New Tools for an Evolving Threat
In a report published July 6, Talos revealed that UAT-7810 has been building on its previously documented ShortLeash backdoor with a newer, more capable variant called LongLeash, alongside two entirely new tools: DogLeash, a passive backdoor that executes arbitrary shellcode on compromised Linux devices, and JarLeash, a Java-based backdoor used for server administration tasks including file management, FTP, and Netcat. thehackernews.com blog.talosintelligence.com
LongLeash adds proxy capabilities across HTTP, DNS, SOCKS, TCP, ICMP, and UDP protocols, and can act as an intermediate command-and-control server, relaying instructions from a primary C2 to other infected machines. The backdoor also includes a self-destruct mechanism that removes all traces from a server if tampering is detected. blog.talosintelligence.com thehackernews.com
“UAT-7810 is most likely tasked with establishing Operational Relay Box networks that can then be leveraged by associated secondary threat actors to conduct their own malicious attacks against high value targets,” researchers Jungsoo An, Asheer Malhotra, Vanja Svajcer, and Brandon White wrote. thehackernews.com blog.talosintelligence.com
Exploiting Router Vulnerabilities at Scale
The group primarily targets unpatched Ruckus wireless routers by exploiting known vulnerabilities, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717, to build what are known as Operational Relay Box networks — meshes of hijacked devices that other threat actors rent to route traffic and conceal their origins. Talos identified four new servers hosting malicious payloads compiled for MIPS, ARM, and x64 platforms, with one server also linked to exploitation of Asus AiCloud routers via CVE-2025-2492 earlier in 2026. infosecurity-magazine.com mallory.ai blog.talosintelligence.com
The researchers also found a testing utility dubbed LeashTest, an ELF binary used to check basic functionality on MIPS-based embedded devices, suggesting the group is still refining its tools for certain hardware platforms. blog.talosintelligence.com thehackernews.com
Ties to Broader Chinese Espionage Operations
Talos assessed with high confidence that UAT-7810 is a China-nexus actor, noting infrastructure overlap with UAT-5918, a separate group linked to attacks on critical infrastructure in Taiwan since at least 2023. Configuration files for JarLeash contained comments in Simplified Chinese, further supporting the attribution. The LapDogs ORB network that UAT-7810 maintains first came to light through SecurityScorecard research in 2025, with the group’s router-targeting campaigns since expanding to encompass Asus devices as part of activity researchers have dubbed Operation WrtHug. securityscorecard.com mallory.ai thehackernews.com blog.talosintelligence.com