HomeTopics 1Advanced Persistent ThreatChina-Linked UAT-7810 Expands LapDogs ORB Network with New Linux Backdoors and Enhanced...

China-Linked UAT-7810 Expands LapDogs ORB Network with New Linux Backdoors and Enhanced Malware

Date:

Related stories

spot_imgspot_imgspot_imgspot_img

China-Linked APT Evolves Its ORB Infrastructure with New Malware. A sophisticated China-linked threat actor is continuing to expand one of the internet’s most concerning covert cyber infrastructures.

Researchers at Cisco Talos have published new findings revealing that UAT-7810, the advanced persistent threat (APT) behind the LapDogs Operational Relay Box (ORB) network, has significantly upgraded its malware toolkit while expanding attacks against vulnerable internet-facing networking devices.

The latest research shows the actor is not standing still. Instead, it is actively developing new malware families, improving its command-and-control architecture, and broadening its operational infrastructure an indication that the campaign remains active and strategically important.

According to the original research published by Cisco Talos, the group continues to target unpatched networking equipment, primarily Linux-based embedded devices, transforming compromised routers into covert operational relay nodes that can later be used by other Chinese state-aligned threat actors for espionage and cyber operations.

What is UAT-7810?

UAT-7810 is an advanced persistent threat that cybersecurity researchers assess with high confidence to have links to Chinese state-sponsored cyber activity.

Rather than directly conducting espionage campaigns against victims, Talos believes UAT-7810 specializes in building and maintaining Operational Relay Box (ORB) infrastructure.

ORB networks consist of compromised internet-connected devices—particularly routers, IoT appliances and edge networking equipment that function as anonymous relay servers. These networks provide stealthy infrastructure that other threat groups can leverage to hide their activities during attacks.

Cisco Talos notes that UAT-7810 appears to provide this infrastructure to other China-nexus threat actors, including UAT-5918, although the two groups remain operationally distinct.

Four Malware Families Now Identified

The latest investigation identified four significant components of the actor’s growing malware arsenal.

LONGLEASH

The biggest discovery is LONGLEASH, an upgraded version of the previously documented SHORTLEASH malware.

Unlike its predecessor, LONGLEASH introduces substantially enhanced capabilities including:

  • Reverse shell access
  • HTTP, TCP, UDP, DNS, ICMP and SOCKS proxying
  • Network tunnel management
  • SMTP server and client functionality
  • TLS communications
  • Intermediate command-and-control relay capability
  • Self-deletion and anti-tampering features

Talos observed that LONGLEASH can even function as a secondary command-and-control server, forwarding communications between compromised devices and primary operators.

This architecture significantly improves the resilience of the ORB network while making attribution considerably more difficult.

DOGLEASH

Talos also discovered a completely new Linux backdoor named DOGLEASH.

Once deployed on a compromised networking device, DOGLEASH listens on a hidden TCP port awaiting specially crafted requests.

The malware can:

  • Execute arbitrary shell commands
  • Read files
  • Rename files
  • Collect operating system information
  • Execute shellcode directly in memory

Because it operates quietly until activated, DOGLEASH represents a stealthy persistence mechanism suitable for long-term infrastructure management.

JARLEASH

A third malware family, JARLEASH, is written in Java and primarily serves administrative purposes.

Researchers found it capable of providing:

  • Web-based file management
  • FTP services
  • Secure FTP (SFTP)
  • Netcat functionality

Configuration files included comments written in Simplified Chinese, providing additional indicators regarding the developers behind the malware.

LEASHTEST

Talos additionally identified a testing utility called LEASHTEST.

Although not malicious by itself, its presence strongly suggests an infected device.

The binary performs diagnostic testing on MIPS-based IoT hardware, indicating that UAT-7810 continues refining malware compatibility across embedded Linux platforms.

Exploiting Old Vulnerabilities Still Works

Perhaps one of the most concerning findings is that UAT-7810 continues to successfully compromise devices using years-old vulnerabilities that remain unpatched.

Talos observed exploitation of:

  • CVE-2020-22653
  • CVE-2020-22658
  • CVE-2023-25717

Researchers also linked one of the actor’s servers to exploitation attempts against ASUS AiCloud routers via CVE-2025-2492, suggesting expansion beyond previously observed Ruckus router targeting.

This serves as another reminder that attackers frequently rely on well-known vulnerabilities because many organizations still fail to patch internet-facing infrastructure.

Infrastructure Continues to Grow

Talos identified four additional servers supporting UAT-7810 operations.

These servers distribute malware compiled for multiple processor architectures including:

  • MIPS
  • ARM
  • x64

The actor uses shell scripts to automatically download and execute malware after compromising a device.

The infrastructure also hosted TLS services using suspicious self-issued certificates and attacker-controlled download servers.

Such operational improvements demonstrate a mature development lifecycle rather than opportunistic cybercrime.

Why Operational Relay Box Networks Matter

Unlike ransomware groups seeking immediate financial gain, ORB operators invest in long-term infrastructure.

