China-Linked APT Evolves Its ORB Infrastructure with New Malware. A sophisticated China-linked threat actor is continuing to expand one of the internet’s most concerning covert cyber infrastructures.
Researchers at Cisco Talos have published new findings revealing that UAT-7810, the advanced persistent threat (APT) behind the LapDogs Operational Relay Box (ORB) network, has significantly upgraded its malware toolkit while expanding attacks against vulnerable internet-facing networking devices.
The latest research shows the actor is not standing still. Instead, it is actively developing new malware families, improving its command-and-control architecture, and broadening its operational infrastructure an indication that the campaign remains active and strategically important.
According to the original research published by Cisco Talos, the group continues to target unpatched networking equipment, primarily Linux-based embedded devices, transforming compromised routers into covert operational relay nodes that can later be used by other Chinese state-aligned threat actors for espionage and cyber operations.
What is UAT-7810?
UAT-7810 is an advanced persistent threat that cybersecurity researchers assess with high confidence to have links to Chinese state-sponsored cyber activity.
Rather than directly conducting espionage campaigns against victims, Talos believes UAT-7810 specializes in building and maintaining Operational Relay Box (ORB) infrastructure.
ORB networks consist of compromised internet-connected devices—particularly routers, IoT appliances and edge networking equipment that function as anonymous relay servers. These networks provide stealthy infrastructure that other threat groups can leverage to hide their activities during attacks.
Cisco Talos notes that UAT-7810 appears to provide this infrastructure to other China-nexus threat actors, including UAT-5918, although the two groups remain operationally distinct.
Four Malware Families Now Identified
The latest investigation identified four significant components of the actor’s growing malware arsenal.
LONGLEASH
The biggest discovery is LONGLEASH, an upgraded version of the previously documented SHORTLEASH malware.
Unlike its predecessor, LONGLEASH introduces substantially enhanced capabilities including:
- Reverse shell access
- HTTP, TCP, UDP, DNS, ICMP and SOCKS proxying
- Network tunnel management
- SMTP server and client functionality
- TLS communications
- Intermediate command-and-control relay capability
- Self-deletion and anti-tampering features
Talos observed that LONGLEASH can even function as a secondary command-and-control server, forwarding communications between compromised devices and primary operators.
This architecture significantly improves the resilience of the ORB network while making attribution considerably more difficult.
DOGLEASH
Talos also discovered a completely new Linux backdoor named DOGLEASH.
Once deployed on a compromised networking device, DOGLEASH listens on a hidden TCP port awaiting specially crafted requests.
The malware can:
- Execute arbitrary shell commands
- Read files
- Rename files
- Collect operating system information
- Execute shellcode directly in memory
Because it operates quietly until activated, DOGLEASH represents a stealthy persistence mechanism suitable for long-term infrastructure management.
JARLEASH
A third malware family, JARLEASH, is written in Java and primarily serves administrative purposes.
Researchers found it capable of providing:
- Web-based file management
- FTP services
- Secure FTP (SFTP)
- Netcat functionality
Configuration files included comments written in Simplified Chinese, providing additional indicators regarding the developers behind the malware.
LEASHTEST
Talos additionally identified a testing utility called LEASHTEST.
Although not malicious by itself, its presence strongly suggests an infected device.
The binary performs diagnostic testing on MIPS-based IoT hardware, indicating that UAT-7810 continues refining malware compatibility across embedded Linux platforms.
Exploiting Old Vulnerabilities Still Works
Perhaps one of the most concerning findings is that UAT-7810 continues to successfully compromise devices using years-old vulnerabilities that remain unpatched.
Talos observed exploitation of:
- CVE-2020-22653
- CVE-2020-22658
- CVE-2023-25717
Researchers also linked one of the actor’s servers to exploitation attempts against ASUS AiCloud routers via CVE-2025-2492, suggesting expansion beyond previously observed Ruckus router targeting.
This serves as another reminder that attackers frequently rely on well-known vulnerabilities because many organizations still fail to patch internet-facing infrastructure.
