Chinese Hackers Evolve LONGLEASH Malware to Expand ORB Network

Chinese Hackers Evolve LONGLEASH Malware to Expand ORB Network

First seen 7 Jul 2026, 19:26 UTC Blog.TalosintelligenceBleepingcomputernvd.nist.gov 89% similarity 77.0

Article Content

Browse articles
ThreatCluster

Chinese threat actor UAT-7810 is enhancing its malware capabilities to expand its Operational Relay Box (ORB) network by targeting unpatched Ruckus routers. The group is developing LONGLEASH, an upgraded version of the SHORTLEASH backdoor, alongside new tools like DOGLEASH and JARLEASH. UAT-7810 exploits known vulnerabilities, including CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, and CVE-2025-2492, to gain initial access to compromised devices. The ORB network allows them to proxy traffic through local infrastructure, complicating detection and attribution. Talos researchers have identified four new servers used by UAT-7810 for hosting malicious payloads. The ongoing development of LONGLEASH indicates a significant escalation in their operational capabilities. Security teams are advised to monitor for indicators of compromise linked to UAT-7810's activities.

Key Points: • UAT-7810 is evolving its malware, including the new LONGLEASH backdoor. • The group exploits vulnerabilities in Ruckus routers and ASUS AiCloud devices. • LONGLEASH expands capabilities for command and control, complicating detection.

ThreatCluster AI

Timeline

2023-01-20
CVE-2020-22653 and CVE-2020-22658 published
Two vulnerabilities in Ruckus routers were disclosed, enabling unauthorized access.
Bleepingcomputer
2023-02-13
CVE-2023-25717 published
A new vulnerability affecting Ruckus routers was disclosed, contributing to ongoing exploitation.
Bleepingcomputer
2025-04-18
CVE-2025-2492 published
A vulnerability in ASUS AiCloud routers was disclosed, allowing potential exploitation.
Bleepingcomputer
Recent
UAT-7810 expands ORB infrastructure
Talos reports that UAT-7810 is actively developing LONGLEASH and other tools to enhance their operational capabilities.
Blog.Talosintelligence

Community

Browse all →