Every compromised router becomes another anonymous relay node capable of:

  • Masking future attacks
  • Launching espionage operations
  • Supporting supply chain attacks
  • Hosting malware
  • Relaying command-and-control traffic

Because these devices often sit outside traditional endpoint security monitoring, infections can remain undetected for months or even years.

The result is a highly resilient hidden infrastructure supporting multiple advanced threat campaigns simultaneously.

Global Impact

The campaign is global rather than region-specific.

Organizations relying on internet-facing routers, embedded Linux devices, edge gateways, IoT appliances and enterprise networking equipment may all be potential targets.

Critical sectors include:

  • Government
  • Telecommunications
  • Internet Service Providers
  • Energy
  • Manufacturing
  • Healthcare
  • Financial Services
  • Cloud Providers

Any organization operating unpatched networking equipment could unknowingly become part of an ORB network used to attack other victims.

Why This Matters for the Middle East and Africa

Although Cisco Talos did not identify specific Middle East or African victims, the findings carry significant relevance for organizations across the region.

Many enterprises, universities, telecom operators and government agencies continue operating legacy networking hardware due to budget constraints or long replacement cycles.

As digital transformation accelerates across MEA, securing routers, IoT infrastructure and edge devices must become a strategic priority.

Compromised infrastructure within one organization could ultimately facilitate attacks against entirely different victims across the globe.

10 Recommended Security Actions

Security teams should immediately consider the following actions:

  1. Patch internet-facing routers and networking devices without delay.
  2. Audit all embedded Linux and IoT assets for unsupported firmware.
  3. Replace end-of-life networking hardware.
  4. Restrict administrative interfaces from internet exposure.
  5. Monitor unusual outbound connections from routers and edge devices.
  6. Inspect for unauthorized shell scripts or unexpected binaries.
  7. Deploy network intrusion detection capable of identifying ORB-related activity.
  8. Segment networking infrastructure from critical business systems.
  9. Continuously monitor threat intelligence feeds for newly disclosed indicators of compromise.
  10. Develop incident response procedures specifically covering networking and IoT devices—not just traditional endpoints.

Industry Perspective

The latest Talos research demonstrates a broader evolution in state-sponsored cyber operations.

Instead of directly attacking high-value organizations from government-controlled infrastructure, sophisticated actors increasingly build decentralized ecosystems of compromised devices that obscure attribution while providing resilient operational capabilities.

This trend makes defending edge infrastructure just as important as protecting endpoints, cloud workloads and identity systems.

As attackers continue investing in custom malware designed specifically for routers and embedded devices, defenders must broaden visibility beyond conventional IT assets.

Conclusion

Cisco Talos’ latest investigation into UAT-7810 illustrates a threat actor that is steadily enhancing both its malware capabilities and operational infrastructure.

The introduction of LONGLEASH, DOGLEASH, JARLEASH and LEASHTEST demonstrates ongoing investment in Linux-based tooling capable of sustaining the LapDogs Operational Relay Box network for future cyber operations.

For defenders, the message is clear: routers, IoT devices and networking appliances can no longer be treated as “set-and-forget” infrastructure. They have become prime targets for nation-state actors seeking stealth, persistence and global operational reach.

Organizations that continue delaying firmware updates or neglecting visibility into edge devices risk becoming unwitting participants in sophisticated cyber campaigns.

Source

Cisco Talos. “Tracking UAT-7810 and the evolution of the LapDogs Operational Relay Box (ORB) network.”

https://blog.talosintelligence.com/uat-7810
Ouaissou DEMBELE
Ouaissou DEMBELE
Ouaissou DEMBELE is a seasoned cybersecurity expert with over 12 years of experience, specializing in purple teaming, governance, risk management, and compliance (GRC). He currently serves as Co-founder & Group CEO of Sainttly Group, a UAE-based conglomerate comprising Saintynet Cybersecurity, Cybercory.com, and CISO Paradise. At Saintynet, where he also acts as General Manager, Ouaissou leads the company’s cybersecurity vision—developing long-term strategies, ensuring regulatory compliance, and guiding clients in identifying and mitigating evolving threats. As CEO, his mission is to empower organizations with resilient, future-ready cybersecurity frameworks while driving innovation, trust, and strategic value across Sainttly Group’s divisions. Before founding Saintynet, Ouaissou held various consulting roles across the MEA region, collaborating with global organizations on security architecture, operations, and compliance programs. He is also an experienced speaker and trainer, frequently sharing his insights at industry conferences and professional events. Ouaissou holds and teaches multiple certifications, including CCNP Security, CEH, CISSP, CISM, CCSP, Security+, ITILv4, PMP, and ISO 27001, in addition to a Master’s Diploma in Network Security (2013). Through his deep expertise and leadership, Ouaissou plays a pivotal role at Cybercory.com as Editor-in-Chief, and remains a trusted advisor to organizations seeking to elevate their cybersecurity posture and resilience in an increasingly complex threat landscape.

Subscribe

- Never miss a story with notifications

- Gain full access to our premium content

- Browse free from up to 5 devices at once

Latest stories

spot_imgspot_imgspot_imgspot_img