Listen to this Post

Introduction
China-linked cyber espionage groups continue to evolve their offensive capabilities, and recent research highlights another major step forward. Security researchers have uncovered significant updates to the malware arsenal used by the advanced persistent threat (APT) group known as UAT-7810, revealing a campaign focused on silently compromising internet-facing networking devices to build a massive Operational Relay Box (ORB) infrastructure.
Rather than directly stealing information from every victim, the group’s strategy revolves around transforming vulnerable routers and embedded devices into hidden relay nodes. These compromised systems become part of a distributed infrastructure that can later support cyber espionage, persistence, and future attacks carried out by multiple threat actors. The latest discoveries show that the attackers are actively improving their malware framework, introducing new backdoors, testing tools, and communication methods that make the ORB network more resilient and difficult to detect.
the Report
Cisco Talos Identifies Continued Activity
Cisco Talos researchers have attributed the latest campaign to the Chinese threat actor UAT-7810, an advanced persistent threat specializing in creating Operational Relay Box (ORB) infrastructures.
Instead of conducting every cyberattack themselves, the group appears responsible for building and maintaining attack infrastructure that can later be used by other affiliated Chinese cyber operators.
LapDogs ORB Network Continues Growing
The
Since then, researchers have observed continuous expansion of the network through newly compromised internet-facing devices.
Every newly infected router effectively becomes another anonymous relay point for future cyber operations.
Support for Other Chinese Threat Groups
Researchers believe UAT-7810 works closely with other China-linked hacking teams.
One notable customer of the infrastructure appears to be UAT-5918, another Chinese threat actor previously linked to attacks against Taiwanese critical infrastructure dating back to at least 2023.
This separation of responsibilities allows one team to focus entirely on infrastructure while another conducts espionage operations.
New Malware: LONGLEASH
Researchers discovered that the previously known malware ShortLeash has now evolved into a more advanced platform called LONGLEASH.
The new malware includes expanded networking features, stronger command-and-control capabilities, and more sophisticated operational controls.
Its development suggests that the malware framework remains under active improvement.
Additional Malware Components
Cisco Talos also identified several previously undocumented tools deployed by UAT-7810.
DOGLEASH
A passive Linux backdoor capable of executing arbitrary shellcode on compromised devices.
Unlike traditional malware that constantly communicates outward, DOGLEASH quietly waits for instructions, making detection significantly more difficult.
LEASHTEST
An ELF binary developed specifically for testing malware functionality on MIPS-based embedded devices.
Researchers observed it validating features such as:
Thread creation
Child process execution
Asynchronous timers
This indicates ongoing malware development rather than a finished toolkit.
JARLEASH
Researchers also identified a Java-based administration backdoor deployed on several attacker-controlled servers.
Its functions include:
File management
FTP support
SFTP operations
Netcat functionality
The tool appears to assist attackers in managing compromised infrastructure.
Targeting Vulnerable Routers
The campaign primarily abuses known vulnerabilities in internet-connected networking devices.
Observed targets include vulnerable Ruckus wireless routers, exploiting:
CVE-2020-22653
CVE-2020-22658
CVE-2023-25717
Earlier campaigns also targeted vulnerable ASUS AiCloud routers affected by CVE-2025-2492, suggesting the attackers continue expanding the pool of exploitable devices.
LONGLEASH Brings Major Improvements
Compared to ShortLeash, LONGLEASH introduces substantial new capabilities.
Advanced Proxy Services
The malware can proxy traffic using:
HTTP
DNS
SOCKS
TCP
ICMP
UDP
This flexibility allows compromised devices to relay many different kinds of malicious traffic.
Intermediate Command-and-Control
LONGLEASH can function as an intermediate C2 server.
Instead of every infected device communicating directly with a primary command server, infected nodes can relay commands through one another.
This architecture makes takedowns significantly harder.
Self-Protection Features
Researchers found built-in anti-forensics capabilities.
If tampering or investigation is detected, the malware can remove itself and erase traces of infection, reducing opportunities for forensic analysis.
Active Development Continues
Despite LONGLEASH already being a sophisticated malware framework, researchers found evidence that developers continue testing new functionality on embedded MIPS platforms.
This suggests future malware versions may become even more stable, portable, and feature-rich.
Deep Analysis
What Undercode Say:
The ORB Model Reflects a Strategic Shift
Rather than launching loud, destructive attacks, Chinese cyber operators continue investing in long-term infrastructure. Operational Relay Boxes provide anonymity, resilience, and flexibility that benefit multiple offensive campaigns over several years.
Infrastructure Is Becoming More Valuable Than Malware
Modern espionage increasingly depends on hidden infrastructure instead of individual malware families. Malware can be replaced quickly, but a global network of compromised routers provides a reusable strategic asset.
