Cisco Talos published new research on UAT-7810, a China-nexus threat actor building and maintaining Operational Relay Box (ORB) infrastructure connected to the LapDogs network. The important part for defenders is not just the malware names. It is the operational model: compromise exposed edge and embedded devices, turn them into relay infrastructure, and give other operators a deniable path into higher-value targets.
Talos assesses that UAT-7810 is likely tasked with establishing ORB networks that can be reused by associated China-nexus actors. The latest reporting shows continued development of custom malware including LONGLEASH, DOGLEASH, JARLEASH, and supporting test tooling for embedded platforms.
What Talos Reported
The activity centers on compromised networking and embedded devices, including unpatched Ruckus wireless routers and possibly additional router families. Talos observed exploitation of known vulnerabilities, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717, with infrastructure also tied to exploitation of ASUS AiCloud routers via CVE-2025-2492.
The malware set is built for relay, persistence, and administration:
- LONGLEASH appears to be an evolved version of SHORTLEASH, with proxying and relay capabilities across HTTP, DNS, SOCKS, TCP, ICMP, UDP, and SMTP paths.
- DOGLEASH is a passive Linux backdoor that listens on a local port and can execute commands, read files, rename files, close listeners, gather OS information, or run code in memory.
- JARLEASH is a Java-based administration backdoor that can provide web-based file management, FTP/SFTP, and netcat-style access.
- LEASHTEST is non-malicious test tooling, but its presence on a device is a strong compromise indicator because it suggests operator validation on MIPS-based IoT hardware.
Why ORB Networks Matter
ORB networks are a serious problem because they blur attribution and make malicious traffic look like it is coming from ordinary routers, wireless gear, and small office infrastructure. For a government contractor, municipal office, MSP, or small manufacturer, that means the threat may not arrive from an obviously suspicious hosting provider. It may come through a compromised device that looks like normal residential, small business, or regional infrastructure.
This changes the defensive mindset. Blocking a few known bad IPs is useful, but it is not enough. ORB infrastructure is designed to rotate, blend in, and provide operational cover for follow-on activity. The real priority is reducing the number of unmanaged devices that can become relay nodes, and improving detection around traffic patterns that do not match the device’s business purpose.
Defensive Takeaways for SMBs and Government Contractors
- Inventory edge devices first. Wireless controllers, routers, VPN appliances, firewalls, NAS devices, and remote admin portals should be treated as high-value assets, not background infrastructure.
- Patch old n-day vulnerabilities. UAT-7810’s reported exploitation includes known flaws, which means basic patch drift remains a real intrusion path.
- Restrict management exposure. Device admin interfaces should not be reachable from the public internet unless there is a strong business case and compensating control.
- Monitor outbound behavior from infrastructure devices. Routers and wireless gear should not suddenly initiate unusual sessions to unfamiliar VPS providers, high-risk regions, or odd ports.
- Segment edge and IoT management networks. If a router, controller, camera, or embedded appliance is compromised, it should not have a clean path into identity systems, file shares, build infrastructure, or sensitive enclaves.
- Collect logs before rebooting suspicious devices. Embedded compromises can be volatile. If feasible, capture config, process, network, and filesystem artifacts before wiping or replacing hardware.
Bulwark Black Assessment
UAT-7810 is a reminder that edge-device security is now part of counterintelligence hygiene. For organizations supporting government, defense, critical infrastructure, or regulated sectors, routers and wireless gear are not just IT plumbing. They can become someone else’s covert relay infrastructure.
The practical move is to build an edge-control program: know every internet-facing device, know who owns it, know its firmware state, know which services are exposed, and know what normal outbound traffic looks like. That sounds basic, but it is exactly where many smaller organizations are weakest.
Read the original Cisco Talos research here: UAT-7810 continues building ORB networks using new malware.
