Skip to content
feed: live
>_ 0dayNews
threat intel
● Breaking

China-Linked UAT-7810 Expands ORB Net With LONGLEASH

Cisco Talos ties China-aligned UAT-7810 to LONGLEASH backdoor and an expanding ORB relay network built on unpatched Ruckus and ASUS routers.

China-Linked UAT-7810 Expands ORB Net With LONGLEASH
Image: 0dayNews / 0dayNews Editorial · All rights reserved
airgap · Published · 3 min read

Confidence: high on the campaign, medium on the actor cluster, low on downstream tasking. Sourcing: Cisco Talos.

Cisco Talos attributes an active router-compromise campaign to a China-aligned cluster it tracks as UAT-7810, working alongside a related cluster tracked as UAT-5918. The reported purpose: expand an Operational Relay Box network — an ORB — used to proxy later APT traffic through compromised edge devices. Primary targets are unpatched Ruckus routers. ASUS AiCloud routers and MIPS-class IoT devices are also in scope.

The malware family is called LONGLEASH. It is described by Talos as an evolved successor to SHORTLEASH, which SecurityScorecard documented in 2025. Two additional tools were named in the same reporting: DOGLEASH, a Linux backdoor deployed after web-shell access, and JARLEASH, a Java-based administrative utility. A separate tool called LEASHTEST is used to exercise MIPS-device functionality before deployment.

What an ORB is, briefly

An ORB is a mesh of low-signal edge devices — home and small-office routers, IoT gear — that a state-aligned operator uses as an outbound proxy layer for later intrusions. The router isn’t the target. The router is the return address the next intrusion will appear to come from. Google Mandiant framed the concept in earlier reporting. The pattern is: compromise a lot of these, rotate through them, and never route the interesting traffic through infrastructure that has your name on it.

The defensive read is that the visible activity — the router compromise — is a step, not a goal. What lands on the ORB will not always be attributable to the same operator.

What Talos ties to the campaign

Reported entry points, per the same Talos writeup:

  • CVE-2020-22653 — Ruckus
  • CVE-2020-22658 — Ruckus
  • CVE-2023-25717 — Ruckus, remote code execution
  • CVE-2025-2492 — ASUS AiCloud, authentication bypass

Every one of the above is a patched flaw. Every one of the above is landing in exploitation because the boxes on the internet weren’t patched. That is the shape of the whole story.

Timeline

  • 2025 — SecurityScorecard publishes on SHORTLEASH. Actor cluster is not yet named UAT-7810 in public reporting.
  • 2026, ongoing — Talos observes LONGLEASH, DOGLEASH, and JARLEASH in active use. Ruckus and ASUS boxes are the observed victims.
  • 2026-07-07 — Talos’ analysis is published through BleepingComputer and the actor cluster is publicly named.

No CISA advisory as of this writing. No named victim organizations. The reporting is on the ORB build-out itself, not on downstream intrusions attributable to it.

What to do

If you operate any of the affected device families on the internet edge, the priority order is the same one that would have held last year, and the year before:

  • Confirm patch level against the four CVEs above. Any Ruckus or ASUS AiCloud device that has been sitting at a stale firmware build is a plausible ORB node right now — Talos observed it. Not “could.” Observed.
  • Where the device is a home-office router terminating remote-worker traffic, get eyes on it. This is where consumer-grade Ruckus and ASUS gear tends to live inside a corporate estate, and it is exactly the surface an ORB operator picks up cheaply.
  • Where a compromise is suspected, treat the device as fully controlled. A factory reset followed by a patched firmware image is the minimum. Rotate any credentials the device saw in plaintext transit or held in configuration.
  • Watch outbound. If a router in your estate is being used as an ORB relay, the tell is unexplained outbound sessions from the device itself — not from a client behind it. Netflow from the perimeter switch that the router terminates on is the first place to look.

The ORB story is not the sensational half. The sensational half — the intrusions the ORB is going to carry — has not surfaced publicly yet. What has surfaced is the plumbing. Fix the plumbing first.

Sourcing

Found this useful? Share it.