A China-affiliated hacking cluster that specializes in building covert espionage highways — not collecting data itself, but running the infrastructure other Chinese state-aligned groups use to stay hidden — has fielded a significantly upgraded malware toolkit targeting enterprise wireless routers, Cisco Talos researchers disclosed Tuesday. The group, tracked as UAT-7810, has deployed a new implant called LONGLEASH that gives it something its predecessor lacked: the ability to turn a single compromised Ruckus access point into an autonomous command-and-control relay node, receiving instructions from an upstream controller and forwarding them to other infected devices in a layered chain that keeps the campaign’s true origin servers insulated from detection.
For any organization running Ruckus or ASUS AiCloud networking hardware — and Ruckus is dominant in higher education, hospitality, and healthcare — the Talos report published this week is an immediate action item, not background reading.
What UAT-7810 Actually Does — and Why It Is Harder to Stop Than a Standard Hacker Group
Most China-linked hacking groups break into systems to steal data. UAT-7810 does something more operationally significant: it builds and maintains the relay infrastructure that other China-aligned groups use to conduct their own attacks while hiding their tracks. Cisco Talos assesses with high confidence that UAT-7810 is a China-nexus threat actor, based on the relay services it provides to secondary China-aligned advanced persistent threat groups including UAT-5918 — a cluster that Talos separately documented in 2025 as conducting sustained espionage against Taiwan’s telecommunications, healthcare, and information technology sectors.
The network UAT-7810 operates belongs to a category known in threat intelligence as an Operational Relay Box (ORB) network — a mesh of compromised legitimate devices that sits between an attacker’s true command-and-control servers and their targets. UAT-7810’s specific ORB cluster was first publicly documented by SecurityScorecard in 2025 under the name LapDogs in SecurityScorecard’s LapDogs STRIKE report. What the Talos report adds is a detailed picture of the malware engine now powering that network — and a warning that the engine has been substantially upgraded.
Why ORB Networks Make Standard Cyber Defenses Unreliable
The core threat that ORB networks pose is not theft — it is the structural defeat of the most common enterprise defense: blocking known-bad IP addresses. When UAT-7810 routes attack traffic through a compromised Ruckus access point at a university, the traffic defenders see at the next target appears to originate from a legitimate academic institution’s networking device. Blocking that IP means blocking a university, not blocking China. Seizing it as evidence yields one relay hop, not the true origin infrastructure. Mandiant’s 2024 ORB network analysis first documented this structural problem publicly in May 2024, warning that the industry’s standard IoC (indicator of compromise) feed paradigm — which centers on known-bad IP lists — becomes materially less effective when the “attacker IPs” belong to victim organizations.
LONGLEASH’s new intermediate C2 relay capability deepens this problem. A previous-generation ORB implant could receive commands and execute tasks on the local compromised device. LONGLEASH can now do that and relay those commands downstream to peer implants on other infected devices — meaning a single compromised Ruckus router can function as a sub-command-server for additional infected hardware, creating a multi-hop chain where every intermediate node that defenders might discover leads only to the next hop.
How LONGLEASH Was Built to Run on a Router
Understanding why LONGLEASH is technically significant requires understanding the engineering constraints of running sophisticated malware on embedded networking hardware. A Ruckus wireless access point is not a server. It typically runs a minimal Linux distribution on a MIPS-architecture processor — a RISC design built for low power and high throughput in networking tasks, not for the kind of general-purpose computing that most malware assumes.
UAT-7810’s developers built LONGLEASH to fit this environment specifically. For MIPS processor builds, the implant uses Boost.Asio, an asynchronous I/O library that allows LONGLEASH to handle multiple concurrent network tasks — proxy tunnels, C2 connections, TLS sessions — without blocking the processor while waiting for network operations to complete. Blocking I/O would stall a constrained embedded CPU; asynchronous I/O allows the implant to juggle tasks efficiently on hardware with limited processing headroom.
The rest of the library stack is equally deliberate. LONGLEASH uses Nanopb instead of the full Google Protocol Buffers library to process command messages — Nanopb is a minimal C implementation designed specifically for memory-constrained embedded systems. For TLS and x509 certificate management, it uses MbedTLS rather than OpenSSL, again choosing the lightweight embedded-systems alternative. And instead of the standard GNU C library, LONGLEASH uses musl, a minimal libc that implements standard C functions over Linux system calls with a far smaller footprint. The result is an implant that can run persistently on enterprise networking hardware that was never designed to host a multi-protocol espionage toolkit.
