"UAT-7810 is most likely tasked with establishing Operational Relay Box (ORB) networks that can then be leveraged by associated secondary threat actors to conduct their own malicious attacks against high value targets," researchers Jungsoo An, Asheer Malhotra, Vanja Svajcer, and Brandon White wrote.
Who UAT-7810 is and what an ORB network does
Cisco Talos researchers describe UAT-7810 as a Chinese threat actor focused on building and expanding Operational Relay Box (ORB) networks. The group is credited with maintaining and proliferating LapDogs, an ORB network that first came to light in June 2025. Talos warns that the ORB infrastructure is intended to be reused by other, secondary threat actors to mount attacks against high-value targets.
New and evolving malware: LONGLEASH, DOGLEASH, LEASHTEST, and JARLEASH
Talos reports that UAT-7810 has moved beyond its earlier ShortLeash implant and developed a successor called LONGLEASH. ShortLeash provided a backdoor that could contact an external server, host a web server, and function as both a command-and-control (C2) server and client. LONGLEASH adds broader capabilities.
- LONGLEASH incorporates an executor component that enables proxying across multiple protocols — HTTP, DNS, SOCKS, TCP, ICMP, and UDP — manages network connections to other servers, authorizes clients, and can remove the implant and all traces if tampering is detected.
- LONGLEASH can act as an intermediate C2 server, relaying commands and data from a primary C2 to peer nodes.
- DOGLEASH is a passive backdoor that can execute arbitrary shellcode on compromised Linux devices; Talos observed at least four new servers hosting minor variants of DOGLEASH for deployment.
- LEASHTEST is an ELF binary used to test functionality on MIPS-based embedded devices — creating threads, spawning child processes, and running asynchronous timers — indicating active validation on MIPS platforms.
- Talos also observed a Java-based backdoor tracked as JARLEASH deployed on at least one administration server; JARLEASH was used for file management and for FTP, SFTP, and Netcat operations.
Attack vectors and targeted devices: Ruckus and ASUS routers
Observed UAT-7810 attack chains have exploited known vulnerabilities in internet-facing networking equipment to seed ORB nodes. Talos named specific vulnerabilities in Ruckus wireless routers — CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 — that have been weaponized in past operations. More recent campaigns this year also targeted ASUS AiCloud routers susceptible to CVE-2025-2492, suggesting an effort to broaden the ORB footprint across diverse router families.
Operational footprint and testing posture
Talos documented UAT-7810 using at least four new servers to host variants of DOGLEASH and reported additional infrastructure activity: an administrative Java backdoor (JARLEASH) was deployed on at least one of three servers for management tasks. The presence of LEASHTEST — a utility specifically compiled for MIPS devices — led Talos to conclude that, despite developing LONGLEASH, UAT-7810 continues to validate functionality on MIPS-based hardware and "may not be completely confident of its behavior on MIPS devices."
What this means for technologists, critical infrastructure operators in Taiwan, and procurement leaders
- Technologists and security teams should monitor for lateral proxying behavior and intermediary C2 activity consistent with LONGLEASH — notably multi-protocol proxying (HTTP, DNS, SOCKS, TCP, ICMP, UDP) and implants that self-delete upon tamper detection — and review exposure of internet-facing routers for the named CVEs.
- Critical infrastructure operators in Taiwan should note Talos's link between UAT-5918 and the reuse of ORB infrastructure: UAT-5918 has leveraged the LapDogs infrastructure in attacks against critical infrastructure entities in Taiwan since at least 2023 with the goal of establishing persistent access.
- Procurement and network architecture leaders should prioritize patching and replacement for devices flagged by Talos — including affected Ruckus and ASUS AiCloud routers — where CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, or CVE-2025-2492 apply, and re-evaluate exposure of management interfaces to the public internet.
Talos's findings paint a picture of an actor iterating a modular toolkit while testing behavior across embedded platforms and expanding the ability to conceal and relay malicious traffic. The combination of targeted router exploits, bespoke MIPS testing binaries, and multi-protocol proxying functionality in LONGLEASH raises a concrete operational question left by the record: can defenders detect and disrupt ORB nodes before they are repurposed by secondary actors to strike the high-value targets UAT-7810 appears designed to enable?




