// 1 CRITICAL · 2 ZERO-DAY · 7 CVE · 5 EXPLOIT · 1 ADVISORY IN THE LAST 24H
Cisco Talos reveals the China-nexus APT UAT-7810 is actively expanding its LapDogs Operational Relay Box (ORB) network with new malware families and a previously undocumented multi-protocol proxy architecture. The July 7, 2026 analysis details the evolution from SHORTLEASH to LONGLEASH, alongside DOGLEASH, JARLEASH, and LEASHTEST — five components signaling a shift from isolated backdoor to shared malicious infrastructure framework.

The China-nexus APT UAT-7810, tracked by Cisco Talos, is actively expanding the LapDogs Operational Relay Box (ORB) network with new malware families and a previously undocumented multi-protocol proxy architecture. On July 7, 2026, Talos published an analysis of the evolution from SHORTLEASH to LONGLEASH, together with the identification of DOGLEASH, JARLEASH, and LEASHTEST: five components that indicate a transition from isolated backdoor to shared malicious infrastructure framework.

Key Takeaways
  • UAT-7810 develops LONGLEASH, an evolution of SHORTLEASH, with HTTP/DNS/SOCKS/TCP/ICMP/UDP proxy capabilities and intermediate C2 server functionality for secondary actors.
  • The toolkit expands with DOGLEASH (C-based backdoor for arbitrary shellcode execution on Linux), JARLEASH (Java-based backdoor for file/FTP/SFTP/Netcat administration), and LEASHTEST (non-malicious test binary for MIPS platforms).
  • The actor exploits known vulnerabilities with CVSS 9.8 in Ruckus wireless routers (CVE-2020-22653, CVE-2020-22658, CVE-2023-25717) and has extended targeting to ASUS AiCloud via CVE-2025-2492.
  • Talos assesses with high confidence that UAT-7810 provides ORB infrastructure to other China-nexus APTs, including UAT-5918, which targets critical infrastructure in Taiwan.

From SHORTLEASH to LONGLEASH: The Network Proxy Framework

LONGLEASH represents not merely an update but an architectural redesign. Internally designated "nz1.0" and derived from the "ff-agent" codebase shared with SHORTLEASH, the malware comprises three components: Base, Executor, and Core. The Executor manages proxy servers for HTTP, DNS, SOCKS, TCP, ICMP, and UDP, plus packet redirection and tunneling; the Core handles authorization, protobuf serialization, and SHA functions.

The technology choices reveal attention to portability and performance on resource-constrained devices. LONGLEASH uses Boost.Asio in asynchronous mode, Nanopb for binary protobufs, MbedTLS for the TLS layer, and musl libc as the C library. The component includes Chrome 122 User-Agent spoofing to blend into standard web traffic. This build profile aligns with the goal of operating on embedded routers and IoT devices without sacrificing lightweight operation.

The ability to act as an "intermediate C2 server" — explicitly stated by Talos — transforms compromised devices from passive endpoints into active nodes of a distributed infrastructure. The model is no longer direct access to the final victim, but the construction of intermediate layers that provide anonymity and resilience to the actors who lease them.

DOGLEASH and JARLEASH: Operational Specialization

Alongside LONGLEASH, UAT-7810 has developed two families with distinct roles. DOGLEASH is a C-language backdoor designed for arbitrary shellcode execution on compromised Linux devices. Commands 0x2268 and 0x2267 trigger execution via /bin/sh -c, giving the actor flexibility to run custom payloads without updating the main binary.

JARLEASH, developed in Java, serves an administrative function: file management, FTP and SFTP transfer, and Netcat capabilities. Internal configuration comments are written in simplified Chinese, an element Talos records as a recognizable cultural indicator. The choice of Java for this component suggests deployment on administration servers with an existing runtime, likely distinct from the edge devices targeted by DOGLEASH and LONGLEASH.

LEASHTEST rounds out the picture as a non-malicious test binary for rudimentary functionality on embedded MIPS devices. Its presence is significant: as Talos observes, "even though they have developed LONGLEASH, a full-fledged backdoor framework, UAT-7810 is still actively testing functionality on MIPS platforms and may not be completely confident of its behavior on MIPS devices." This indicates development is ongoing and multi-architecture support is not yet consolidated.

Exploited Vulnerabilities: From Ruckus to ASUS

Initial access is achieved through known vulnerabilities, not zero-days, in edge network devices typically excluded from aggressive patch cycles. For Ruckus wireless routers, UAT-7810 exploits CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717, all with a CVSS 3.1 score of 9.8 (CRITICAL) and an unauthenticated remote attack vector. CVE-2023-25717 specifically concerns RCE in the Ruckus Wireless Admin panel up to version 10.4.

The expansion of the target surface is documented by the exploitation of CVE-2025-2492, an authentication bypass in ASUS AiCloud routers in the 3.0.0.4_382, 386, 388, and 3.0.0.6_102 series. Infrastructure associated with the exploit includes IP 217.15.164[.]147, already identified among four new servers hosting DOGLEASH variants compiled for MIPS, ARM, and x64. Talos cautiously qualifies the link: the IP was used "to conduct exploitation of ASUS' AiCloud Routers in early 2026 — specifically CVE-2025-2492," but does not directly and unreservedly attribute this activity to UAT-7810 versus "an associated threat actor."

The TLS server on port 99 presents a self-signed certificate with a subject_dn in which every field — C, ST, L, O, OU, CN — contains the value "exploit." The SHA-256 fingerprint is c2ab9adaba93ff094b8f3fc37d906014d870582039d276b7bd03e6fd583d8a15. This rudimentary but recognizable configuration pattern is consistent with infrastructure managed by actors who prioritize operationality over opsec.

"UAT-7810 is most likely tasked with establishing Operational Relay Box (ORB) networks that can then be leveraged by associated secondary threat actors to conduct their own malicious attacks against high value targets."

The Operational-Economic Model: Infrastructure as a Service

The central revelation of the Talos analysis concerns not just technique, but the organization of malicious labor. UAT-7810 does not appear to conduct direct attacks against high-value final victims; rather, it builds and maintains the relay infrastructure that other APTs use for their own objectives. Talos assesses with high confidence that "UAT-7810 is a China-nexus threat actor based on the infrastructure that it provides to secondary China-nexus APTs such as UAT-5918."

UAT-5918 is a separate actor, previously documented in attacks on critical infrastructure in Taiwan, with which UAT-7810 shares tooling overlaps but not operational identity. This division of labor indicates ecosystem maturation: one group specializing in mass compromise and ORB network management, other groups purchasing or receiving access for targeted operations. The model lowers the barrier to entry for actors less capable of independently developing persistent C2 infrastructure.

Why It Matters

The dossier does not specify the exact size of the compromised ORB network nor the identity of all "associated secondary threat actors" beyond UAT-5918. It also does not reveal exactly when LONGLEASH development began relative to the SHORTLEASH timeline, nor whether patches for the exploited CVEs are available and to what extent they have been applied by the installed base of Ruckus and ASUS routers.

The source does not clarify whether CVE-2025-2492 was exploited directly by UAT-7810 or by an associated actor; Talos's wording keeps this distinction open. The extracted text for LEASHTEST is incomplete, ending with the fragment "3b," which limits full understanding of the test capabilities. Finally, no specific remedial measures or vendor operational guidance for detection or mitigation are documented.

The dossier provides no data on the precise geolocation of current victims beyond the location of infrastructure servers. The nature of data exposed or transmitted through the ORB relays is not specified.

The expansion documented by Talos indicates that edge network devices — wireless routers, embedded systems, IoT platforms — have become primary vectors for persistent, shared attack infrastructures. The commoditization of custom-built ORB networks, with quality testing included and multi-architecture support, signals an industrialization that will make attribution and takedown more difficult. For organizations, the traditional security perimeter — endpoints and servers — leaves out precisely the devices that now serve as bridges for attacks against high-value targets.

Information is based on the cited advisory and current as of publication.

Information is based on the cited source and current as of publication.

Sources


Sources and references
  1. blog.talosintelligence.com
  2. nvd.nist.gov