China-Linked UAT-7810 Seen Growing ORB Infrastructure With New LONGLEASH Malware

Cisco Talos says a China-aligned threat group tracked as UAT-7810 is continuing to build out an Operational Relay Box (ORB) network by compromising internet-facing networking gear and deploying update...

Cisco Talos says a China-aligned threat group tracked as UAT-7810 is continuing to build out an Operational Relay Box (ORB) network by compromising internet-facing networking gear and deploying updated custom malware. The activity appears aimed at expanding the group’s relay infrastructure, which can be reused by other threat actors for stealthy operations.

Talos previously linked UAT-7810 to the maintenance of LapDogs, an ORB network first identified in 2025. The latest reporting suggests the group has moved beyond earlier tooling and is now using a newer backdoor family called LONGLEASH, along with several additional implants that had not been publicly documented before.

New tools in the campaign

Researchers say UAT-7810 has been observed using at least four related tools:

  • LONGLEASH, a more capable successor to the earlier ShortLeash malware
  • DOGLEASH, a passive backdoor for Linux devices that can run attacker-supplied shellcode
  • LEASHTEST, an ELF sample used to test functions on MIPS-based embedded systems
  • JARLEASH, a Java backdoor used for administration tasks such as file handling and remote command access

According to Talos, LONGLEASH adds proxying and relay functions across several protocols, including HTTP, DNS, SOCKS, TCP, ICMP and UDP. It can also act as a middleman between command-and-control infrastructure and other nodes in the network, helping traffic blend into normal internet activity. The malware is also designed to erase itself if it detects tampering.

Focus on routers and embedded devices

The intrusion chains rely on known vulnerabilities in exposed networking equipment, including flaws in Ruckus wireless routers and, more recently, ASUS AiCloud routers. That pattern suggests the group is trying to widen its relay network by targeting devices that are often poorly monitored and rarely patched.

Talos said the use of LEASHTEST indicates UAT-7810 is still validating behavior on MIPS platforms, even while it develops a fuller backdoor framework. The findings point to an active development cycle and an ORB ecosystem that is still being expanded for use by associated operators.