The news about UAT-7810 deploying LONGLEASH malware to expand their Operational Relay Box (ORB) network isn't just another malware alert; it's a clear signal that China-aligned APTs are doubling down on infrastructure that makes our jobs harder. We're seeing this pop up in SecOps communities, mostly as a heads-up, and for good reason. This new backdoor signifies a more resilient, harder-to-trace foundation for their long-game cyber espionage.
The mainstream narrative correctly points out that Chinese hackers, specifically UAT-7810, are evolving their malware to grow their ORB network. They're hitting unpatched Ruckus and ASUS AiCloud routers, using known vulnerabilities to build this relay infrastructure. The goal is clear: give groups like UAT-5918 a secure way to proxy traffic, evade detection, and make attribution a nightmare. But that's just the surface. The real issue is how LONGLEASH's new capabilities, combined with a shared ORB, change the defensive calculus.
Why LONGLEASH Malware and the ORB Network are a Strategic Problem for Defenders
What we're seeing is UAT-7810 actively compromising internet-facing networking devices. Cisco Talos identified LONGLEASH, DOGLEASH, JARLEASH, and LEASHTEST as the tools in play. The primary targets are unpatched Ruckus routers, exploited via CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717. ASUS AiCloud routers are also in the crosshairs, using CVE-2025-2492. These aren't zero-days; these are n-day vulnerabilities that should have been patched.
The objective here isn't just to get a foothold on a single device. It's about building out a distributed, resilient network of compromised devices that can act as relays. Think of it as a global mesh of stepping stones, all controlled by the adversary, designed to obscure their true origin and destination. This expanded LONGLEASH malware ORB network provides a robust infrastructure for long-term cyber espionage.
The Incident: A Network of Compromised Routers
LONGLEASH is the key piece here. It's an upgraded version of SHORTLEASH, first documented by SecurityScorecard in 2025. SHORTLEASH already gave them C2 comms, web server hosting, and network tunnel management. LONGLEASH takes that to another level, making the LONGLEASH malware ORB network even more formidable. This evolution significantly enhances their operational capabilities.
Here's how the attack chain generally works once they get initial access through those unpatched routers:
- Initial Access: UAT-7810 exploits a known vulnerability on an internet-facing Ruckus or ASUS router. This gives them a foothold.
- Deployment of DOGLEASH: Often, a lightweight Linux backdoor like DOGLEASH gets deployed via web shell scripts. This opens a listening TCP port, authenticated with a hardcoded password, giving them basic shell command execution, file access, and OS info retrieval. It's their initial persistent access.
- Deployment of JARLEASH: For administrative tasks, they might drop JARLEASH, a Java-based tool that gives them web-based file management, FTP, SFTP, and Netcat server functionality. This helps them move files around and set up more solid access.
- LONGLEASH Installation: This is where it gets serious. LONGLEASH is installed, replacing or augmenting the initial backdoors. Its new capabilities are what make this a strategic problem for the LONGLEASH malware ORB network:
- Reverse Shell: Immediate interactive access to the compromised device.
- Advanced Proxying: HTTP, DNS, SOCKS, TCP, ICMP, UDP proxying with traffic redirection. This means they can tunnel almost any kind of traffic through these devices, making it incredibly hard to distinguish legitimate traffic from their C2.
- SMTP Client/Server: They can send and receive emails directly from the compromised router. This is a powerful exfiltration channel and can be used for further phishing or command delivery.
- TLS and PKI Support: Encrypted communications, making it harder for network defenders to inspect their C2 traffic. They're using proper certificates, not just raw TCP.
- Self-Removal: If they detect tampering, LONGLEASH can wipe itself. This is a forensic nightmare, making incident response and attribution even more difficult.
- Intermediate C2 Server: This is the big one. A compromised router running LONGLEASH can act as a C2 for other compromised devices or even other APT groups. This creates a multi-layered, distributed C2 infrastructure that's incredibly resilient. If one ORB node goes down, others can pick up the slack, or even re-route through a different intermediate C2.
They're also using LEASHTEST, a utility to verify MIPS IoT device functions. This tells me they're actively refining LONGLEASH's support for MIPS-based IoT devices, which are common in routers and other networking gear. They're not just deploying; they're iterating and improving their reach for the LONGLEASH malware ORB network.
How LONGLEASH Elevates the Game
The practical impact of this expanded LONGLEASH malware ORB network is significant for global defenders.
First, attribution becomes a serious challenge. When an attack originates from an ORB node, tracing it back to the actual threat actor becomes a multi-hop exercise through potentially dozens of compromised devices across different jurisdictions. Each hop adds layers of complexity, legal hurdles, and technical obfuscation.
Second, detection is harder. The advanced proxying capabilities mean their C2 traffic can blend in with legitimate network traffic. DNS tunneling, for example, is notoriously difficult to detect without deep packet inspection and behavioral analytics, which many organizations don't have deployed at the edge. TLS encryption further complicates this.
Third, resilience is built-in. The ability for LONGLEASH to act as an intermediate C2 means the ORB network isn't a flat structure. It's a dynamic, self-healing mesh. Taking down one node doesn't cripple the network; it just forces traffic to re-route. This makes large-scale takedowns much less effective against the LONGLEASH malware ORB network.
This isn't just about UAT-7810. The ORB network is a shared resource for various China-aligned APTs, like UAT-5918. This means a single infrastructure investment by one group benefits many, amplifying the overall threat and making the LONGLEASH malware ORB network a force multiplier for their cyber espionage efforts.
The Impact: Obfuscation and Resilience
So, what do we do about it?
The most immediate and obvious response is patching. The fact that these attacks rely on n-day vulnerabilities for Ruckus and ASUS routers is frustrating. Organizations running these devices need to prioritize patching CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, and CVE-2025-2492. It's a non-negotiable first step. If you're running internet-facing network devices, you need a solid patch management program.
Beyond patching, enhanced network monitoring is essential. We need to look for anomalous traffic patterns, even if they're TLS-encrypted. Behavioral analytics that can spot unusual DNS queries, unexpected SMTP traffic from network devices, or abnormal proxying activity are key. Look for connections to known C2 infrastructure, but also for deviations from baseline behavior on your edge devices.
Threat intelligence sharing is also critical. Cisco Talos and SecurityScorecard have done good work here, and we need to keep sharing indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) related to LONGLEASH and the ORB network. Understanding the evolving capabilities and how they're being used helps us build better defenses against the LONGLEASH malware ORB network.
Finally, segmentation and access control on network devices. These routers should not have broad access to internal networks. Implement strict firewall rules, limit administrative access, and use strong, unique credentials. If a router gets compromised, you want to contain that breach as much as possible.
This isn't a problem that's going away. UAT-7810 and other groups will continue to build out these resilient infrastructures. Our defense has to evolve to match that resilience, focusing on detection at multiple layers and making attribution easier, not harder, especially against the LONGLEASH malware ORB network.