A sophisticated Chinese threat actor, identified as UAT-7810, is actively enhancing its custom malware toolkit to expand its Operational Relay Box (ORB) network by compromising internet-facing networking devices. This ongoing operation, detailed by Cisco Talos, reveals a sustained effort by UAT-7810 to build and maintain the LapDogs ORB network, first identified in June 2025.
Researchers from Cisco Talos, including Jungsoo An, Asheer Malhotra, Vanja Svajcer, and Brandon White, suggest that UAT-7810’s primary objective is the creation of these ORB networks. These networks then serve as a crucial infrastructure for secondary threat actors, enabling them to conduct malicious cyberattacks against high-value targets. Notably, another China-nexus threat actor, UAT-5918, has previously utilized this infrastructure in its own campaigns, which have targeted critical infrastructure entities in Taiwan since at least 2023, aiming to establish persistent access.
UAT-7810’s Evolving Malware Arsenal
The latest intelligence indicates that UAT-7810 continues to refine its custom malware, with a newer version of its ShortLeash backdoor now codenamed LONGLEASH. In addition to LONGLEASH, the threat actor is employing two previously undocumented tools. These are DOGLEASH, a passive backdoor designed to execute arbitrary shellcode on compromised Linux devices, and LEASHTEST, an ELF binary used to test specific functionalities on MIPS-based embedded devices, such as the creation of threads, child processes, or asynchronous timers.
Cisco Talos researchers observed UAT-7810 deploying various minor variations of DOGLEASH across at least four new servers, targeting compromised devices. Furthermore, a Java-based backdoor, tracked as JARLEASH, was also deployed by UAT-7810 on at least one of these three servers. This JARLEASH backdoor appears to be used for administrative purposes, including file management, FTP, SFTP, and Netcat capabilities.
Exploiting Network Device Vulnerabilities
The attack methodologies employed by UAT-7810 frequently involve weaponizing known vulnerabilities within unpatched Ruckus wireless routers. Specific examples cited include CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717. Recent campaigns have also targeted ASUS AiCloud Routers that are susceptible to CVE-2025-2492, suggesting a strategic effort to broaden the reach and exploitability of their ORB network.
The ShortLeash backdoor, a foundational component of UAT-7810’s toolkit, can establish contact with external servers, host its own web server, and function as both a command-and-control (C2) server and client. Its successor, LONGLEASH, demonstrates ongoing development with enhanced functionalities. Key improvements in LONGLEASH include an executor component that facilitates proxying functions across various protocols such as HTTP, DNS, SOCKS, TCP, ICMP, and UDP. This component also manages network connections to other servers, authorizes clients, and is capable of removing the implant and all traces from a server if tampering is detected. It can also act as an intermediate C2 server, relaying commands and data between the primary C2 and its peers.
Implications and Future Outlook
The continued development and deployment of LEASHTEST, even with the existence of the more advanced LONGLEASH framework, suggests that UAT-7810 is actively testing and validating its malware’s behavior on MIPS platforms. This may indicate a degree of uncertainty regarding the stability or predictability of LONGLEASH’s operations on these specific embedded devices. The ongoing evolution of UAT-7810’s malware and their persistent efforts to expand their ORB network highlight a significant and evolving threat to internet-facing devices and critical infrastructure. Organizations should prioritize patching known vulnerabilities in their networking equipment and bolstering their network security monitoring to detect and mitigate potential compromise.

