Listen to this Post

Introduction
Cyber warfare is no longer limited to attacking high-profile organizations or government agencies. Modern threat actors increasingly rely on compromising everyday networking devices that often sit forgotten in homes, offices, and enterprises. Unpatched routers, gateways, and IoT equipment have become valuable assets for espionage operations because they provide persistent access, anonymous communication channels, and reliable infrastructure for future attacks.
A newly uncovered campaign by Cisco Talos reveals that the Chinese threat group tracked as UAT-7810 has significantly evolved its malware ecosystem while aggressively expanding its Operational Relay Box (ORB) infrastructure. Rather than simply infecting devices, the attackers are building an invisible global network that allows multiple advanced persistent threat (APT) groups to hide their operations behind legitimate internet connections. This latest discovery demonstrates how cyber espionage continues to evolve toward stealth, persistence, and large-scale infrastructure abuse.
Campaign Overview
Cisco Talos researchers have identified an active cyber campaign in which the Chinese hacking group UAT-7810 compromises internet-facing networking devices, with a primary focus on vulnerable and unpatched Ruckus routers. The attackers exploit previously disclosed vulnerabilities instead of relying on expensive zero-day exploits, proving once again that delayed patching remains one of the biggest cybersecurity risks worldwide.
The compromised devices are added to an Operational Relay Box (ORB) network, which functions as a sophisticated relay infrastructure for multiple China-aligned advanced persistent threat groups, including UAT-5918.
Instead of launching attacks directly from their own servers, threat actors route their malicious traffic through these infected routers. As a result, investigations become significantly more difficult because the traffic appears to originate from legitimate regional infrastructure rather than from foreign attacker-controlled servers.
This approach dramatically reduces attribution accuracy while increasing operational security for the attackers.
The Growing ORB Infrastructure
Operational Relay Box infrastructure has become one of the most effective techniques for nation-state cyber operations.
Rather than maintaining centralized command servers that can be quickly blocked or seized, attackers distribute their infrastructure across thousands of compromised devices around the world.
Each infected router acts as a relay point that forwards commands, malware, or stolen information between victims and the operators.
This decentralized architecture offers several major advantages:
Hides the real attacker location.
Blends malicious traffic with legitimate internet activity.
Improves infrastructure resilience.
Makes takedowns significantly more difficult.
Allows multiple APT groups to share infrastructure.
Cisco Talos reports that UAT-7810 continues expanding this network while replacing older malware with significantly more capable tools.
LONGLEASH: A Major Evolution of SHORTLEASH
The most significant discovery is LONGLEASH, an upgraded version of the previously documented SHORTLEASH backdoor.
While SHORTLEASH already supported command-and-control communication, tunnel management, web hosting, and server functionality, LONGLEASH introduces a far more advanced feature set designed for long-term covert operations.
Its capabilities now include:
Reverse shell access
HTTP proxying
DNS proxying
SOCKS proxy support
TCP forwarding
UDP forwarding
ICMP tunneling
SMTP client/server functionality
TLS encryption support
Public Key Infrastructure (PKI) integration
Traffic redirection
Self-removal mechanisms
Intermediate command-and-control forwarding
Perhaps the most dangerous enhancement is its ability to function as an intermediate command server, allowing attackers to create multiple hidden communication layers between themselves and compromised systems.
This significantly complicates digital forensics and incident response.
DOGLEASH: A Lightweight but Dangerous Linux Backdoor
Researchers also uncovered DOGLEASH, a lightweight Linux backdoor deployed through web shell scripts.
Although smaller than LONGLEASH, it remains extremely powerful.
Once installed, it opens a listening TCP port secured by a hardcoded password.
After authentication, attackers can:
Execute shell commands
Read system files
Modify existing files
Upload malicious content
Retrieve operating system information
Execute arbitrary code directly in memory
Running malicious code directly in memory helps avoid traditional file-based antivirus detection, making the malware considerably stealthier.
JARLEASH: Administrative Control Made Easy
Another newly discovered component is JARLEASH, a Java-based administrative utility.
Unlike traditional malware, JARLEASH focuses on managing compromised devices through a convenient web interface.
Its features include:
Web-based file management
FTP server support
SFTP functionality
Netcat server capabilities
This administrative toolkit allows operators to efficiently control thousands of compromised devices without requiring direct command-line interaction.
LEASHTEST: Preparing for Larger IoT Operations
Cisco Talos also identified LEASHTEST, a testing utility that appears to verify whether vulnerable MIPS-based IoT devices are compatible with future malware deployment.
Rather than serving as an attack tool itself, LEASHTEST functions as a validation utility, ensuring that targeted hardware can properly support LONGLEASH before full deployment.
This demonstrates careful planning and professional malware development practices rather than opportunistic attacks.
Vulnerabilities Being Exploited
Instead of relying on undisclosed vulnerabilities, UAT-7810 mainly abuses publicly known security flaws that remain unpatched on countless internet-facing devices.
The campaign exploits:
CVE-2020-22653
CVE-2020-22658
CVE-2023-25717
CVE-2025-2492
Affected products primarily include vulnerable Ruckus routers and ASUS AiCloud devices.
These vulnerabilities have been publicly available for years, highlighting how poor patch management continues to fuel sophisticated cyber espionage campaigns.
