VYPR
researchPublished Jul 7, 2026· 1 source

China-Nexus APT UAT-7810 Expands ORB Network with New Malware and Exploits

Cisco Talos reports on APT actor UAT-7810, which continues to develop and deploy custom malware, including new backdoors LONGLEASH, DOGLEASH, and JARLEASH, exploiting n-day vulnerabilities to build Operational Relay Box (ORB) networks.

Cisco Talos is tracking the activities of UAT-7810, an advanced persistent threat (APT) actor known for establishing and maintaining the LapDogs Operational Relay Box (ORB) network. First disclosed in 2025, this network is believed to be leveraged by secondary threat actors for conducting malicious attacks against high-value targets. Talos's latest analysis reveals that UAT-7810 is actively developing its custom malware, with a new version of its SHORTLEASH backdoor, now tracked as LONGLEASH, already deployed on attacker-controlled infrastructure. Furthermore, the actor has expanded its arsenal with two new malware families: DOGLEASH, a C-based backdoor for Linux, and JARLEASH, a Java-based backdoor.

Talos assesses with high confidence that UAT-7810 is a China-nexus threat actor, evidenced by the infrastructure it provides to other China-nexus APTs such as UAT-5918. While open-source reporting indicates overlapping tooling between these two groups, Talos considers them separate entities with distinct objectives. The continuous development of malware like LONGLEASH, which builds upon the capabilities of SHORTLEASH, demonstrates UAT-7810's commitment to evolving its toolkit for persistent access and control.

Among the newly discovered tools is DOGLEASH, a backdoor capable of executing arbitrary shellcode on compromised Linux devices. Another utility, LEASHTEST, is a Linux binary designed for testing basic functionality on MIPS-based embedded devices. UAT-7810 has also been observed using multiple new servers to host variations of DOGLEASH, deploying them against compromised targets. The actor has also deployed JARLEASH, a Java-based backdoor, for administrative tasks including file management, FTP, SFTP, and Netcat operations.

A significant aspect of UAT-7810's operations involves exploiting known, unpatched vulnerabilities, particularly in Ruckus wireless routers. This tactic has been employed since 2025, with recent exploitation attempts targeting CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717. The actor has also been observed exploiting CVE-2025-2492 in ASUS AiCloud Routers, indicating an effort to broaden the reach of their ORB network to different hardware platforms.

Talos identified four new servers used by UAT-7810 to host malicious payloads for various hardware architectures, including MIPS, ARM, and x64. These servers primarily hosted DOGLEASH, with accompanying shell scripts facilitating its execution on compromised systems. The IP addresses associated with these servers include 194.233.92[.]26, 217.15.160[.]247, and 217.15.164[.]147. Notably, one of these IPs was also used for exploiting ASUS AiCloud Routers, suggesting a potential expansion of the ORB network.

The LONGLEASH backdoor, an evolution of SHORTLEASH, offers enhanced capabilities. Both tools share the internal name "ff-agent." The MIPS-compiled variant of LONGLEASH utilizes the asynchronous Boost.Asio library for improved network performance. Its internal project name is "nz1.0," and it comprises several key components: Base (logging, encoding/decoding utilities), Executor (proxying functions, reverse shells, various proxy server types, packet redirection, SMTP server/client, network connection management, client authorization, and implant removal), and Core (authorization, node identification, HTTP encoding, and protobuf processing).

The expanded capabilities of LONGLEASH, coupled with the introduction of DOGLEASH and JARLEASH, highlight UAT-7810's ongoing efforts to refine its toolkit for sophisticated cyber operations. By exploiting n-day vulnerabilities in widely used network devices, the actor continues to build and expand its ORB infrastructure, posing a persistent threat to organizations globally.

Synthesized by Vypr AI