Infrastructure Continues to Grow
Talos identified four additional servers supporting UAT-7810 operations.
These servers distribute malware compiled for multiple processor architectures including:
- MIPS
- ARM
- x64
The actor uses shell scripts to automatically download and execute malware after compromising a device.
The infrastructure also hosted TLS services using suspicious self-issued certificates and attacker-controlled download servers.
Such operational improvements demonstrate a mature development lifecycle rather than opportunistic cybercrime.
Why Operational Relay Box Networks Matter
Unlike ransomware groups seeking immediate financial gain, ORB operators invest in long-term infrastructure.
Every compromised router becomes another anonymous relay node capable of:
- Masking future attacks
- Launching espionage operations
- Supporting supply chain attacks
- Hosting malware
- Relaying command-and-control traffic
Because these devices often sit outside traditional endpoint security monitoring, infections can remain undetected for months or even years.
The result is a highly resilient hidden infrastructure supporting multiple advanced threat campaigns simultaneously.
Global Impact
The campaign is global rather than region-specific.
Organizations relying on internet-facing routers, embedded Linux devices, edge gateways, IoT appliances and enterprise networking equipment may all be potential targets.
Critical sectors include:
- Government
- Telecommunications
- Internet Service Providers
- Energy
- Manufacturing
- Healthcare
- Financial Services
- Cloud Providers
Any organization operating unpatched networking equipment could unknowingly become part of an ORB network used to attack other victims.
Why This Matters for the Middle East and Africa
Although Cisco Talos did not identify specific Middle East or African victims, the findings carry significant relevance for organizations across the region.
Many enterprises, universities, telecom operators and government agencies continue operating legacy networking hardware due to budget constraints or long replacement cycles.
As digital transformation accelerates across MEA, securing routers, IoT infrastructure and edge devices must become a strategic priority.
Compromised infrastructure within one organization could ultimately facilitate attacks against entirely different victims across the globe.
10 Recommended Security Actions
Security teams should immediately consider the following actions:
- Patch internet-facing routers and networking devices without delay.
- Audit all embedded Linux and IoT assets for unsupported firmware.
- Replace end-of-life networking hardware.
- Restrict administrative interfaces from internet exposure.
- Monitor unusual outbound connections from routers and edge devices.
- Inspect for unauthorized shell scripts or unexpected binaries.
- Deploy network intrusion detection capable of identifying ORB-related activity.
- Segment networking infrastructure from critical business systems.
- Continuously monitor threat intelligence feeds for newly disclosed indicators of compromise.
- Develop incident response procedures specifically covering networking and IoT devices—not just traditional endpoints.
Industry Perspective
The latest Talos research demonstrates a broader evolution in state-sponsored cyber operations.
Instead of directly attacking high-value organizations from government-controlled infrastructure, sophisticated actors increasingly build decentralized ecosystems of compromised devices that obscure attribution while providing resilient operational capabilities.
This trend makes defending edge infrastructure just as important as protecting endpoints, cloud workloads and identity systems.
As attackers continue investing in custom malware designed specifically for routers and embedded devices, defenders must broaden visibility beyond conventional IT assets.
Conclusion
Cisco Talos’ latest investigation into UAT-7810 illustrates a threat actor that is steadily enhancing both its malware capabilities and operational infrastructure.
The introduction of LONGLEASH, DOGLEASH, JARLEASH and LEASHTEST demonstrates ongoing investment in Linux-based tooling capable of sustaining the LapDogs Operational Relay Box network for future cyber operations.
For defenders, the message is clear: routers, IoT devices and networking appliances can no longer be treated as “set-and-forget” infrastructure. They have become prime targets for nation-state actors seeking stealth, persistence and global operational reach.
Organizations that continue delaying firmware updates or neglecting visibility into edge devices risk becoming unwitting participants in sophisticated cyber campaigns.
Source
Cisco Talos. “Tracking UAT-7810 and the evolution of the LapDogs Operational Relay Box (ORB) network.”




