Chinese hackers tracked as "UAT-7810" are actively evolving their malware to expand their Operational Relay Box (ORB) network by compromising internet-facing networking devices, primarily unpatched Ruckus routers.
LONGLEASH: a significant upgrade to SHORTLEASH
Cisco Talos researchers report that the campaign now includes LONGLEASH, a substantially upgraded successor to SHORTLEASH first documented by SecurityScorecard in 2025. Talos says LONGLEASH retains the previous tool's ability to support command-and-control (C2) communications, web server hosting, network tunnel management, and functioning as both a C2 server and a client, and adds multiple new capabilities.
- Reverse shell access;
- Proxying over HTTP, DNS, SOCKS, TCP, ICMP, and UDP with traffic redirection;
- SMTP client and server functionality;
- TLS and PKI support;
- Self-removal when tampering or suspicious activity is detected;
- Ability to act as an intermediate C2 server, forwarding commands and data between infected nodes.
Talos concludes that UAT-7810 is actively replacing or extending SHORTLEASH with the more capable LONGLEASH while broadening its toolkit with new malware.
ORB relay infrastructure and its role for China-aligned APTs
According to Cisco Talos, the ORB network functions as a secure relay infrastructure used by multiple China-aligned advanced persistent threats, including UAT-5918. Talos and earlier reporting from Google Mandiant describe this infrastructure as a way for threat actors to proxy network traffic through regional devices so it appears to originate from legitimate local infrastructure — a tactic designed to evade detection and complicate attribution.
DOGLEASH, JARLEASH, and LEASHTEST: the expanding toolkit
Talos identified additional tools in UAT-7810's arsenal. DOGLEASH is a lightweight Linux backdoor deployed via web shell scripts; when launched it opens a listening TCP port, authenticates incoming requests using a hardcoded password, and supports shell command execution, file access and modification, OS information retrieval, and arbitrary code execution directly in host memory.
JARLEASH is described as a Java-based administrative tool providing web-based file management and including FTP, SFTP, and Netcat server functionality. LEASHTEST is a testing utility intended to verify whether an MIPS IoT device can perform functions related to malware operations, likely to assist in refining LONGLEASH’s MIPS support.
Vulnerabilities exploited: Ruckus and ASUS CVEs used for initial access
Talos reports that UAT-7810 primarily gains initial access by exploiting known (n-day) vulnerabilities in internet-facing networking devices. The researchers explicitly identify CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 in Ruckus routers, and CVE-2025-2492 in ASUS AiCloud routers, as vulnerabilities used in the campaign. Talos emphasizes that unpatched Ruckus routers have been a primary target in this effort to expand ORB reach.
What this means for technologists, procurement leaders, and other China-aligned APTs
- Technologists and security teams: Talos points security teams to a complete list of indicators of compromise (IoCs) and the latest toolset available at the bottom of its report; those teams will be focused on hunting for LONGLEASH, DOGLEASH, JARLEASH, and LEASHTEST artifacts and on correlating activity with the Ruckus and ASUS CVEs named by Talos.
- Procurement leaders and affected enterprises: The campaign highlights that internet-facing networking devices—specifically Ruckus routers and ASUS AiCloud devices cited by Talos—are primary attack surfaces in UAT-7810 operations, with n-day vulnerabilities used for initial access; procurement and asset-inventory owners will be watching device patch status and firmware management tied to those CVEs.
- Other China-aligned APTs: Talos reports the ORB network is used by multiple China-aligned APTs, including UAT-5918; the expanded LONGLEASH capability to proxy and forward traffic increases the utility of ORB infrastructure for those groups that rely on regional relay devices to mask origin and complicate attribution.
Cisco Talos’ assessment is clear: UAT-7810 is not standing still. By replacing or extending SHORTLEASH with LONGLEASH, adding specialized backdoors and administrative tools, and testing MIPS devices with LEASHTEST, the campaign appears designed to broaden the geographic and functional reach of the ORB network through a mix of known vulnerability exploitation and new malware capabilities.
Talos provides a full set of IoCs and technical details at the end of its report for defenders who need to map activity in their environments. The facts Talos lays out leave a pointed, specific question in their wake: how rapidly will UAT-7810 scale LONGLEASH across its ORB estate, and how widely will that expanded relay capability be used by other China-aligned APTs?
