UAT-7810 Router Attacks: Inside the LapDogs ORB Network

World Leaks Tata Electronics breach leaking Apple and Tesla trade secret files on a dark web leak site

Specialists at Cisco Talos have unveiled new details regarding the UAT-7810 group. This collective actively develops the sophisticated LapDogs ORB network. They strategically infect internet routers to help other China-affiliated factions safely conceal their cyber operations.

According to Talos, UAT-7810 does not merely compromise isolated devices. Instead, the group constructs a sprawling, complex infrastructure to target high-value assets later. This architectural scheme utilizes infected routers as silent intermediary nodes. Consequently, malicious traffic flows through them entirely undetected. As a result, tracing the true origins of these cyberattacks becomes exceptionally difficult. Ordinary network devices unknowingly transform into an adversarial infrastructure.

An Advanced Malware Arsenal

Furthermore, the syndicate continues to refine its proprietary tools tirelessly. Talos recently discovered a sophisticated iteration of the known SHORTLEASH malware. They now track this highly advanced variant as LONGLEASH. This new version proxies network traffic much more effectively. It creates robust network tunnels and manages encrypted connections smoothly. Moreover, it seamlessly relays commands between various infected nodes.

LONGLEASH can also function as a reliable intermediary command-and-control server. It receives vital directives from the primary nexus and directly forwards them to other compromised devices.

Cisco Talos analysis of UAT-7810 router attacks and the LapDogs ORB network architecture.

JARLEASH core components

DOGLEASH and JARLEASH Emerge

Investigators also unearthed two previously undocumented malicious programs. DOGLEASH acts as a clandestine backdoor specifically tailored for Linux environments. It empowers threat actors to execute commands and extract sensitive files. Additionally, it initiates backups and runs malicious code directly in memory.

Meanwhile, JARLEASH utilizes Java to boast incredibly robust file management capabilities. It operates hidden FTP and SFTP servers effortlessly. It also ensures reliable remote access via standard network utilities. Notably, analysts discovered annotations written in Simplified Chinese deeply embedded within the JARLEASH configuration.

Targeting Unpatched Network Devices

Unpatched network appliances remain the primary targets for this group. Talos tightly correlates UAT-7810 with the active exploitation of prominent vulnerabilities. They frequently target Ruckus wireless routers. This includes severe flaws like CVE-2020-22653, CVE-2020-22658, and the critical CVE-2023-25717.

Additionally, attackers actively utilized one of the identified IP addresses in early 2026. They used it during malicious campaigns targeting ASUS AiCloud routers via CVE-2025-2492. This sustained activity strongly indicates a strategic endeavor to expand their infected botnet rapidly.

Establishing New Cyber Infrastructure

Recently, Talos identified four newly established malicious servers. The adversaries utilized these hubs to distribute malicious payloads across various hardware architectures. They targeted MIPS, ARM, and x64 platforms specifically. The compromised devices successfully executed deployment scripts. Subsequently, these scripts downloaded DOGLEASH and exposed the requisite ports for incoming connections.

A distinct test file, appropriately dubbed LEASHTEST, verified foundational functions on MIPS devices. This clearly demonstrates a continued focus on optimizing cyber tools for embedded systems.

With high confidence, Talos attributes UAT-7810 directly to the Chinese nexus. However, they distinctly separate this collective from the UAT-5918 group. UAT-7810 likely focuses entirely on forging the foundational network infrastructure. Meanwhile, allied syndicates leverage these primed nodes to execute their own targeted offensives.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Leave a Reply