Routers Remain the Weakest Enterprise Asset
Networking equipment frequently receives fewer security updates than servers or workstations. Many organizations deploy routers and leave them unpatched for years, creating attractive long-term targets.
Known Vulnerabilities Continue to Cause New Breaches
Every vulnerability exploited in this campaign was publicly documented before being weaponized. This reinforces an uncomfortable reality: attackers often succeed because organizations delay patching rather than because they discover unknown vulnerabilities.
Embedded Devices Offer Exceptional Persistence
Unlike traditional computers, embedded devices are rarely monitored by endpoint detection platforms. Attackers understand this and increasingly prioritize routers, gateways, firewalls, and IoT devices.
LONGLEASH Shows Professional Software Engineering
The malware demonstrates modular architecture, multiple communication protocols, authentication mechanisms, and cleanup routines. This reflects mature development practices rather than experimental malware coding.
Proxy Networks Increase Attribution Challenges
When attacks originate through hundreds of compromised routers worldwide, tracing operations back to their true operators becomes substantially more difficult.
Shared Infrastructure Indicates Operational Specialization
Evidence suggests UAT-7810 specializes in building infrastructure while affiliated groups conduct espionage. This mirrors organizational specialization observed in sophisticated intelligence operations.
Testing Tools Reveal Continuous Improvement
The existence of LEASHTEST indicates developers are validating code reliability before widespread deployment. Mature testing processes generally lead to more stable and stealthier malware.
Linux Continues to Be a High-Value Target
Because networking appliances commonly run Linux-based firmware, attackers increasingly invest in Linux malware instead of focusing exclusively on Windows environments.
Passive Backdoors Reduce Detection
DOGLEASH minimizes suspicious activity by waiting silently for instructions. Passive implants often evade behavioral monitoring longer than malware maintaining constant outbound communications.
Self-Deletion Features Complicate Investigations
Automatic removal after tampering significantly reduces forensic evidence, slowing incident response teams attempting to understand attack timelines.
Multi-Protocol Communication Improves Resilience
Supporting HTTP, DNS, SOCKS, ICMP, TCP, and UDP enables malware to survive restrictive firewall environments and adapt to different network configurations.
Router Security Must Become a Priority
Organizations frequently focus security investments on endpoints while overlooking networking infrastructure. Campaigns like this demonstrate why routers deserve equal attention.
Critical Infrastructure Faces Elevated Risk
Because relay infrastructure supports multiple espionage campaigns, sectors including energy, telecommunications, healthcare, and government remain attractive future targets.
Supply Chains May Also Be Impacted
Compromised networking devices inside suppliers or managed service providers can provide indirect access to larger enterprise environments.
Detection Requires Network Visibility
Traditional antivirus products offer limited visibility into embedded networking equipment. Organizations need dedicated monitoring for routers, switches, and edge devices.
Operational Relay Boxes Are Likely Here to Stay
As law enforcement disrupts traditional command-and-control infrastructure, distributed ORB architectures provide attackers with greater resilience against takedown efforts.
International Cooperation Will Be Essential
Since compromised devices are distributed globally, mitigating ORB networks requires coordinated action among vendors, internet providers, cybersecurity firms, and governments.
The Campaign Highlights Long-Term Planning
Everything observed—from modular malware to testing utilities and distributed infrastructure—indicates deliberate long-term planning rather than opportunistic cybercrime.
✅ Claim: UAT-7810 is actively expanding the LapDogs Operational Relay Box network.
Current security research supports this conclusion, with Cisco Talos documenting continued infrastructure growth and ongoing malware development targeting internet-facing networking devices.
✅ Claim: LONGLEASH introduces new capabilities beyond ShortLeash.
Available technical analysis confirms that LONGLEASH expands command-and-control functionality, proxy services, relay capabilities, and anti-forensic features compared to earlier versions.
✅ Claim: Vulnerable Ruckus and ASUS routers are being exploited.
Researchers documented exploitation of multiple known vulnerabilities affecting Ruckus wireless routers and ASUS AiCloud devices, reinforcing the importance of timely firmware updates.
Prediction
(+1) Defensive technologies for networking equipment will continue improving as vendors introduce faster firmware updates, stronger default security settings, and better detection capabilities to counter sophisticated ORB campaigns.
(-1) Chinese state-linked threat actors are likely to continue expanding Operational Relay Box infrastructures, targeting additional router brands, embedded Linux devices, and unpatched edge systems to strengthen anonymous global attack networks and support future espionage operations.
▶️ Related Video (84% Match):
🕵️📝Let’s dive deep and fact‑check.
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
References:
Reported By: thehackernews.com
Extra Source Hub (Possible Sources for article):
https://www.medium.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube




