Chinese APT UAT-7810 Expands Stealthy ORB Malware Network by Hijacking Internet-Facing Routers + Video

Listen to this Post

Featured Image

Introduction

China-linked cyber espionage groups continue to evolve their offensive capabilities, and recent research highlights another major step forward. Security researchers have uncovered significant updates to the malware arsenal used by the advanced persistent threat (APT) group known as UAT-7810, revealing a campaign focused on silently compromising internet-facing networking devices to build a massive Operational Relay Box (ORB) infrastructure.

Rather than directly stealing information from every victim, the group’s strategy revolves around transforming vulnerable routers and embedded devices into hidden relay nodes. These compromised systems become part of a distributed infrastructure that can later support cyber espionage, persistence, and future attacks carried out by multiple threat actors. The latest discoveries show that the attackers are actively improving their malware framework, introducing new backdoors, testing tools, and communication methods that make the ORB network more resilient and difficult to detect.

the Report

Cisco Talos Identifies Continued Activity

Cisco Talos researchers have attributed the latest campaign to the Chinese threat actor UAT-7810, an advanced persistent threat specializing in creating Operational Relay Box (ORB) infrastructures.

Instead of conducting every cyberattack themselves, the group appears responsible for building and maintaining attack infrastructure that can later be used by other affiliated Chinese cyber operators.

LapDogs ORB Network Continues Growing

The

Since then, researchers have observed continuous expansion of the network through newly compromised internet-facing devices.

Every newly infected router effectively becomes another anonymous relay point for future cyber operations.

Support for Other Chinese Threat Groups

Researchers believe UAT-7810 works closely with other China-linked hacking teams.

One notable customer of the infrastructure appears to be UAT-5918, another Chinese threat actor previously linked to attacks against Taiwanese critical infrastructure dating back to at least 2023.

This separation of responsibilities allows one team to focus entirely on infrastructure while another conducts espionage operations.

New Malware: LONGLEASH

Researchers discovered that the previously known malware ShortLeash has now evolved into a more advanced platform called LONGLEASH.

The new malware includes expanded networking features, stronger command-and-control capabilities, and more sophisticated operational controls.

Its development suggests that the malware framework remains under active improvement.

Additional Malware Components

Cisco Talos also identified several previously undocumented tools deployed by UAT-7810.

DOGLEASH

A passive Linux backdoor capable of executing arbitrary shellcode on compromised devices.

Unlike traditional malware that constantly communicates outward, DOGLEASH quietly waits for instructions, making detection significantly more difficult.

LEASHTEST

An ELF binary developed specifically for testing malware functionality on MIPS-based embedded devices.

Researchers observed it validating features such as:

Thread creation

Child process execution

Asynchronous timers

This indicates ongoing malware development rather than a finished toolkit.

JARLEASH

Researchers also identified a Java-based administration backdoor deployed on several attacker-controlled servers.

Its functions include:

File management

FTP support

SFTP operations

Netcat functionality

The tool appears to assist attackers in managing compromised infrastructure.

Targeting Vulnerable Routers

The campaign primarily abuses known vulnerabilities in internet-connected networking devices.

Observed targets include vulnerable Ruckus wireless routers, exploiting:

CVE-2020-22653

CVE-2020-22658

CVE-2023-25717

Earlier campaigns also targeted vulnerable ASUS AiCloud routers affected by CVE-2025-2492, suggesting the attackers continue expanding the pool of exploitable devices.

LONGLEASH Brings Major Improvements

Compared to ShortLeash, LONGLEASH introduces substantial new capabilities.

Advanced Proxy Services

The malware can proxy traffic using:

HTTP

DNS

SOCKS

TCP

ICMP

UDP

This flexibility allows compromised devices to relay many different kinds of malicious traffic.

Intermediate Command-and-Control

LONGLEASH can function as an intermediate C2 server.

Instead of every infected device communicating directly with a primary command server, infected nodes can relay commands through one another.

This architecture makes takedowns significantly harder.

Self-Protection Features

Researchers found built-in anti-forensics capabilities.

If tampering or investigation is detected, the malware can remove itself and erase traces of infection, reducing opportunities for forensic analysis.

Active Development Continues

Despite LONGLEASH already being a sophisticated malware framework, researchers found evidence that developers continue testing new functionality on embedded MIPS platforms.

This suggests future malware versions may become even more stable, portable, and feature-rich.

Deep Analysis

What Undercode Say:

The ORB Model Reflects a Strategic Shift

Rather than launching loud, destructive attacks, Chinese cyber operators continue investing in long-term infrastructure. Operational Relay Boxes provide anonymity, resilience, and flexibility that benefit multiple offensive campaigns over several years.

Infrastructure Is Becoming More Valuable Than Malware

Modern espionage increasingly depends on hidden infrastructure instead of individual malware families. Malware can be replaced quickly, but a global network of compromised routers provides a reusable strategic asset.

Routers Remain the Weakest Enterprise Asset

Networking equipment frequently receives fewer security updates than servers or workstations. Many organizations deploy routers and leave them unpatched for years, creating attractive long-term targets.

Known Vulnerabilities Continue to Cause New Breaches

Every vulnerability exploited in this campaign was publicly documented before being weaponized. This reinforces an uncomfortable reality: attackers often succeed because organizations delay patching rather than because they discover unknown vulnerabilities.

Embedded Devices Offer Exceptional Persistence

Unlike traditional computers, embedded devices are rarely monitored by endpoint detection platforms. Attackers understand this and increasingly prioritize routers, gateways, firewalls, and IoT devices.

LONGLEASH Shows Professional Software Engineering

The malware demonstrates modular architecture, multiple communication protocols, authentication mechanisms, and cleanup routines. This reflects mature development practices rather than experimental malware coding.

Proxy Networks Increase Attribution Challenges

When attacks originate through hundreds of compromised routers worldwide, tracing operations back to their true operators becomes substantially more difficult.

Shared Infrastructure Indicates Operational Specialization

Evidence suggests UAT-7810 specializes in building infrastructure while affiliated groups conduct espionage. This mirrors organizational specialization observed in sophisticated intelligence operations.

Testing Tools Reveal Continuous Improvement

The existence of LEASHTEST indicates developers are validating code reliability before widespread deployment. Mature testing processes generally lead to more stable and stealthier malware.

Linux Continues to Be a High-Value Target

Because networking appliances commonly run Linux-based firmware, attackers increasingly invest in Linux malware instead of focusing exclusively on Windows environments.

Passive Backdoors Reduce Detection

DOGLEASH minimizes suspicious activity by waiting silently for instructions. Passive implants often evade behavioral monitoring longer than malware maintaining constant outbound communications.

Self-Deletion Features Complicate Investigations

Automatic removal after tampering significantly reduces forensic evidence, slowing incident response teams attempting to understand attack timelines.

Multi-Protocol Communication Improves Resilience

Supporting HTTP, DNS, SOCKS, ICMP, TCP, and UDP enables malware to survive restrictive firewall environments and adapt to different network configurations.

Router Security Must Become a Priority

Organizations frequently focus security investments on endpoints while overlooking networking infrastructure. Campaigns like this demonstrate why routers deserve equal attention.

Critical Infrastructure Faces Elevated Risk

Because relay infrastructure supports multiple espionage campaigns, sectors including energy, telecommunications, healthcare, and government remain attractive future targets.

Supply Chains May Also Be Impacted

Compromised networking devices inside suppliers or managed service providers can provide indirect access to larger enterprise environments.

Detection Requires Network Visibility

Traditional antivirus products offer limited visibility into embedded networking equipment. Organizations need dedicated monitoring for routers, switches, and edge devices.

Operational Relay Boxes Are Likely Here to Stay

As law enforcement disrupts traditional command-and-control infrastructure, distributed ORB architectures provide attackers with greater resilience against takedown efforts.

International Cooperation Will Be Essential

Since compromised devices are distributed globally, mitigating ORB networks requires coordinated action among vendors, internet providers, cybersecurity firms, and governments.

The Campaign Highlights Long-Term Planning

Everything observed—from modular malware to testing utilities and distributed infrastructure—indicates deliberate long-term planning rather than opportunistic cybercrime.

✅ Claim: UAT-7810 is actively expanding the LapDogs Operational Relay Box network.

Current security research supports this conclusion, with Cisco Talos documenting continued infrastructure growth and ongoing malware development targeting internet-facing networking devices.

✅ Claim: LONGLEASH introduces new capabilities beyond ShortLeash.

Available technical analysis confirms that LONGLEASH expands command-and-control functionality, proxy services, relay capabilities, and anti-forensic features compared to earlier versions.

✅ Claim: Vulnerable Ruckus and ASUS routers are being exploited.

Researchers documented exploitation of multiple known vulnerabilities affecting Ruckus wireless routers and ASUS AiCloud devices, reinforcing the importance of timely firmware updates.

Prediction

(+1) Defensive technologies for networking equipment will continue improving as vendors introduce faster firmware updates, stronger default security settings, and better detection capabilities to counter sophisticated ORB campaigns.
(-1) Chinese state-linked threat actors are likely to continue expanding Operational Relay Box infrastructures, targeting additional router brands, embedded Linux devices, and unpatched edge systems to strengthen anonymous global attack networks and support future espionage operations.

▶️ Related Video (84% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: thehackernews.com
Extra Source Hub (Possible Sources for article):
https://www.medium.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube