DEV Community

Mark0
Mark0

Posted on

China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware

UAT-7810, a Chinese advanced persistent threat (APT) actor, is actively evolving its custom malware toolkit to expand its Operational Relay Box (ORB) network, known as LapDogs. This network, first identified in June 2025, is leveraged by associated secondary threat actors, such as UAT-5918, to establish persistent access in high-value targets, including critical infrastructure entities in Taiwan. The group's primary objective appears to be the proliferation and maintenance of this ORB infrastructure for broader malicious campaigns.

The threat actor has significantly enhanced its malware arsenal, introducing a newer version of ShortLeash, codenamed LONGLEASH, which includes advanced functionalities like proxying through various protocols and acting as an intermediate command-and-control (C2) server. Additionally, Cisco Talos researchers uncovered previously unreported tools: DOGLEASH, a passive backdoor for Linux devices capable of executing arbitrary shellcode, and LEASHTEST, an ELF binary used for testing new features on MIPS-based embedded devices. A Java-based backdoor, JARLEASH, was also found to be used for administrative purposes.

UAT-7810's attack chains exploit known vulnerabilities in unpatched networking devices, specifically targeting Ruckus wireless routers (e.g., CVE-2020-22653, CVE-2020-22658, CVE-2023-25717) and ASUS AiCloud Routers (CVE-2025-2492). The continuous development of their tools, including the use of LEASHTEST, underscores their ongoing efforts to refine and broaden their ORB network capabilities, indicating a persistent and adaptive threat.


Read Full Article

Top comments (0)