China‑Linked UAT‑7810 Enhances ORB Network with New LONGLEASH Malware

0
4

Key Takeaways

  • The Chinese APT group UAT‑7810 maintains and expands an Operational Relay Box (ORB) network called LapDogs, which serves as a relay infrastructure for other threat actors.
  • Its custom malware framework has evolved from ShortLeash to a more capable version dubbed LONGLEASH, adding proxying, client‑authorization, and self‑clean‑up features.
  • Supporting tools include DOGLEASH (a passive Linux backdoor), LEASHTEST (an ELF binary for MIPS‑device functionality testing), and JARLEASH (a Java‑based administration backdoor).
  • The group exploits known, unpatched vulnerabilities in Ruckus wireless routers (CVE‑2020‑22653, CVE‑2020‑22658, CVE‑2023‑25717) and ASUS AiCloud routers (CVE‑2025‑2492) to gain initial footholds.
  • UAT‑7810 uses multiple servers to host variants of its tools, indicating a distributed and resilient command‑and‑control (C2) architecture.
  • The continued use of LEASHTEST shows the actor is still validating its implants on MIPS‑based embedded devices before full‑scale deployment.
  • Secondary actors such as UAT‑5918 have leveraged the LapDogs ORB to conduct persistent attacks against critical infrastructure in Taiwan, highlighting the network’s role as a force‑multiplier.
  • Defenders should prioritize patching the cited router vulnerabilities, monitor for anomalous outbound traffic to unfamiliar servers, and employ behavior‑based detection for the described backdoor families.

Actor Background and Objectives
UAT‑7810 is identified by Cisco Talos as a Chinese‑nexus advanced persistent threat (APT) that focuses on building and sustaining Operational Relay Box (ORB) networks. Rather than conducting direct data‑theft or sabotage campaigns itself, the group’s primary mission appears to be the creation of a flexible, resilient relay infrastructure that can be rented or otherwise leveraged by other malicious actors. This “infrastructure‑as‑a‑service” model enables UAT‑7810 to support a broad spectrum of downstream attacks while maintaining a low profile. The group’s activity has been tracked since at least mid‑2025, when the LapDogs ORB first surfaced in public reporting.

ORB Network and LapDogs
LapDogs is the codename for the ORB network maintained by UAT‑7810. An ORB consists of compromised devices that act as intermediate hops, obscuring the true origin of malicious traffic and providing redundant pathways for command‑and‑control communications. By controlling a geographically dispersed set of relay boxes, UAT‑7810 can offer secondary threat actors reliable, low‑latency channels to reach high‑value targets without exposing their own infrastructure. The LapDogs network has been observed in use by UAT‑5918, a China‑linked actor that has targeted Taiwan’s critical‑infrastructure sector since 2023, underscoring the strategic value of the ORB as a force‑multiplier.

Toolchain Evolution: ShortLeash to LONGLEASH
The core of UAT‑7810’s capability lies in a custom malware family initially named ShortLeash. ShortLeash functions as a multi‑purpose backdoor capable of contacting external C2 servers, hosting a web server, and operating as both a client and a server within the ORB. Researchers noted that the actor has been actively iterating on this framework, releasing a newer version codenamed LONGLEASH. LONGLEASH retains all baseline ShortLeash functions while adding several advanced modules: an executor component that can proxy traffic over HTTP, DNS, SOCKS, TCP, ICMP, and UDP; the ability to manage connections to other ORB nodes; client‑authorization logic; and a self‑removal routine that wipes the implant and associated artifacts if tampering is detected. These enhancements point to a deliberate effort to increase robustness, stealth, and flexibility of the ORB infrastructure.

New Tools: DOGLEASH, LEASHTEST, and JARLEASH
Beyond the primary backdoor framework, UAT‑7810 deploys a suite of specialized tools tailored toolbox designed for different stages of compromise and device architecture. DOGLEASH is a passive Linux backdoor that lies dormant until triggered, at which point it can execute arbitrary shellcode on the infected host. Its stealthy nature makes it suitable for long‑term persistence on compromised networking gear. LEASHTEST is an ELF binary used to test low‑level functionality—such as spawning threads, creating child processes, or setting up async timers—on MIPS‑based embedded devices commonly found in routers and IoT gear. The continued employment of LEASHTEST indicates that the actor is still validating its implants on these platforms before relying on them for full operational use. Finally, JARLEASH is a Java‑based backdoor packaged as a JAR file, observed on at least one of the actor’s servers. It provides administrative capabilities including file management, FTP/SFTP transfers, and raw network communication via Netcat, suggesting a role in post‑exploitation maintenance and lateral movement within the ORB.

