Chinese-linked UAT-7810 expands ORB network with new LONGLEASH malware

Cisco Talos says a China-linked threat group identified as UAT-7810 is continuing to grow its Operational Relay Box (ORB) infrastructure by compromising internet-facing networking gear, with unpatched...

Cisco Talos says a China-linked threat group identified as UAT-7810 is continuing to grow its Operational Relay Box (ORB) infrastructure by compromising internet-facing networking gear, with unpatched Ruckus routers appearing to be a frequent target. The group uses this relay network to route malicious traffic through geographically distributed devices, helping obscure the real source of its operations and making attribution more difficult.

According to the researchers, the campaign relies on known vulnerabilities to gain access, including flaws affecting Ruckus and ASUS routers. Once inside, the operators deploy a set of custom tools designed to maintain access, manage traffic, and support broader infrastructure used by other China-aligned advanced persistent threat groups.

LONGLEASH replaces and extends earlier tooling

The most notable development is LONGLEASH, a newly identified malware strain that appears to build on SHORTLEASH, a backdoor previously documented in related activity. Talos says the new version adds substantial functionality beyond the earlier toolset.

In addition to command-and-control communication and web server hosting, LONGLEASH can open reverse shells, proxy traffic across multiple protocols, and act as both a server and a client in the control chain. It also includes support for SMTP operations, TLS and PKI features, and self-deletion logic intended to remove itself if tampering is detected.

Other tools in the campaign

  • DOGLEASH is a lightweight Linux backdoor delivered through web shell scripts. It listens on a TCP port, checks incoming requests against a built-in password, and can execute commands, access files, gather system details, and run code directly in memory.
  • JARLEASH is a Java-based administration utility that offers web file management and can function as an FTP, SFTP, or Netcat server.
  • LEASHTEST appears to be a validation tool used to check whether MIPS-based IoT devices can support functions needed by the malware, suggesting continued development of LONGLEASH for that environment.

Cisco Talos says the findings show UAT-7810 is not only maintaining its ORB network but also replacing older components with more capable malware. The activity underscores how compromised edge devices continue to be attractive building blocks for covert infrastructure used in espionage and other advanced operations.