UAT-7810 LONGLEASH: Chinese APT Hijacks Ruckus Routers to Build Invisible Spy Network

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
UAT-7810 LONGLEASH malware has turned thousands of Ruckus and ASUS routers into autonomous command-and-control relay nodes serving at least two Chinese APT groups, according to Cisco Talos research published July 7, 2026. The China-nexus threat actor known as UAT-7810 operates the LapDogs Operational Relay Box (ORB) network, a shared spy infrastructure that routes malicious traffic through geographically local devices to defeat attribution and evade detection. LONGLEASH, a direct evolution of the earlier SHORTLEASH backdoor, gives each compromised router the ability to receive encrypted commands from an upstream controller and forward them across a layered relay chain, making the ultimate source of any sponsored attack effectively invisible to defenders.
The attack chain begins at internet-facing network devices running unpatched software. UAT-7810 exploits four documented vulnerabilities: CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 in Ruckus wireless routers, and CVE-2025-2492 in ASUS AiCloud appliances. Two of the Ruckus CVEs have been publicly known since 2020, meaning every unpatched Ruckus device in a corporate network has been exploitable for six years. LONGLEASH installs as a persistent backdoor, and the compromised device immediately joins the LapDogs relay grid. A second threat actor, UAT-5918, has been documented using the same ORB infrastructure to conduct its own intrusion campaigns against separate targets.
The UAT-7810 LONGLEASH campaign is particularly dangerous for three reasons. First, ORB networks make traditional IP-based IOCs near-useless because relay nodes rotate continuously. Second, the malware is purpose-built to look like legitimate protocol traffic on the wire. Third, the infrastructure serves as a shared platform for other Chinese APT groups, meaning compromise of your network perimeter routers may be enabling nation-state espionage campaigns your organization will never directly observe. Cisco Talos has documented 62-plus unique DOGLEASH malware hashes and four active C2 IP addresses in the LapDogs infrastructure as of July 2026.
How Does the UAT-7810 LONGLEASH ORB Network Work?
An Operational Relay Box (ORB) network is a distributed infrastructure of compromised internet-facing devices that routes malicious traffic through geographically local nodes, making an APT group's activity appear to originate from trusted regional sources. UAT-7810 operates the LapDogs ORB network by chaining infected Ruckus routers into a multi-hop relay architecture. Traffic enters through an upstream controller, passes through one or more intermediate relay nodes, and exits at a device geographically proximate to the target. At no point does the malicious connection directly touch the threat actor's actual infrastructure.
LONGLEASH is the linchpin of this design. The malware installs on the compromised router and acts simultaneously as a slave node receiving instructions from a controller and as an intermediate C2 server forwarding instructions to other infected devices. This dual-role capability, absent from the earlier SHORTLEASH backdoor, is what enables the layered chain architecture. LONGLEASH supports six proxy protocols: HTTP, DNS, SOCKS, TCP, ICMP, and UDP. Each protocol option allows the malware to blend traffic into the legitimate protocol mix of a given network, with ICMP tunneling particularly effective in environments that block outbound TCP.
The ORB network serves more than one threat actor. UAT-7810 builds and maintains the LapDogs infrastructure, and associated China-nexus groups including UAT-5918 use the relay capacity to conduct their own intrusion operations. Mandiant's analysis of China-aligned ORB networks shows that IOC-based defenses are increasingly ineffective because relay nodes are continuously cycled. Defenders who rely solely on blocking known malicious IPs will miss ORB-routed traffic entirely.
June 2025: LapDogs ORB network first disclosed
SecurityScorecard identifies and names the LapDogs ORB network, linking it to UAT-7810. SHORTLEASH is the primary backdoor at this stage, providing basic proxying capabilities for China-aligned secondary threat actors.
Early 2026: ASUS AiCloud routers added to ORB pool
UAT-7810 begins exploiting CVE-2025-2492, an authentication bypass in ASUS AiCloud routers, broadening the ORB network beyond Ruckus hardware and increasing the relay node count available to associated APT groups.
July 7, 2026: Talos publishes LONGLEASH and 3 new tools
Cisco Talos discloses LONGLEASH, DOGLEASH, JARLEASH, and LEASHTEST, revealing that UAT-7810 has significantly upgraded their toolset with autonomous C2 relay functionality and passive backdoor capabilities active at scale.
UAT-7810's Four-Tool Arsenal: Built for Silent, Long-Term Router Access
UAT-7810 deploys four specialized malware families, each purpose-built for a distinct role in the compromise lifecycle. LONGLEASH is the primary network relay tool. DOGLEASH is the passive backdoor that provides persistent command execution on compromised Linux devices. JARLEASH is a Java-based administrator tool deployed for file management, FTP and SFTP server deployment, and Netcat functionality. LEASHTEST is a MIPS architecture testing binary used to verify that a target device is suitable for full compromise before deployment.
LONGLEASH is the most technically sophisticated of the four. The MIPS-compiled version uses the asynchronous Boost.Asio library to maximize network throughput and minimize blocking time, a design choice indicating active performance engineering. The malware's reverse shell capability gives an operator direct system access, while the self-removal function destroys all compromise evidence if tampering is detected. JARLEASH configuration files contain comments written in Simplified Chinese, a hard attribution indicator placing development within a Chinese-language operational environment.
DOGLEASH operates as a passive socket listener, meaning it generates no outbound traffic until an operator connects to it. The 62-plus unique hashes documented by Talos indicate that UAT-7810 regularly compiles fresh DOGLEASH variants to defeat signature-based antivirus detection. Each variant is functionally identical: it executes arbitrary shellcode in memory, reads files, renames files to create backups before modification, and retrieves OS metadata for device fingerprinting. Cisco Talos released five ClamAV detection signatures and five Snort rules covering LONGLEASH and DOGLEASH across multiple CPU architectures.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Who Is UAT-7810? Origin, Attribution, and Chinese State Connections
UAT-7810 is a China-nexus advanced persistent threat group that Cisco Talos assesses with high confidence is aligned with Chinese state interests. The group's primary mission is not traditional espionage but infrastructure provisioning: building and maintaining the LapDogs ORB network so that secondary China-aligned threat actors can conduct high-value intrusions while hiding behind geographically local relay traffic. This service-provider model for state-sponsored espionage makes UAT-7810 an enabler rather than a direct perpetrator, and attribution of downstream attacks to the correct actor correspondingly harder for defenders.
The strongest attribution indicator is linguistic. JARLEASH configuration files contain code comments written in Simplified Chinese, an artifact indicating the tool was developed by a native Simplified Chinese speaker or a team working in a Chinese-language environment. Secondary indicators include the operational overlap with UAT-5918, a separate China-nexus intrusion group documented using the LapDogs ORB relay capacity for its own campaigns. The tool-sharing relationship suggests either a collaborative structure or shared development infrastructure within the broader Chinese APT ecosystem.
UAT-7810 follows the playbook for China-nexus ORB network operators documented by Mandiant: shifting infrastructure responsibility from direct procurement to large-scale compromise of SOHO routers and IoT devices, continuously refreshing the node pool to defeat IOC-based defenses. Similar persistent infrastructure patterns have been documented in other nation-state actor profiles, including APT campaigns targeting critical infrastructure and power sector organizations that share the same long-dwell-time backdoor approach. No public indictment or OFAC sanction has named UAT-7810 or any individual operator as of July 2026.
“UAT-7810 is most likely tasked with establishing Operational Relay Box networks that can then be leveraged by associated secondary threat actors to conduct their own malicious attacks against high-value targets.”
Cisco Talos Intelligence, July 2026
UAT-7810 TTPs Mapped to MITRE ATT&CK
UAT-7810 uses a focused set of techniques reflecting the group's infrastructure-building mission. The tactics span initial access, command and control, and defense evasion, with each technique selected to maximize the operational lifespan of a compromised relay node.
T1190 (Exploit Public-Facing Application) is UAT-7810's primary initial access technique. The group targets internet-exposed network management interfaces on Ruckus and ASUS routers with published CVEs, prioritizing devices unlikely to receive rapid patching from SMB and enterprise network operations teams. The exploitation phase requires no user interaction and leaves minimal forensic evidence on the device.
T1090 (Proxy) is the core operational technique. LONGLEASH converts each compromised device into a multi-protocol proxy that forwards traffic for upstream APT groups. By chaining relay nodes across different geographic regions, UAT-7810 ensures that the ultimate source of a sponsored intrusion resolves to a geographically plausible IP near the target, defeating geolocation-based threat intelligence blocking.
T1071 (Application Layer Protocol) covers LONGLEASH's use of HTTP, DNS, SOCKS, TCP, ICMP, and UDP as carrier protocols for C2 communications. DNS and ICMP tunneling are particularly evasive: most perimeter security tools focus on TCP and HTTP traffic, and ICMP-encapsulated command channels are frequently allowed through restrictive firewall policies.
T1070 (Indicator Removal) applies to LONGLEASH's self-removal capability: the malware deletes itself from the device if tampering is detected, eliminating forensic artifacts and forcing investigators to reconstruct activity from network logs. Nation-state actors increasingly blend network intrusion with supply chain staging, a pattern also documented in nation-state supply chain attacks targeting developer toolchains.
LapDogs ORB Network: Active Infrastructure and IOCs to Block Today
Active C2 infrastructure confirmed by Cisco Talos includes four IP addresses currently serving LONGLEASH command traffic. These addresses communicate via three ports, 99, 2222, and 8088, with the multi-port design allowing the malware to fall back to an alternative port if one is blocked at the perimeter. The infrastructure resolves to hosting providers across multiple jurisdictions, consistent with the ORB network pattern of distributing relay capacity across geographically dispersed nodes to complicate takedown operations.
Snort signatures are available for immediate deployment. SIDs 66430, 66431, 66432, 66433, and 301493 cover LONGLEASH and DOGLEASH traffic patterns at the packet level. ClamAV coverage includes 10 signatures across MIPS, ARM, and x64 architectures, addressing the router chipset diversity that UAT-7810 targets. Network defenders should prioritize deploying these signatures at perimeter inspection points where router management traffic crosses into the enterprise network.
Behavioral hunting indicators include unusual multi-protocol traffic from network devices, ICMP volume spikes from routers that should only generate management protocol traffic, and SMTP connections originating from network infrastructure. A router sending or receiving SMTP traffic is a near-certain indicator of LONGLEASH compromise, as SMTP is one of LONGLEASH's built-in relay modes and has no legitimate function on a standard enterprise router.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Which Organizations Face the Highest UAT-7810 Exposure
UAT-7810 does not target organizations directly for data theft. The group targets the network perimeter devices of any organization operating unpatched Ruckus or ASUS routers connected to the internet. Once compromised, those devices become relay nodes that serve other Chinese APT groups conducting targeted espionage. Any organization with unpatched network infrastructure may be unknowingly hosting a component of a Chinese state espionage operation, even if that organization is not itself a high-value intelligence target.
The highest-risk organizations are those with internet-facing Ruckus RuckOS devices that have not received patches addressing CVE-2020-22653, CVE-2020-22658, or CVE-2023-25717. Ruckus issued patches for the 2020 CVEs years ago, but adoption remains incomplete across SMB deployments and legacy campus network installations. The ASUS AiCloud vulnerability CVE-2025-2492 is more recent, but AiCloud deployments in manufacturing and remote-work environments are often managed by teams without a formal vulnerability management program.
The secondary threat actors using LapDogs relay capacity have historically targeted critical infrastructure, government agencies, and defense contractors. Organizations in those sectors face a compounded risk: their own perimeter devices may be compromised by UAT-7810 to serve as ORB nodes, and the same relay network is actively routing attacks against their sector peers.
Detecting and Hunting UAT-7810 LONGLEASH Activity in Your Environment
Detection of UAT-7810 LONGLEASH activity requires looking at both endpoint indicators on network devices and behavioral network patterns. DOGLEASH's passive listener architecture generates no outbound traffic until an operator connects, so standard egress monitoring alone is insufficient. Defenders need inbound traffic inspection on router management interfaces combined with anomaly detection on ICMP and DNS volumes.
Cisco Talos Snort signatures (SIDs 66430-66433 and 301493) are the most direct detection mechanism. These signatures identify LONGLEASH command traffic patterns and DOGLEASH communication sequences at the packet level. Deploying these signatures at border inspection points on traffic crossing from the perimeter router segment into the enterprise network will surface active relay activity.
For threat hunting, query your SIEM for historical connections to the four confirmed C2 IPs over any time window: 194.233.92.26, 217.15.160.247, 217.15.164.147, and 95.182.100.231. Any connection from a network device to these addresses should be treated as a confirmed compromise requiring immediate incident response. LONGLEASH's SMTP functionality is particularly anomalous and easy to detect: query for SMTP traffic originating from router management IP addresses across your entire historical log archive.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
UAT-7810 LONGLEASH malware represents a structural threat to network perimeter security: every unpatched Ruckus or ASUS AiCloud router is a potential relay node in a Chinese state espionage infrastructure your organization will never directly see. The three key takeaways for defenders are these: patch CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, and CVE-2025-2492 immediately regardless of your sector; deploy the Talos Snort SIDs and block the four confirmed C2 IPs today; and shift your network device patching cadence to treat router firmware updates with the same urgency as endpoint OS patches. This week, audit every internet-facing router in your environment and confirm patch status.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is UAT-7810 and what does it do?
