A Chinese threat actor tracked as UAT-7810 is actively expanding an Operational Relay Box (ORB) network by compromising internet-facing networking devices, primarily unpatched Ruckus routers. Cisco Talos researchers have identified a new malware family central to this campaign: LONGLEASH, an upgraded successor to the previously documented SHORTLEASH backdoor.
What Is an ORB Network?
ORB networks function as relay infrastructure that allows threat actors to route malicious traffic through regional devices, making connections appear to originate from legitimate local systems. This complicates attribution and evades detection. UAT-7810’s ORB network is reported to serve as shared infrastructure for other China-aligned advanced persistent threats, including UAT-5918.
Initial Access and Exploited Vulnerabilities
UAT-7810 relies on known, unpatched vulnerabilities to gain initial footholds. Cisco Talos identified the following CVEs being actively exploited in this campaign:
- CVE-2020-22653 and CVE-2020-22658 in Ruckus routers
- CVE-2023-25717 in Ruckus routers
- CVE-2025-2492 in ASUS AiCloud routers
LONGLEASH: A Substantially Upgraded Backdoor
LONGLEASH builds on SHORTLEASH, which was first documented by SecurityScorecard in 2025 and already supported C2 communications, web server hosting, and network tunnel management. The newer variant adds significant capabilities, including:
- Reverse shell functionality
- HTTP, DNS, SOCKS, TCP, ICMP, and UDP proxying with traffic redirection
- SMTP client and server functionality
- TLS and PKI support
- Self-removal triggered by detected tampering or suspicious activity
- Ability to act as an intermediate C2 server, forwarding commands between infected nodes
Supporting Toolset
Three additional tools were identified alongside LONGLEASH:
- DOGLEASH is a lightweight Linux backdoor deployed via web shell scripts. It opens a listening TCP port, authenticates with a hardcoded password, and supports shell command execution, file operations, OS information retrieval, and in-memory code execution.
- JARLEASH is a Java-based administrative tool offering web-based file management and FTP, SFTP, and Netcat server capabilities.
- LEASHTEST is a utility designed to verify whether a target MIPS IoT device can support malware functions, likely used to refine LONGLEASH’s MIPS compatibility.
Ongoing Threat
Cisco Talos assesses that UAT-7810 is actively replacing or augmenting SHORTLEASH with the more capable LONGLEASH while continuing to broaden its toolkit. Organizations running Ruckus or ASUS AiCloud devices should prioritize patching the identified vulnerabilities. A full list of indicators of compromise is available in the Cisco Talos report.
