LIVE · cybersecurity feed
threat actor

UAT-7810 continues building ORB networks using new malware

zeroday.news·1d ago

Cisco Talos is tracking an advanced persistent threat (APT) actor known as UAT-7810, which is actively developing and deploying new malware to expand its "Operational Relay Box" (ORB) networks. These networks are believed to be used by secondary threat actors to conduct attacks against high-value targets. UAT-7810 was previously identified as the entity responsible for the LapDogs ORB network.

The latest intelligence indicates that UAT-7810 continues to evolve its custom malware. A newer version of their previously known "SHORTLEASH" backdoor, now tracked as "LONGLEASH," has been observed. In addition to this, Talos has identified two new malware families in UAT-7810's toolkit: a C-based backdoor named "DOGLEASH" and a Java-based backdoor referred to as "JARLEASH."

Talos assesses with high confidence that UAT-7810 is a China-nexus threat actor. This assessment is based on the infrastructure UAT-7810 provides to other China-nexus APT groups, such as UAT-5918. While there are overlaps in tooling between UAT-5918 and UAT-7810, Talos currently considers them separate APT actors with distinct objectives.

UAT-7810 has demonstrated a consistent pattern of exploiting known, unpatched vulnerabilities in Ruckus wireless routers. Exploited vulnerabilities include CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717. In one instance, UAT-7810 also appeared to target ASUS AiCloud Routers in early 2026 by exploiting CVE-2025-2492, suggesting an effort to broaden their ORB network's reach.

Talos has identified four new servers used by UAT-7810 to host malicious payloads for various hardware architectures, including MIPS, ARM, and x64. The primary malware hosted on these servers is DOGLEASH, with accompanying shell scripts used to download and execute it on compromised systems. Three of these servers, with IP addresses 194.233.92[.]26, 217.15.160[.]247, and 217.15.164[.]147, were used as download locations. The IP address 217.15.164[.]147 was also implicated in the exploitation of ASUS AiCloud Routers. A fourth IP address, 95.182.100[.]231, located in Hong Kong, was also used to host malicious payloads.

LONGLEASH, the new version of SHORTLEASH, builds upon the original backdoor's capabilities, which included contacting command and control (C2) servers, hosting a web server, managing tunnels, and functioning as both a C2 server and client. LONGLEASH introduces additional features, indicating ongoing development. It is built on the same codebase as SHORTLEASH, internally referred to as "ff-agent." The MIPS-compiled version of LONGLEASH utilizes the asynchronous Boost.Asio library for improved network performance. Its major components include a "Base" for logging and utilities, an "Executor" for proxying functions, reverse shells, and network connection management, and a "Core" for authorization and task management. The implant uses a User-Agent string that mimics Google Chrome to potentially blend in with legitimate traffic. LONGLEASH also incorporates code from open-source libraries like Nanopb and MbedTLS and uses a musl libc instead of a standard libc library. Importantly, LONGLEASH can act as an intermediate C2 server, relaying commands and data.

DOGLEASH is a newly discovered backdoor that UAT-7810 deploys after compromising a device. It involves a shell script that downloads DOGLEASH, configures iptables rules to allow traffic on a specific port, and then executes the backdoor. DOGLEASH listens for incoming TCP requests on a hardcoded local port, decodes received data using a password, and executes specific actions based on command codes. These actions include executing shell commands, reading files, renaming files, closing socket listeners, and retrieving OS information.

JARLEASH is a Java-based backdoor deployed by UAT-7810 on its own infrastructure and on compromised systems with Java installed. It facilitates system access and includes capabilities for hosting a web-based file management interface, FTP and SFTP servers, and running a Netcat server. The configuration file for JARLEASH contains comments in Simplified Chinese, suggesting Chinese-speaking operators.

Talos also identified "LEASHTEST," a testing binary developed by UAT-7810. While not malicious in itself, its presence on a device suggests a potential compromise. LEASHTEST is used to test basic functionality on MIPS-based embedded devices.

threat actormalwarecybercrimenetwork infrastructurecustom malware
← Back to latest

More News

view all →
zeroday.news · 3h ago·high

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

A China-linked advanced persistent threat (APT) group, identified as LapDogs, has reportedly enhanced its malicious toolkit. Security researchers have observed the deployment of three new backdoors: LongLeash, DogLeash, and JarLeash, which are designed to compromise small office/home office (SOHO) routers.

zeroday.news · 3h ago·high

RedWing Android Spyware Sold as a Service on Telegram

A new Android spyware called RedWing is being offered as a service on Telegram, allowing less sophisticated attackers to compromise phones and steal banking information. Researchers have identified it as a polished malware-as-a-service operation with extensive documentation and a subscription model, potentially linked to Russian threat actors. RedWing employs fake login overlays, SMS interception, call forwarding, and even screen control to harvest credentials and conduct further malicious activities.

zeroday.news · 3h ago·high

Operationalizing Day Minus Seven: The Cloud-Native ROC

The article introduces the concept of a Risk Operations Center (ROC) as a necessary evolution for cybersecurity teams facing AI-driven threats. It argues that traditional risk management models are insufficient due to the speed at which AI can discover and exploit vulnerabilities, especially in cloud environments. A ROC, powered by platforms like Qualys Enterprise TruRisk Management (ETM), aims to unify disparate security findings, hyper-prioritize risks based on exploitability and business impact, and enable autonomous remediation to keep pace with attackers.

zeroday.news · 4h ago·critical

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

Ubiquiti has released security updates to address several critical vulnerabilities affecting its UniFi product line, including UniFi Connect, Talk, Access, Protect, and OS. These flaws could allow attackers to escalate privileges or execute arbitrary commands on affected devices. While no active exploitation has been reported for these specific vulnerabilities, the company has previously seen its UniFi OS and Edge OS products targeted by threat actors.

zeroday.news · 4h ago·high

Armored Likho Hits Government, Energy Sectors With BusySnake Stealer

Cybersecurity researchers have identified a new threat actor, dubbed Armored Likho, targeting government and energy sectors in Russia, Kazakhstan, and Brazil with a sophisticated phishing campaign. The operation utilizes a custom-built Python infostealer named BusySnake, designed to steal credentials, sensitive documents, and other high-value data. The attackers employ AI-generated payloads to obscure their activities and maintain persistence through various methods, including reverse SSH tunneling.

zeroday.news · 4h ago·critical

Attackers using Langflow flaw for credential harvesting (CVE-2026-55255)

CISA has issued a warning regarding a critical vulnerability (CVE-2026-55255) in the Langflow AI framework, which is being actively exploited by attackers. The flaw allows authenticated users to execute arbitrary flows belonging to other users, potentially leading to the theft of sensitive credentials and data exposure, especially in multi-tenant environments. US federal agencies have been mandated to patch this vulnerability by July 10th.