Expanding the ORB Network
Chinese advanced persistent threat group UAT-7810 is actively expanding its Operational Relay Box (ORB) network by compromising internet facing networking devices. According to Cisco Talos researchers, the group maintains and grows the LapDogs ORB network first identified in June 2025. This infrastructure is then leveraged by affiliated threat actors, such as UAT-5918, which has targeted critical infrastructure entities in Taiwan since 2023 to establish persistent access within victim environments.
The threat actor deploys a variety of custom tools to compromise unpatched devices, including Ruckus wireless routers vulnerable to CVE-2023-25717 and ASUS AiCloud Routers susceptible to CVE-2025-2492. Attack chains weaponize these known vulnerabilities to gain initial access and expand the relay network.
Enhanced Malware Capabilities
UAT-7810 has evolved its bespoke ShortLeash malware into a newer version codenamed LONGLEASH with significantly expanded functionality. LONGLEASH includes an executor component that enables proxying functions using HTTP, DNS, SOCKS, TCP, ICMP, and UDP protocols. It can manage network connections to other servers, authorize clients, and automatically remove all traces from a compromised server if tampering is detected.
The group also employs DOGLEASH, a passive backdoor for executing arbitrary shellcode on Linux devices, and LEASHTEST, a testing tool for MIPS based embedded devices. A Java based backdoor called JARLEASH provides administrative capabilities including file management, FTP, SFTP, and Netcat functionality. Researchers note that active development of LEASHTEST suggests UAT-7810 continues testing on MIPS platforms despite having developed the more advanced LONGLEASH framework.
Source: The Hacker News
