en.Wedoany.com Reported - A Chinese threat actor, designated UAT-7810, is continuously expanding its malware toolkit to broaden a network of relay proxies (ORB) built from compromised routers and IoT devices. According to a research report published by Cisco Talos on July 7, 2026, the group has upgraded from the previously discovered SHORTLEASH backdoor to a more capable LONGLEASH variant, and has added DOGLEASH, JARLEASH, and a testing tool named LEASHTEST.

ORB networks are described as a hybrid of traditional VPN structures and botnets, with organizations such as Team Cymru and Mandiant extensively documenting this type of infrastructure. Attackers route traffic through seemingly normal devices within a region to obscure the true source of their activities. Mandiant's research indicates that, at least since 2024, China-linked APT actors have increasingly turned to these distributed proxy networks, using compromised virtual private servers, IoT devices, and SOHO routers to hide command-and-control paths. Cisco Talos notes that UAT-7810 exploits multiple known vulnerabilities, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 in Ruckus routers, as well as CVE-2025-2492 in ASUS AiCloud devices. These are all known vulnerabilities, not zero-days, highlighting the persistent issue of unpatched internet-facing devices.
The newly discovered LONGLEASH backdoor significantly expands capabilities over the original SHORTLEASH, documented by SecurityScorecard in 2025. The malware now supports reverse shells, multi-protocol proxying across HTTP, DNS, SOCKS, TCP, ICMP, and UDP, along with SMTP client and server functionality, and supports TLS and PKI. It can self-delete upon detecting tampering or suspicious activity, manage tunnels, and act as an intermediate command-and-control node by forwarding instructions and data between infected devices. This tool operates within a broader espionage ecosystem, helping to create a mesh structure through which other China-linked APTs, including UAT-5918, can route traffic.
DOGLEASH and JARLEASH demonstrate UAT-7810's modular approach. DOGLEASH is a lightweight Linux backdoor deployed via a web shell script that opens a listening TCP port and authenticates incoming requests using a hardcoded password, supporting shell command execution, file access, and arbitrary code execution in memory. JARLEASH is a Java management tool offering web-based file management along with FTP, SFTP, and Netcat server capabilities. LEASHTEST focuses on verifying whether MIPS IoT devices can execute functions related to malware operations, indicating that the attacker routinely tests hardware limitations before deploying new tools at scale.
Industry analysts have long observed this tactical shift. The IEEE community has repeatedly discussed the risks associated with unmanaged edge devices, particularly as cheap (home) routers and IP cameras continue to ship with outdated firmware. Gartner, in its security operations coverage, notes that distributed command infrastructure often requires organizations to rethink how they monitor east-west traffic within their environments. GAO, in its ongoing review of federal cybersecurity readiness, points out that agencies sometimes struggle to maintain accurate inventories of networked devices, which can lead to blind spots.
Cisco Talos's analysis emphasizes that UAT-7810 heavily relies on known vulnerabilities. Patch timelines and asset inventories determine exposure in a very practical manner. The reported capabilities align with frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the MITRE ATT&CK matrix. ORB networks fall under a hybrid of ATT&CK techniques related to command and control, proxies, and the use of compromised infrastructure.
Cisco Talos concludes that UAT-7810 is actively replacing or expanding its old SHORTLEASH deployments with LONGLEASH, while broadening its overall coverage by compromising devices through n-day vulnerabilities. The group's assessment reflects an emerging norm: espionage operators are investing not only in intrusion tools but also in persistent infrastructure designed to withstand takedowns.