LONGLEASH’s functional architecture divides across three modules. The Base module handles encoding and logging — including Base58 and Base64 encoding routines used for communication obfuscation. The Core module manages node identity, authorization, task scheduling, and the protobuf message processing that structures commands. The Executor module is where the operational capability lives: it supports a reverse shell back to the attacker, proxy servers across six protocols (HTTP, DNS, SOCKS, TCP, ICMP, and UDP), packet redirection, an SMTP server and client, TLS and public key infrastructure management, client authorization and routing, and the self-removal function that triggers if the implant detects suspicious connections or tampering.
That self-removal capability means that network defenders who try to investigate a suspected ORB node without first capturing a forensic image may find the implant has already cleaned itself up.
Three More Tools in the Arsenal
LONGLEASH is not the only new capability Cisco Talos documented. Researchers identified three additional tools UAT-7810 has added to its toolkit, each serving a distinct role in the operation.
DOGLEASH is a compact C-language backdoor deployed on compromised Linux networking devices through startup shell scripts. Once deployed, it opens a listening TCP port and decodes inbound connections using a hardcoded password. Its command table covers shell execution, file reading, file renaming, network listener management, OS information retrieval, and — through a catch-all command code — arbitrary in-memory code execution. The hardcoded password authentication is simple but effective against passive scanning: the port looks like any other listening service until a properly authenticated connection arrives.
JARLEASH is a Java-based (JAR package) backdoor that UAT-7810 deploys both on its own attacker-controlled servers and on compromised systems where a Java runtime is available. It provides web-based file management, FTP and SFTP servers, and Netcat functionality — essentially a remote administration toolkit for operating compromised systems. Talos found a significant piece of attribution evidence inside JARLEASH: its configuration file contains comments written in Simplified Chinese, directly indicating that the operators are native Chinese-language speakers.
LEASHTEST is a Linux ELF binary that Talos describes as a capability probe — it checks whether a target MIPS IoT device can create threads, bind TCP listeners, fork child processes, and handle asynchronous timers. These are exactly the capabilities LONGLEASH depends on. Talos interprets the existence of LEASHTEST as a sign that UAT-7810 is still testing and refining LONGLEASH’s behavior on MIPS hardware across different device models, and is not yet fully confident of its stability on all MIPS variants. The implication is that LONGLEASH development is ongoing and the toolkit is likely to continue expanding.
How Routers Get Compromised: Deferred Patches, Not Zero-Days
The entire UAT-7810 campaign runs not on sophisticated zero-day exploits but on known, long-patched vulnerabilities that organizations have simply not applied. Talos identified three CVEs being weaponized against Ruckus hardware: CVE-2020-22653 and CVE-2020-22658 (both from 2020) and CVE-2023-25717 on the National Vulnerability Database — a remote code execution flaw in Ruckus Wireless Admin version 10.4 and earlier, rated critical at CVSS 9.8, that allows an unauthenticated attacker to execute arbitrary code via a single HTTP GET request with no credentials and no user interaction required. CISA added CVE-2023-25717 to its Known Exploited Vulnerabilities catalog, meaning it carries a federal patch mandate for US government agencies. Patches have been available since February 2023.
UAT-7810 has also linked one of its four C2 servers — specifically the IP address 217.15.164[.]147, a server residing in China-adjacent IP space — to the exploitation of ASUS AiCloud routers through CVE-2025-2492 on the National Vulnerability Database, a 2026 authentication bypass vulnerability. This cross-vendor targeting signals that UAT-7810 is actively working to diversify its ORB network beyond Ruckus equipment and expand the pool of compromised relay nodes.
Four attacker-controlled servers were identified, hosting DOGLEASH variants compiled for MIPS, ARM, and x64 architectures, with the fourth server confirmed at IP address 95.182.100[.]231, located in Hong Kong. Two of the servers operated a TLS listener on port 99 using a self-signed certificate with the distinctive subject field “C=exploit, ST=exploit, L=exploit, O=exploit, OU=exploit, CN=exploit” — an operational signature that defenders can hunt for.
Why Ruckus Deployments in Education, Healthcare, and Hospitality Are Specifically at Risk
Ruckus wireless access points and controllers are the dominant enterprise Wi-Fi platform in higher education, hospitality, and healthcare — the same sectors that make attractive targets for an actor building a regional relay network. The strategic value of an ORB node is directly proportional to how “normal” its traffic looks and how trusted its IP address is. A router at a research university, a hotel, or a hospital is a natural choice: the IP is trusted, the traffic volume is high enough that additional relay traffic blends in, and deferred firmware maintenance is common in institutions with limited IT staffing.
For UAT-7810, a compromised router in those sectors is worth more as a relay node than as a source of local network data. The ORB network’s value comes from geographic and institutional distribution: the more diverse the compromised node pool, the harder it is for any single defender, ISP, or government to isolate and block the full relay chain.
