Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Talos has observed UAT-7810 primarily exploit known vulnerabilities in unpatched Ruckus wireless routers, a tactic UAT-7810 has used since 2025. CVEs exploited include: CVE-2020-22653, CVE-2020-22658, CVE-2023-25717.
Talos has observed UAT-7810 primarily exploit known vulnerabilities in unpatched Ruckus wireless routers, a tactic UAT-7810 has used since 2025. CVEs exploited include: CVE-2020-22653, CVE-2020-22658, CVE-2023-25717.
Talos has observed UAT-7810 primarily exploit known vulnerabilities in unpatched Ruckus wireless routers, a tactic UAT-7810 has used since 2025. CVEs exploited include: CVE-2020-22653, CVE-2020-22658, CVE-2023-25717.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Cisco Talos recently analyzed a newer version of the group’s SHORTLEASH backdoor that the researchers named LONGLEASH.
8 distinct techniques documented for this family, organized by ATT&CK tactic.
SHORTLEASH provided robust functionality, including C2 communication, web server hosting, tunnel management, and acting as both a C2 server and client.
The actor’s executor utility continues to facilitate a broad suite of capabilities, such as reverse shells, packet redirection for various protocols including HTTP, DNS, SOCKS, TCP, ICMP, and UDP, and acting as an SMTP server and client.
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An evolved version of SHORTLEASH built from the same codebase and internally named "ff-agent" / project "nz1.0". It supports reverse shell to C2, proxy servers for HTTP, DNS, SOCKS, TCP, ICMP, and UDP, packet redirection, SMTP server/client functions, TLS/PKI-enabled communications, client authorization, routing through a proxy network, tunnel management, self-removal on suspected tampering, and operation as an intermediate C2 server.
A successor to the SHORTLEASH backdoor used by UAT-7810. It reflects the group’s continued development of custom malware hosted on attacker-controlled infrastructure.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.