Exploited Vulnerabilities and Targeted Devices
Initial access to victim devices is achieved through the exploitation of known, unpatched vulnerabilities in widely deployed networking equipment. UAT‑7810 has been observed leveraging flaws in Ruckus wireless routers, specifically CVE‑2020‑22653, CVE‑2020‑22658, and CVE‑2023‑25717. More recently, the group turned its attention to ASUS AiCloud routers, exploiting CVE‑2025‑2492 to gain footholds. These vulnerabilities typically involve improper input validation or authentication bypasses that allow remote code execution or privileged access without user interaction. By focusing on edge devices that often lack rigorous patching regimens, the actor can quickly expand its ORB with minimal effort.

Deployment Infrastructure and Server Usage
To support its malware distribution and C2 functions, UAT‑7810 operates a cluster of dedicated servers. Researchers identified at least four new servers hosting various minor variants of DOGLEASH, each tailored to specific target environments or evasion techniques. In addition, a single server was found to host the JARLEASH Java backdoor, which appears to serve as an administrative hub for file transfers, FTP/SFTP services, and Netcat‑based communication. This distributed server model provides redundancy: if one node is taken down or blacklisted, others can continue to deliver payloads and relay commands, thereby increasing the resilience of the LapDogs ORB.

Testing on MIPS Platforms (LEASHTEST)
The presence of LEASHTEST underscores a cautious development approach. Although LONGLEASH represents a mature, full‑featured backdoor framework, the actor continues to run LEASHTEST on MIPS‑based devices to verify that core functionalities—such as process creation, threading, and timer handling—behave as expected across the diverse firmware implementations found in consumer and enterprise routers. This testing phase suggests that UAT‑7810 is not yet fully confident in the cross‑platform compatibility of its newest implant and wishes to avoid operational failures that could expose its infrastructure.

Implications for Secondary Threat Actors (UAT‑5918 Example)
The LapDogs ORB’s utility as a relay network is illustrated by the activity of UAT‑5918, a China‑linked APT that has conducted sustained intrusions against Taiwan’s critical‑infrastructure sector since at least 2023. By piggybacking on UAT‑7810’s infrastructure, UAT‑5918 can obscure its attack origins, bypass geographic‑based defenses, and maintain persistent footholds even when individual compromised devices are remediated. This symbiotic relationship amplifies the overall threat landscape: a single ORB‑building group can enable multiple, technically distinct campaigns, increasing the difficulty for defenders to attribute and mitigate attacks.

Recommendations and Mitigations
Defending against threats like UAT‑7810 requires a layered strategy focused on both device hardening and network‑level monitoring. Administrators should prioritize applying patches for the cited router vulnerabilities (CVE‑2020‑22653, CVE‑2020‑22658, CVE‑2023‑25717, CVE‑2025‑2492) and consider disabling unnecessary remote management interfaces where feasible. Deploying intrusion‑detection/prevention systems that flag anomalous outbound connections to unfamiliar IP ranges—especially those hosting Java JARs, ELF binaries, or unknown HTTP/SOCKS traffic—can aid in early detection. Endpoint‑behavior analytics that look for signs of passive backdoors (e.g., unexplained shellcode execution, atypical process spawning on Linux devices) are also valuable. Finally, sharing threat‑intelligence indicators related to DOGLEASH, LEASHTEST, JARLEASH, and LONGLEASH across industry ISACs can help preempt the expansion of the LapDogs ORB.

Conclusion
UAT‑7810 exemplifies a modern APT that has shifted from direct espionage to the construction and rental of a resilient offensive infrastructure. Through continual refinement of its malware—ShortLeash → LONGLEASH—and the deployment of specialized tools like DOGLEASH, LEASHTEST, and JARLEASH, the group maintains a versatile and adaptable ORB network. Its exploitation of routine router vulnerabilities highlights the persistent risk posed by unpatched edge devices, while the observed use by secondary actors such as UAT‑5918 demonstrates the strategic value of such relay networks in enabling broader, harder‑to‑trace campaigns. Organizations that secure their networking hardware, monitor for the behavioral signatures of these tools, and collaborate on threat intelligence will be best positioned to mitigate the evolving threat posed by UAT‑7810 and its associated ORB ecosystem.

SignUpSignUp form

LEAVE A REPLY

Please enter your comment!
Please enter your name here