Key Takeaways
- Cisco Talos reports that UAT-7810 is expanding an Operational Relay Box network using LONGLEASH and related tooling
- The campaign relies on compromised routers and IoT devices to hide command paths for China-nexus APT operations
- New malware capabilities reflect a trend highlighted by multiple research groups toward proxy-based espionage infrastructure
Chinese threat actors tracked as UAT-7810 are steadily advancing their malware ecosystem to enlarge an Operational Relay Box (ORB) network built on compromised routers and IoT devices. Cisco Talos published new findings on July 7, 2026, describing how this group is shifting from the previously observed SHORTLEASH backdoor to a more capable LONGLEASH variant, while supplementing their toolkit with DOGLEASH, JARLEASH, and a testing utility named LEASHTEST.
ORB networks, sometimes described as a hybrid of traditional VPN structures and botnets, have been documented extensively by groups like Team Cymru and threat intelligence providers such as Mandiant. This type of infrastructure allows attackers to route their traffic through seemingly benign devices in regional networks, creating confusion about the true origin of activity. If defenders analyze logs and see commands originating from what looks like a home router in Oregon or a small office in Seoul, attribution becomes much harder.
According to Mandiant research, China-nexus APT actors have increasingly turned to these distributed proxy networks since at least 2024, using compromised virtual private servers, IoT equipment, and SOHO routers to obscure their command and control paths. UAT-7810 fits squarely within this pattern. Cisco Talos points to a range of exploited vulnerabilities, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 in Ruckus routers, along with CVE-2025-2492 in ASUS AiCloud devices. These are all known weaknesses rather than zero-days, which underscores how many internet-facing devices remain unpatched for extended periods.
LONGLEASH, the newly identified backdoor, significantly expands on the original SHORTLEASH capabilities documented by SecurityScorecard in 2025. The malware now supports reverse shells, multi-protocol proxying across HTTP, DNS, SOCKS, TCP, ICMP, and UDP, along with SMTP client and server functionality, and TLS and PKI support. It features self-removal capabilities if tampering or suspicious activity is detected, manages tunnels, and can act as an intermediary command and control node by forwarding instructions and data between infected devices. That kind of flexibility is exactly what makes ORB networks difficult to dismantle.
This tooling functions specifically inside a broader espionage ecosystem. These infections help create a mesh that other China-aligned APTs, including UAT-5918, can route through. In a sense, UAT-7810 is building secure relay infrastructure for other threat groups.
DOGLEASH and JARLEASH illustrate how UAT-7810 has adopted a modular approach. DOGLEASH is a lightweight Linux backdoor deployed via web shell scripts that opens a listening TCP port and authenticates incoming requests with a hardcoded password. It supports shell command execution, file access, and in-memory arbitrary code execution. JARLEASH, meanwhile, is a Java administrative utility providing web-based file management along with FTP, SFTP, and Netcat server features. LEASHTEST focuses on validating whether MIPS IoT devices can perform functions related to malware operations, a reminder that attackers routinely test hardware constraints before refining and rolling out new tooling at scale.
Industry analysts have been watching this shift in tactics for several years. The IEEE community has published multiple discussions on the risks associated with unmanaged edge devices, especially as inexpensive routers and IP cameras continue to ship with outdated firmware. These devices are often deployed in environments where IT teams have limited visibility, which creates an ideal entry point for proxy-style operations.
Others frame the issue through the lens of risk management. Gartner has noted in its security operations coverage that distributed command infrastructure often requires organizations to rethink how they monitor east-west traffic in their environments. Traditional perimeter controls rarely catch activity that originates from a compromised home router in the same metro region as the enterprise.
Public sector security assessments echo some of these concerns. The GAO, in its ongoing reviews of federal cybersecurity readiness, has pointed out that agencies sometimes struggle to maintain accurate inventories of connected devices, which can lead to blind spots when edge equipment is misconfigured or unpatched. While GAO reporting focuses on government networks, the lessons map directly to enterprise environments that depend on sprawling remote access infrastructures.
Cisco Talos ties its analysis into this broader industry understanding, highlighting that UAT-7810 relies heavily on known vulnerabilities. Patch timelines and asset inventories shape exposure in very practical ways. Organizations with large fleets of unmanaged or lightly managed routers, cameras, or remote appliances may unknowingly participate in proxy networks that support foreign espionage campaigns.
The reported capabilities align with frameworks like the NIST Cybersecurity Framework and the MITRE ATT&CK matrix. ORB networks fall into a mix of ATT&CK techniques relating to command and control, proxying, and use of compromised infrastructure. For organizations tracking adversary behavior, mapping UAT-7810 activity to familiar security models can help clarify which controls might reduce risk.
Defenders often focus on endpoint detection and response or cloud audit logs because those are visible and widely integrated. Yet the events described by Cisco Talos highlight risks on edge devices that lack centralized logging, explaining the continued expansion of ORB networks. Unpatched routers and IoT devices deployed years ago remain active, undetected liabilities.
Cisco Talos concludes that UAT-7810 is actively replacing or extending its older SHORTLEASH deployments with LONGLEASH while expanding overall coverage through devices compromised via n-day vulnerabilities. The group’s assessment reflects an emerging norm where espionage operators invest not only in intrusion tools but also in durable infrastructure designed to survive takedowns. For enterprises and public sector networks, the trend serves as a stark reminder that visibility at the edge is mandatory for modern security postures.
⬇️