Why Routers Have Become Prime Targets
Enterprise routers occupy an ideal position inside modern networks.
Unlike workstations or servers, networking equipment often operates continuously without frequent security monitoring.
Many organizations neglect firmware updates because router maintenance can interrupt business operations.
Attackers understand this weakness.
Once compromised, routers provide:
Persistent access
Stable communication channels
Network visibility
Traffic manipulation opportunities
Anonymous relay infrastructure
Long operational lifespans
As organizations increasingly secure endpoints with advanced EDR solutions, attackers are shifting toward infrastructure devices that receive far less attention.
Deep Analysis
Command: Analyze the Attack Strategy
UAT-7810 demonstrates a clear transition from traditional malware deployment toward infrastructure engineering. Rather than focusing solely on stealing data, the group is investing heavily in creating a reusable cyber ecosystem that can support future espionage campaigns for years.
Command: Examine Malware Evolution
The progression from SHORTLEASH to LONGLEASH mirrors the evolution of enterprise software. Features are being expanded systematically, communication methods diversified, encryption strengthened, and operational resilience improved. This indicates mature software development practices rather than isolated malware creation.
Command: Evaluate Operational Security
The integration of relay servers, encrypted communications, proxy protocols, and self-removal mechanisms reveals an exceptional emphasis on stealth. These capabilities dramatically reduce forensic evidence while making attribution increasingly difficult.
Command: Assess Defender Challenges
Traditional perimeter defenses are unlikely to detect router-based relay infrastructure because the malicious traffic often resembles legitimate network communication. Organizations focusing exclusively on endpoint protection may overlook compromised networking hardware entirely.
Command: Review Strategic Impact
The expanding ORB ecosystem represents more than another malware campaign. It signals a long-term investment in cyber infrastructure capable of supporting intelligence collection, future attacks, and coordinated operations across multiple threat groups. Such infrastructure becomes exponentially more valuable as its size increases.
Command: Security Recommendations
Organizations should prioritize firmware updates, continuously inventory networking devices, disable unnecessary internet exposure, monitor unusual outbound traffic, enable secure administrative access, and include routers within routine security assessments. Infrastructure devices should no longer be treated as “set-and-forget” hardware.
What Undercode Say:
The latest Cisco Talos findings reinforce an uncomfortable reality: attackers no longer need revolutionary zero-day exploits to conduct sophisticated espionage. Instead, they capitalize on organizations that delay routine maintenance and firmware updates. UAT-7810’s campaign is a textbook example of how operational discipline can be just as important as technical sophistication.
What stands out most is the professional engineering behind the malware family. LONGLEASH is not simply an upgraded backdoor—it is a modular platform capable of adapting to different environments while providing resilient communications and advanced routing capabilities. This reflects an investment in long-term infrastructure rather than one-off attacks.
The use of Operational Relay Boxes also illustrates a broader strategic trend in nation-state cyber operations. By routing malicious traffic through legitimate regional devices, attackers create layers of plausible deniability that frustrate investigators and complicate international attribution efforts.
Another noteworthy aspect is the targeting of routers instead of conventional endpoints. Networking devices remain under-monitored in many organizations despite controlling nearly all internal traffic. This imbalance gives attackers an ideal foothold for persistence and surveillance.
The inclusion of LEASHTEST highlights a mature development lifecycle rarely seen in ordinary cybercrime. Testing tools are typically associated with organized software engineering, suggesting dedicated development teams continuously refining malware compatibility across multiple hardware architectures.
Defenders should also recognize that infrastructure attacks have cascading effects. A compromised router can support espionage campaigns against numerous victims simultaneously, effectively multiplying the attacker’s operational capacity.
This campaign further emphasizes that cybersecurity is no longer solely about protecting computers. Every internet-connected device—including routers, switches, gateways, and IoT equipment—must be treated as critical infrastructure deserving continuous monitoring and timely patch management.
Organizations that continue overlooking networking equipment risk becoming unwilling participants in global cyber espionage operations without realizing their infrastructure is actively assisting sophisticated threat actors.
✅ Confirmed: Cisco Talos documented UAT-7810’s expanded malware toolkit, including LONGLEASH, DOGLEASH, JARLEASH, and LEASHTEST, as well as the group’s continued expansion of its Operational Relay Box infrastructure.
✅ Confirmed: The campaign primarily exploits publicly known vulnerabilities in Ruckus routers and ASUS AiCloud devices rather than relying on undisclosed zero-day exploits, highlighting the importance of timely patching.
✅ Verified Analysis: The assessment that compromised routers can function as relay infrastructure to conceal attacker origins aligns with established threat intelligence regarding Operational Relay Box (ORB) techniques and modern nation-state cyber operations.
Prediction
(+1) Router security will become a much higher priority for enterprises, leading vendors to improve automated firmware management, stronger authentication, and continuous monitoring for networking equipment.
(-1) Nation-state threat groups are likely to continue expanding decentralized ORB infrastructures across vulnerable IoT devices, making attribution, disruption, and incident response significantly more challenging for defenders worldwide.
▶️ Related Video (76% Match):
🕵️📝Let’s dive deep and fact‑check.
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
References:
Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://stackoverflow.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube




