Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

UAT-7810: A Sophisticated Chinese Threat Actor Expands Its Operational Relay Box (ORB) Network With New LONGLEASH Malware


UAT-7810, a sophisticated China-linked threat actor, has expanded its Operational Relay Box (ORB) network with new LONGLEASH malware, posing significant concerns for critical infrastructure sectors. This article delves into the details of UAT-7810's tactics, techniques, and procedures (TTPs), highlighting the importance of continuous monitoring and proactive defense strategies in the face of evolving cyber threats.

  • UAT-7810, a China-linked threat actor, has refined its bespoke malware to expand its Operational Relay Box (ORB) network.
  • The actor's modus operandi involves breaking into internet-facing networking devices and using them as part of its ORB network.
  • UAT-7810 has developed custom malware dubbed ShortLeash, with a newer version codenamed LONGLEASH.
  • The threat actor uses previously unreported tools like DOGLEASH and LEASHTEST to deploy against compromised targets.
  • Attack chains target known vulnerabilities in unpatched Ruckus wireless routers and ASUS AiCloud Routers.
  • The expansion of the ORB network poses significant concerns for critical infrastructure sectors, which must implement robust security measures.



  • The cybersecurity landscape has been abuzz with the recent revelation of a China-linked threat actor, identified as UAT-7810, that is actively refining its bespoke malware to expand its Operational Relay Box (ORB) network. This advanced persistent threat (APT) actor has been found to be responsible for maintaining and proliferating LapDogs, an ORB network that first came to light in June 2025.

    According to findings from Cisco Talos, UAT-7810 is most likely tasked with establishing Operational Relay Box (ORB) networks that can then be leveraged by associated secondary threat actors to conduct their own malicious attacks against high-value targets. The actor's modus operandi involves breaking into internet-facing networking devices and using them as part of its ORB network.

    One such China-nexus threat actor that has leveraged the infrastructure in its own attacks is UAT-5918, which has been linked to cyberattacks targeting critical infrastructure entities in Taiwan since at least 2023 with an aim to establish persistent access within victim environments. The latest findings indicate that UAT-7810 has continued to develop its custom malware dubbed ShortLeash with a newer version that's codenamed LONGLEASH.

    Furthermore, the threat actor is also utilizing two other previously unreported tools - DOGLEASH, a passive backdoor that can execute arbitrary shellcode on a compromised Linux device, and LEASHTEST, an ELF binary that's used for testing certain functionality, like creating a thread, a child process, or an async timer, on MIPS-based embedded devices. UAT-7810 has also been found to use at least four new servers to host minor variations of DOGLEASH to deploy against compromised targets.

    The attack chains mounted by the hacking crew are known to weaponize known vulnerabilities in unpatched Ruckus wireless routers, such as CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717. Campaigns observed earlier this year have also singled out ASUS AiCloud Routers susceptible to CVE-2025-2492, indicating potential attempts to broaden the ORB network.

    ShortLeash incorporates a backdoor capable of contacting an external server, hosting a web server, and acting as both a command-and-control (C2) server and client. Its successor, LONGLEASH, packs in additional functionality, pointing to an active development cycle. Some of the newer features include an executor component that enables proxying functions using HTTP, DNS, SOCKS, TCP, ICMP, and UDP protocols, manages network connections to other servers, authorizes clients, and removes the implant and all traces from the server if any tampering attempts are detected.

    Act as an intermediate C2 server to relay commands and data from the primary C2 and forward it to its peers. The development and use of LEASHTEST signifies that even though they have developed LONGLEASH, a full-fledged backdoor framework, UAT-7810 is still actively testing functionality on MIPS platforms and may not be completely confident of its behavior on MIPS devices.

    The threat actor has also been linked to cyber attacks targeting critical infrastructure entities in Taiwan since at least 2023. One such China-nexus threat actor that has leveraged the infrastructure in its own attacks is UAT-5918, which has been linked to these attacks as well. The latest findings indicate that UAT-7810 has continued to develop its custom malware dubbed ShortLeash with a newer version that's codenamed LONGLEASH.

    The expansion of the ORB network by UAT-7810 poses significant concerns for organizations operating in critical infrastructure sectors, as it can be leveraged by associated secondary threat actors to conduct their own malicious attacks against high-value targets. It is imperative for these organizations to implement robust security measures and stay vigilant about potential vulnerabilities.

    In conclusion, the recent revelations surrounding UAT-7810 highlight the importance of continuous monitoring and proactive defense strategies in the face of evolving cyber threats. As the threat landscape continues to evolve, it is crucial for organizations to remain informed and take all necessary precautions to protect their networks and systems from such malicious actors.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/UAT-7810-A-Sophisticated-Chinese-Threat-Actor-Expands-Its-Operational-Relay-Box-ORB-Network-With-New-LONGLEASH-Malware-ehn.shtml

  • https://thehackernews.com/2026/07/china-linked-uat-7810-expands-orb.html


  • Published: Wed Jul 8 05:53:42 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us