UAT-7810 is a China-nexus advanced persistent threat group that builds and operates the LapDogs Operational Relay Box network. The group compromises internet-facing Ruckus and ASUS routers using published vulnerabilities, installs LONGLEASH malware, and aggregates the infected devices into shared covert proxy infrastructure. Secondary China-aligned APT groups use this relay network to route their own espionage operations through geographically local exit nodes, making attribution far harder for defenders.
What is LONGLEASH malware and how does it work?
LONGLEASH is a backdoor developed by UAT-7810 that evolves from the earlier SHORTLEASH tool. It installs on compromised Ruckus or ASUS routers and gives each device dual functionality: it receives encrypted commands from an upstream controller and relays those commands to other infected devices in a chain. LONGLEASH supports six proxy protocols including HTTP, DNS, SOCKS, TCP, ICMP, and UDP, provides a reverse shell to the operator, and removes itself from the device if tampering is detected.
What is an ORB network in cybersecurity?
An Operational Relay Box network is a distributed botnet of compromised internet-facing devices, typically home routers, IoT appliances, and edge networking equipment. APT groups use ORB networks to route malicious traffic through multiple geographic hops, making the attack appear to originate from a legitimate regional IP address near the target. ORB networks defeat traditional IOC-based defenses because relay node IP addresses change continuously and may belong to legitimate organizations.
Which routers are vulnerable to UAT-7810 attacks?
UAT-7810 actively exploits four vulnerabilities: CVE-2020-22653 and CVE-2020-22658 in Ruckus wireless routers, CVE-2023-25717 (remote code execution) in Ruckus routers, and CVE-2025-2492 (authentication bypass) in ASUS AiCloud routers. Any organization running unpatched Ruckus or ASUS AiCloud hardware with internet-facing management interfaces is at risk of becoming an involuntary relay node in the LapDogs ORB network.
How can I detect UAT-7810 LONGLEASH activity?
Deploy Cisco Talos Snort signatures SID 66430 through 66433 and SID 301493 on your perimeter IDS/IPS. Block the four confirmed C2 IP addresses: 194.233.92.26, 217.15.160.247, 217.15.164.147, and 95.182.100.231. Behavioral hunting indicators include ICMP tunneling from router management interfaces, SMTP traffic originating from network devices, and simultaneous connection attempts on ports 99, 2222, and 8088 from a single device.
Is UAT-7810 linked to the Chinese government?
Cisco Talos assesses with high confidence that UAT-7810 is a China-nexus group operating in alignment with Chinese state interests. Attribution evidence includes Simplified Chinese code comments in JARLEASH configuration files and operational overlap with UAT-5918, another documented China-aligned APT. No public indictment or OFAC sanction has named UAT-7810 or its operators as of July 2026. The infrastructure-provisioning model is consistent with the Chinese intelligence community's compartmentalized operational structure.
Has UAT-7810 been indicted or sanctioned?
No. As of July 2026, no US government indictment, OFAC sanction, or Five Eyes joint advisory has publicly named UAT-7810 or attributed specific operators to the group. The Cisco Talos report published July 7, 2026 is the primary public technical disclosure. The lack of indictment reflects the difficulty of attributing infrastructure-provisioning operations and the compartmentalized nature of Chinese APT ecosystem relationships.
Why are ORB network IOCs less useful than traditional threat intelligence?
ORB networks continuously cycle their relay node IP addresses, rotating through compromised devices globally. By the time an IOC list is published, many of the listed IPs may have already been replaced with fresh nodes. Mandiant and Google Threat Intelligence Group have documented this pattern across multiple China-nexus ORB operators, recommending that defenders shift from IOC-based blocking to behavioral detection and anomaly analysis of network device traffic as the primary defense against ORB-routed intrusions.
Sources & references
- Cisco Talos Intelligence: UAT-7810 Continues Building ORB Networks Using New Malware
- BleepingComputer: Chinese Hackers Develop LONGLEASH Malware to Expand ORB Network
- The Hacker News: China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware
- Google Cloud: IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