What Security Teams Should Do Right Now
Cisco Talos’ UAT-7810 indicator package published a full indicator-of-compromise package alongside the report, including Snort detection signatures (SIDs 66430, 66431, 66432, 66433, and 301493), ClamAV malware signatures covering LONGLEASH, DOGLEASH, and JARLEASH across MIPS, ARM, x64, and multiple MIPS subarchitectures, and the four C2 server IP addresses.
Security teams running Ruckus equipment should apply the latest vendor firmware immediately, with no exceptions for devices still awaiting a maintenance window. CVE-2023-25717 has been actively exploited since at least 2023 and is currently on CISA’s Known Exploited Vulnerabilities catalog.
Beyond patching, defenders should audit iptables rules on all internet-facing routers for unexpected TCP listener entries — DOGLEASH creates these entries via startup script. Any TLS session on port 99, particularly those with the certificate subject containing “exploit” strings, should be treated as a confirmed compromise indicator. Proxy tunnel traffic that does not match expected device behavior — particularly SOCKS, DNS-over-TCP, or ICMP-encapsulated connections from a device that has no business creating them — warrants immediate investigation. LONGLEASH also spoofs a Windows Chrome 122 browser User-Agent string from embedded Linux devices, which creates a detectable mismatch between the claimed user agent and the actual device type in traffic logs.
Any Ruckus or ASUS device suspected of compromise should be forensically imaged before remediation. Self-removal is a documented LONGLEASH capability, and cleaning a device without first capturing its runtime state will destroy the evidence needed to identify lateral movement into the broader network environment.
Frequently Asked Questions
What is an ORB network and why does it make Chinese cyberattacks harder to stop?
An Operational Relay Box network is a mesh of compromised legitimate devices — enterprise routers, access points, servers — that routes attack traffic so that it appears to come from trusted regional infrastructure rather than from attacker-controlled servers. When UAT-7810 routes attack traffic through a Ruckus router at a US university, the traffic a target organization’s firewall sees appears to originate from a legitimate academic institution. Blocking that IP means disrupting the university’s connectivity, not the attacker’s. Traditional threat intelligence defenses that center on blocking known-bad IP addresses are structurally less effective against this approach, because the “attacker IPs” are victim organizations’ devices. Google Mandiant’s 2024 analysis of Chinese ORB network use argued that defenders need to shift from treating ORB node IPs as standard indicators of compromise and instead track ORB networks as persistent, evolving adversarial entities.
Is my organization’s Ruckus hardware vulnerable to UAT-7810’s attacks?
If your organization operates Ruckus Wireless Admin version 10.4 or earlier and has not applied the vendor patch for CVE-2023-25717 — available since February 2023 — the answer is yes. That vulnerability has a CVSS score of 9.8 (critical), requires no attacker credentials and no user interaction, and is currently listed on CISA’s Known Exploited Vulnerabilities catalog with confirmed active exploitation. UAT-7810 has been targeting unpatched Ruckus devices since at least 2025. ASUS AiCloud router operators should also check their firmware status against CVE-2025-2492. In both cases, applying available firmware updates is the single most effective immediate action.
What exactly does LONGLEASH do on a compromised router that SHORTLEASH couldn’t?
SHORTLEASH, the predecessor implant first documented by SecurityScorecard in 2025, supported basic command-and-control communication, web server hosting, and network tunnel management. LONGLEASH adds reverse shell access back to attacker infrastructure, proxying across six distinct protocols (HTTP, DNS, SOCKS, TCP, ICMP, and UDP), TLS and certificate management, a self-removal capability triggered by suspicious connections, and — most significantly — the ability to act as an intermediate C2 relay node. That last capability means a single compromised Ruckus router can receive commands from the true upstream control server and forward them to other infected devices, creating a multi-hop command chain in which no single discovered node reveals the campaign’s origin.
How do I know if my router is already part of an ORB network?
Several behavioral indicators suggest compromise: an unexpected TCP listener on an unusual port created via iptables rules added without administrator action; TLS sessions on port 99 using a certificate whose subject field contains the word “exploit”; HTTP traffic from the device carrying a Windows Chrome 122 User-Agent string (a Windows browser user agent has no legitimate business originating from an embedded Linux router); and unexplained proxy tunnel connections — particularly SOCKS, DNS-over-TCP, or ICMP-encapsulated connections — from a device whose normal function does not include proxying. Cisco Talos has published Snort detection signatures (SIDs 66430–66433 and 301493) and ClamAV rules covering LONGLEASH, DOGLEASH, and JARLEASH for organizations with network intrusion detection in place. If you suspect a device is compromised, forensically image it before attempting cleanup — LONGLEASH includes a self-removal routine that can destroy evidence during remediation.
Click Here For The Original Source.
