UAT-7810 continues building ORB networks using new malware

Cisco Talos is tracking an advanced persistent threat (APT) actor known as UAT-7810, which is actively developing and deploying new malware to expand its "Operational Relay Box" (ORB) networks. These networks are believed to be used by secondary threat actors to conduct attacks against high-value targets. UAT-7810 was previously identified as the entity responsible for the LapDogs ORB network.
The latest intelligence indicates that UAT-7810 continues to evolve its custom malware. A newer version of their previously known "SHORTLEASH" backdoor, now tracked as "LONGLEASH," has been observed. In addition to this, Talos has identified two new malware families in UAT-7810's toolkit: a C-based backdoor named "DOGLEASH" and a Java-based backdoor referred to as "JARLEASH."
Talos assesses with high confidence that UAT-7810 is a China-nexus threat actor. This assessment is based on the infrastructure UAT-7810 provides to other China-nexus APT groups, such as UAT-5918. While there are overlaps in tooling between UAT-5918 and UAT-7810, Talos currently considers them separate APT actors with distinct objectives.
UAT-7810 has demonstrated a consistent pattern of exploiting known, unpatched vulnerabilities in Ruckus wireless routers. Exploited vulnerabilities include CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717. In one instance, UAT-7810 also appeared to target ASUS AiCloud Routers in early 2026 by exploiting CVE-2025-2492, suggesting an effort to broaden their ORB network's reach.
Talos has identified four new servers used by UAT-7810 to host malicious payloads for various hardware architectures, including MIPS, ARM, and x64. The primary malware hosted on these servers is DOGLEASH, with accompanying shell scripts used to download and execute it on compromised systems. Three of these servers, with IP addresses 194.233.92[.]26, 217.15.160[.]247, and 217.15.164[.]147, were used as download locations. The IP address 217.15.164[.]147 was also implicated in the exploitation of ASUS AiCloud Routers. A fourth IP address, 95.182.100[.]231, located in Hong Kong, was also used to host malicious payloads.
LONGLEASH, the new version of SHORTLEASH, builds upon the original backdoor's capabilities, which included contacting command and control (C2) servers, hosting a web server, managing tunnels, and functioning as both a C2 server and client. LONGLEASH introduces additional features, indicating ongoing development. It is built on the same codebase as SHORTLEASH, internally referred to as "ff-agent." The MIPS-compiled version of LONGLEASH utilizes the asynchronous Boost.Asio library for improved network performance. Its major components include a "Base" for logging and utilities, an "Executor" for proxying functions, reverse shells, and network connection management, and a "Core" for authorization and task management. The implant uses a User-Agent string that mimics Google Chrome to potentially blend in with legitimate traffic. LONGLEASH also incorporates code from open-source libraries like Nanopb and MbedTLS and uses a musl libc instead of a standard libc library. Importantly, LONGLEASH can act as an intermediate C2 server, relaying commands and data.
DOGLEASH is a newly discovered backdoor that UAT-7810 deploys after compromising a device. It involves a shell script that downloads DOGLEASH, configures iptables rules to allow traffic on a specific port, and then executes the backdoor. DOGLEASH listens for incoming TCP requests on a hardcoded local port, decodes received data using a password, and executes specific actions based on command codes. These actions include executing shell commands, reading files, renaming files, closing socket listeners, and retrieving OS information.
JARLEASH is a Java-based backdoor deployed by UAT-7810 on its own infrastructure and on compromised systems with Java installed. It facilitates system access and includes capabilities for hosting a web-based file management interface, FTP and SFTP servers, and running a Netcat server. The configuration file for JARLEASH contains comments in Simplified Chinese, suggesting Chinese-speaking operators.
Talos also identified "LEASHTEST," a testing binary developed by UAT-7810. While not malicious in itself, its presence on a device suggests a potential compromise. LEASHTEST is used to test basic functionality on MIPS-based embedded devices.





