Cisco Talos reported that UAT-7810 is continuing to build and maintain its LapDogs operational relay box (ORB) network, using a growing malware toolkit to compromise internet-facing networking devices. Talos identified LONGLEASH as a new version of the previously documented SHORTLEASH backdoor, along with two additional malware families, DOGLEASH and JARLEASH, plus a testing utility called LEASHTEST. The activity primarily targets unpatched Ruckus wireless routers through known vulnerabilities, and researchers also linked one server to exploitation of ASUS AiCloud routers via CVE-2025-2492, indicating efforts to broaden the relay infrastructure.
Researchers said UAT-7810 likely serves as an initial-access and relay-capability provider for other China-nexus espionage actors, including UAT-5918, while remaining a distinct cluster. Talos found four servers hosting payloads for MIPS, ARM, and x64 systems, with DOGLEASH and shell scripts used to infect compromised Linux devices, and assessed with high confidence that the actor is China-nexus. The report also published infrastructure IPs, malware capabilities, detection signatures, and indicators of compromise to help defenders identify activity tied to the expanding ORB network.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Talos assessed with high confidence that UAT-7810 is a China-nexus threat actor and described it as a provider of infrastructure and initial access for other China-aligned actors, including UAT-5918, while remaining a distinct cluster. This attribution update was included in the newly published reporting.
Talos disclosed a new SHORTLEASH successor called LONGLEASH, along with DOGLEASH, JARLEASH, and a testing utility named LEASHTEST tied to UAT-7810 activity. The report also published four infrastructure IPs, malware capabilities, detection signatures, and indicators of compromise.
Cisco Talos reported that UAT-7810 is actively maintaining and expanding the LapDogs operational relay box network while continuing to compromise networking devices, primarily through known vulnerabilities in unpatched Ruckus wireless routers. Talos also linked one server to exploitation of ASUS AiCloud routers via CVE-2025-2492, indicating efforts to broaden the ORB network.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
6 references tracked. Mallory keeps watching after this page renders.
thehackernews.com
Open sourcecybersecuritynews.com
Open sourcecommunity.gurucul.com
Open sourceblog.talosintelligence.com
Open sourcedecipher.sc
Open sourcebleepingcomputer.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.