China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware
UAT-7810, a China-linked APT group, is expanding its Operational Relay Box (ORB) network by compromising internet-facing networking devices. The group has evolved its malware from ShortLeash to LONGLEASH, adding sophisticated proxying capabilities and self-preservation mechanisms. New tools include DOGLEASH, a passive backdoor for Linux, and LEASHTEST, an ELF binary for testing functionality on MIPS-based embedded devices. Attack campaigns exploit known vulnerabilities in Ruckus and ASUS routers
Analysis
TL;DR
- UAT-7810, a China-linked APT group, is expanding its Operational Relay Box (ORB) network by compromising internet-facing networking devices.
- The group has evolved its malware from ShortLeash to LONGLEASH, adding sophisticated proxying capabilities and self-preservation mechanisms.
- New tools include DOGLEASH, a passive backdoor for Linux, and LEASHTEST, an ELF binary for testing functionality on MIPS-based embedded devices.
- Attack campaigns exploit known vulnerabilities in Ruckus and ASUS routers, such as CVE-2025-2492, to establish persistent access.
- The ORB infrastructure is shared with secondary actors like UAT-5918 to target critical infrastructure, particularly in Taiwan.
Why It Matters
This development highlights the increasing sophistication of state-sponsored threat actors in building resilient, multi-layered command-and-control infrastructures through compromised consumer and enterprise networking hardware. For security practitioners, it underscores the critical risk posed by unpatched vulnerabilities in internet-facing routers and embedded devices, which serve as foundational nodes for broader cyber espionage campaigns. Understanding these relay networks is essential for detecting lateral movement and attributing attacks to larger APT groups.
Technical Details
- LONGLEASH Malware: The successor to ShortLeash, featuring an executor component that proxies traffic via HTTP, DNS, SOCKS, TCP, ICMP, and UDP. It acts as an intermediate C2 server, relaying commands between primary C2 and peers, and includes anti-tampering features to remove itself if compromised.
- DOGLEASH Backdoor: A passive backdoor deployed on compromised Linux devices, capable of executing arbitrary shellcode. UAT-7810 hosts multiple variations on dedicated servers to target different victims.
- JARLEASH Administration Tool: A Java-based JAR package used for administrative tasks on compromised servers, providing file management, FTP, SFTP, and Netcat capabilities.
- LEASHTEST Utility: An ELF binary designed to test specific functionalities, such as thread creation, child processes, and async timers, specifically on MIPS-based embedded devices, indicating ongoing refinement for this architecture.
- Exploitation Vectors: Attacks leverage known vulnerabilities in unpatched Ruckus wireless routers (CVE-2020-22653, CVE-2020-22658, CVE-2023-25717) and ASUS AiCloud Routers (CVE-2025-2492) to gain initial access and expand the ORB network.
Industry Insight
- Organizations must prioritize the patching of internet-facing networking equipment, especially routers from vendors like Ruckus and ASUS, as these devices are prime targets for establishing persistent backdoors.
- Security operations should monitor for unusual outbound traffic patterns indicative of proxying or relay activities, as APT groups increasingly use compromised devices as intermediaries to obscure their true command-and-control sources.
- Threat intelligence sharing regarding specific malware variants like LONGLEASH and DOGLEASH should be disseminated quickly to help defenders identify indicators of compromise across MIPS and Linux-based embedded systems.
Disclaimer: The above content is generated by AI and is for reference only.