China’s Expanding ORB Network: How UAT-7810 Is Quietly Turning Vulnerable Routers into a Global Cyber Weapon + Video

Listen to this Post

Featured Image

Introduction

Cyber warfare is no longer limited to attacking high-profile organizations or government agencies. Modern threat actors increasingly rely on compromising everyday networking devices that often sit forgotten in homes, offices, and enterprises. Unpatched routers, gateways, and IoT equipment have become valuable assets for espionage operations because they provide persistent access, anonymous communication channels, and reliable infrastructure for future attacks.

A newly uncovered campaign by Cisco Talos reveals that the Chinese threat group tracked as UAT-7810 has significantly evolved its malware ecosystem while aggressively expanding its Operational Relay Box (ORB) infrastructure. Rather than simply infecting devices, the attackers are building an invisible global network that allows multiple advanced persistent threat (APT) groups to hide their operations behind legitimate internet connections. This latest discovery demonstrates how cyber espionage continues to evolve toward stealth, persistence, and large-scale infrastructure abuse.

Campaign Overview

Cisco Talos researchers have identified an active cyber campaign in which the Chinese hacking group UAT-7810 compromises internet-facing networking devices, with a primary focus on vulnerable and unpatched Ruckus routers. The attackers exploit previously disclosed vulnerabilities instead of relying on expensive zero-day exploits, proving once again that delayed patching remains one of the biggest cybersecurity risks worldwide.

The compromised devices are added to an Operational Relay Box (ORB) network, which functions as a sophisticated relay infrastructure for multiple China-aligned advanced persistent threat groups, including UAT-5918.

Instead of launching attacks directly from their own servers, threat actors route their malicious traffic through these infected routers. As a result, investigations become significantly more difficult because the traffic appears to originate from legitimate regional infrastructure rather than from foreign attacker-controlled servers.

This approach dramatically reduces attribution accuracy while increasing operational security for the attackers.

The Growing ORB Infrastructure

Operational Relay Box infrastructure has become one of the most effective techniques for nation-state cyber operations.

Rather than maintaining centralized command servers that can be quickly blocked or seized, attackers distribute their infrastructure across thousands of compromised devices around the world.

Each infected router acts as a relay point that forwards commands, malware, or stolen information between victims and the operators.

This decentralized architecture offers several major advantages:

Hides the real attacker location.

Blends malicious traffic with legitimate internet activity.

Improves infrastructure resilience.

Makes takedowns significantly more difficult.

Allows multiple APT groups to share infrastructure.

Cisco Talos reports that UAT-7810 continues expanding this network while replacing older malware with significantly more capable tools.

LONGLEASH: A Major Evolution of SHORTLEASH

The most significant discovery is LONGLEASH, an upgraded version of the previously documented SHORTLEASH backdoor.

While SHORTLEASH already supported command-and-control communication, tunnel management, web hosting, and server functionality, LONGLEASH introduces a far more advanced feature set designed for long-term covert operations.

Its capabilities now include:

Reverse shell access

HTTP proxying

DNS proxying

SOCKS proxy support

TCP forwarding

UDP forwarding

ICMP tunneling

SMTP client/server functionality

TLS encryption support

Public Key Infrastructure (PKI) integration

Traffic redirection

Self-removal mechanisms

Intermediate command-and-control forwarding

Perhaps the most dangerous enhancement is its ability to function as an intermediate command server, allowing attackers to create multiple hidden communication layers between themselves and compromised systems.

This significantly complicates digital forensics and incident response.

DOGLEASH: A Lightweight but Dangerous Linux Backdoor

Researchers also uncovered DOGLEASH, a lightweight Linux backdoor deployed through web shell scripts.

Although smaller than LONGLEASH, it remains extremely powerful.

Once installed, it opens a listening TCP port secured by a hardcoded password.

After authentication, attackers can:

Execute shell commands

Read system files

Modify existing files

Upload malicious content

Retrieve operating system information

Execute arbitrary code directly in memory

Running malicious code directly in memory helps avoid traditional file-based antivirus detection, making the malware considerably stealthier.

JARLEASH: Administrative Control Made Easy

Another newly discovered component is JARLEASH, a Java-based administrative utility.

Unlike traditional malware, JARLEASH focuses on managing compromised devices through a convenient web interface.

Its features include:

Web-based file management

FTP server support

SFTP functionality

Netcat server capabilities

This administrative toolkit allows operators to efficiently control thousands of compromised devices without requiring direct command-line interaction.

LEASHTEST: Preparing for Larger IoT Operations

Cisco Talos also identified LEASHTEST, a testing utility that appears to verify whether vulnerable MIPS-based IoT devices are compatible with future malware deployment.

Rather than serving as an attack tool itself, LEASHTEST functions as a validation utility, ensuring that targeted hardware can properly support LONGLEASH before full deployment.

This demonstrates careful planning and professional malware development practices rather than opportunistic attacks.

Vulnerabilities Being Exploited

Instead of relying on undisclosed vulnerabilities, UAT-7810 mainly abuses publicly known security flaws that remain unpatched on countless internet-facing devices.

The campaign exploits:

CVE-2020-22653

CVE-2020-22658

CVE-2023-25717

CVE-2025-2492

Affected products primarily include vulnerable Ruckus routers and ASUS AiCloud devices.

