22658**, and **CVE-2023-25717**. Campaigns observed earlier this year have also singled out **ASUS AiCloud** Routers susceptible to **CVE-2025-2492**, indicating potential attempts to broaden the ORB network.

**ShortLeash** incorporates a backdoor capable of contacting an external server, hosting a web server, and acting as both a command-and-control (C2) server and client. Its successor, **LONGLEASH**, packs in additional functionality, pointing to an active development cycle. Some of the newer features are listed below:
* An executor component that enables proxying functions using HTTP, DNS, SOCKS, TCP, ICMP, and UDP protocols, manages network connections to other servers, authorizes clients, and removes the implant and all traces from the server if any tampering attempts are detected
* Act as an intermediate C2 server to relay commands and data from the primary C2 and forward it to its peers
"The development and use of **LEASHTEST** signifies that even though they have developed **LONGLEASH**, a full-fledged backdoor framework, **UAT-7810** is still actively testing functionality on MIPS platforms and may not be completely confident of its behavior on MIPS devices," **Talos** said.