Cisco Talos said it with "high confidence": a China-nexus advanced persistent threat tracked as UAT-7810 has built and is expanding an Operational Relay Box (ORB) network — a long-running infrastructure the firm first exposed in 2025 under the name LapDogs.
UAT-7810 and the LapDogs relay network
Researchers at Cisco Talos report that UAT-7810's activity centers on building what are known as ORB networks: meshes of compromised routers and other edge devices that other attackers can rent to route their traffic and hide their origin. Talos described LapDogs as a long-running ORB network whose role is essentially to provide infrastructure for others. The firm assessed with high confidence that UAT-7810 is a China-nexus group and said separate, China-nexus APTs could use the relay network to mask espionage against high-value targets.
How UAT-7810 expands: exploited Ruckus and ASUS routers
Talos traced the network's growth to opportunistic exploitation of known, unpatched flaws in edge hardware. The researchers said UAT-7810 had targeted flaws in Ruckus wireless routers since 2025 and, earlier in 2026, began exploiting a bug in ASUS routers to fold those devices into the network as well. Talos described the approach as a low-effort tactic that depends on organizations failing to apply available fixes, allowing the group to quietly take over large numbers of devices.
Tools in the field: LONGLEASH, DOGLEASH and JARLEASH
The analysis documents a small but developing toolkit of custom malware that UAT-7810 is using to operate and expand LapDogs. Talos said the group is developing an upgraded backdoor called LONGLEASH, described as an evolution of an earlier tool that adds proxying features and can relay commands to other infected machines. In addition, Talos uncovered two previously unknown backdoors: DOGLEASH, which runs commands on compromised Linux devices, and JARLEASH, a Java-based tool used to manage the group's servers.
A configuration file for JARLEASH contained comments written in Simplified Chinese, which Talos said indicated Chinese-speaking operators. The researchers also found a test program aimed at MIPS-based devices, a detail the firm described as a sign the group is still refining its tools to work across varied hardware in its relay mesh.
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: Talos’s findings underscore that ORB networks can be built from a wide range of edge devices; the group’s use of LONGLEASH proxying and MIPS-targeted tests shows active refinement. Teams responsible for routers and other edge hardware will need to prioritize applying vendor fixes and monitoring for unusual outbound proxying behavior.
- Policymakers and regulators: Talos’s high-confidence assessment that UAT-7810 is China-nexus, and its finding that other China-nexus APTs can rent the relay infrastructure to mask operations, highlights how compromise of commodity devices can be repurposed beyond a single actor’s direct operations.
- Affected enterprises and procurement leaders: The group’s success leveraging unpatched Ruckus and ASUS flaws illustrates a repeated pattern: procurement and asset managers should track device patch status and the presence of unsupported or hard-to-patch hardware that could be absorbed into a relay mesh.
Talos based its account on tracking of the group's malware and servers, and the firm said those servers remain active. Taken together — long-running relay infrastructure, newly evolved proxy-capable backdoors, Simplified Chinese comments in configuration files, and test code for MIPS devices — the record Talos published points to an active, evolving operation that supplies proxying infrastructure other actors can rent and reuse.
Original story: https://www.infosecurity-magazine.com/news/uat-7810-china-apt-orb-proxy/