These vulnerabilities have been publicly available for years, highlighting how poor patch management continues to fuel sophisticated cyber espionage campaigns.

Why Routers Have Become Prime Targets

Enterprise routers occupy an ideal position inside modern networks.

Unlike workstations or servers, networking equipment often operates continuously without frequent security monitoring.

Many organizations neglect firmware updates because router maintenance can interrupt business operations.

Attackers understand this weakness.

Once compromised, routers provide:

Persistent access

Stable communication channels

Network visibility

Traffic manipulation opportunities

Anonymous relay infrastructure

Long operational lifespans

As organizations increasingly secure endpoints with advanced EDR solutions, attackers are shifting toward infrastructure devices that receive far less attention.

Deep Analysis

Command: Analyze the Attack Strategy

UAT-7810 demonstrates a clear transition from traditional malware deployment toward infrastructure engineering. Rather than focusing solely on stealing data, the group is investing heavily in creating a reusable cyber ecosystem that can support future espionage campaigns for years.

Command: Examine Malware Evolution

The progression from SHORTLEASH to LONGLEASH mirrors the evolution of enterprise software. Features are being expanded systematically, communication methods diversified, encryption strengthened, and operational resilience improved. This indicates mature software development practices rather than isolated malware creation.

Command: Evaluate Operational Security

The integration of relay servers, encrypted communications, proxy protocols, and self-removal mechanisms reveals an exceptional emphasis on stealth. These capabilities dramatically reduce forensic evidence while making attribution increasingly difficult.

Command: Assess Defender Challenges

Traditional perimeter defenses are unlikely to detect router-based relay infrastructure because the malicious traffic often resembles legitimate network communication. Organizations focusing exclusively on endpoint protection may overlook compromised networking hardware entirely.

Command: Review Strategic Impact

The expanding ORB ecosystem represents more than another malware campaign. It signals a long-term investment in cyber infrastructure capable of supporting intelligence collection, future attacks, and coordinated operations across multiple threat groups. Such infrastructure becomes exponentially more valuable as its size increases.

Command: Security Recommendations

Organizations should prioritize firmware updates, continuously inventory networking devices, disable unnecessary internet exposure, monitor unusual outbound traffic, enable secure administrative access, and include routers within routine security assessments. Infrastructure devices should no longer be treated as “set-and-forget” hardware.

What Undercode Say:

The latest Cisco Talos findings reinforce an uncomfortable reality: attackers no longer need revolutionary zero-day exploits to conduct sophisticated espionage. Instead, they capitalize on organizations that delay routine maintenance and firmware updates. UAT-7810’s campaign is a textbook example of how operational discipline can be just as important as technical sophistication.

What stands out most is the professional engineering behind the malware family. LONGLEASH is not simply an upgraded backdoor—it is a modular platform capable of adapting to different environments while providing resilient communications and advanced routing capabilities. This reflects an investment in long-term infrastructure rather than one-off attacks.

The use of Operational Relay Boxes also illustrates a broader strategic trend in nation-state cyber operations. By routing malicious traffic through legitimate regional devices, attackers create layers of plausible deniability that frustrate investigators and complicate international attribution efforts.

Another noteworthy aspect is the targeting of routers instead of conventional endpoints. Networking devices remain under-monitored in many organizations despite controlling nearly all internal traffic. This imbalance gives attackers an ideal foothold for persistence and surveillance.

The inclusion of LEASHTEST highlights a mature development lifecycle rarely seen in ordinary cybercrime. Testing tools are typically associated with organized software engineering, suggesting dedicated development teams continuously refining malware compatibility across multiple hardware architectures.

Defenders should also recognize that infrastructure attacks have cascading effects. A compromised router can support espionage campaigns against numerous victims simultaneously, effectively multiplying the attacker’s operational capacity.

This campaign further emphasizes that cybersecurity is no longer solely about protecting computers. Every internet-connected device—including routers, switches, gateways, and IoT equipment—must be treated as critical infrastructure deserving continuous monitoring and timely patch management.

Organizations that continue overlooking networking equipment risk becoming unwilling participants in global cyber espionage operations without realizing their infrastructure is actively assisting sophisticated threat actors.

✅ Confirmed: Cisco Talos documented UAT-7810’s expanded malware toolkit, including LONGLEASH, DOGLEASH, JARLEASH, and LEASHTEST, as well as the group’s continued expansion of its Operational Relay Box infrastructure.

✅ Confirmed: The campaign primarily exploits publicly known vulnerabilities in Ruckus routers and ASUS AiCloud devices rather than relying on undisclosed zero-day exploits, highlighting the importance of timely patching.

✅ Verified Analysis: The assessment that compromised routers can function as relay infrastructure to conceal attacker origins aligns with established threat intelligence regarding Operational Relay Box (ORB) techniques and modern nation-state cyber operations.

Prediction

(+1) Router security will become a much higher priority for enterprises, leading vendors to improve automated firmware management, stronger authentication, and continuous monitoring for networking equipment.

(-1) Nation-state threat groups are likely to continue expanding decentralized ORB infrastructures across vulnerable IoT devices, making attribution, disruption, and incident response significantly more challenging for defenders worldwide.

▶️ Related Video (76% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://stackoverflow.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube