HackMyIP
← Back to News
2026-07-08 The Hacker News

UAT-7810 APT Expands ORB Network with New LONGLEASH Malware

APTMalwareThreat Intel

Cisco Talos researchers have uncovered that a China-linked advanced persistent threat actor tracked as UAT-7810 is actively evolving its toolkit to grow its Operational Relay Box (ORB) network by compromising internet-facing networking devices. UAT-7810 is responsible for maintaining LapDogs, an ORB network first disclosed in June 2025 that uses hijacked SOHO routers and IoT hardware as covert relay infrastructure. Once established, these ORB networks are handed off to associated threat actors, including UAT-5918, a China-nexus group that has targeted critical infrastructure entities in Taiwan since at least 2023 to maintain persistent footholds inside victim environments.

The latest campaign reveals continued development of UAT-7810's custom malware family. A successor to the ShortLeash backdoor, codenamed LONGLEASH, introduces an executor component capable of proxying traffic over HTTP, DNS, SOCKS, TCP, ICMP, and UDP, while also functioning as an intermediate C2 relay. Operators deployed LONGLEASH alongside two previously undocumented tools: DOGLEASH, a passive Linux backdoor for executing arbitrary shellcode, and LEASHTEST, an ELF binary used to validate thread creation, child processes, and async timers on MIPS-based embedded devices. At least four servers hosted minor DOGLEASH variants, with a Java-based JARLEASH backdoor used for file management, FTP, SFTP, and Netcat administration. Defenders investigating suspicious network traffic can use a port scanner to check for unauthorized listeners and a DNS leak test to detect exfiltration channels similar to LONGLEASH's DNS tunneling capability.

Initial access relies on weaponizing known vulnerabilities in unpatched edge devices, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 in Ruckus wireless routers, as well as CVE-2025-2492 in ASUS AiCloud routers, suggesting UAT-7810 is actively broadening the range of hardware it can compromise. The use of LEASHTEST on MIPS architectures points to a deliberate effort to expand reach into embedded networking gear. Security teams tracking the four C2 servers linked to this activity can run a WHOIS lookup to map associated infrastructure and pivot to related assets. Talos attributes the ongoing development cycle to a well-resourced team likely tasked with sustaining ORB capacity for downstream state-aligned operations.

Source: The Hacker News →

Related Tools

Check whether this kind of story affects you — free, no signup:

Port Scanner →Security Headers Check →Privacy Checkup →

Related Guides

Learn the background behind this story:

Open ports explained →What is port forwarding? →