UAT-7810 Expands Malware Arsenal to Enhance ORB Network

UAT-7810 Expands Malware Arsenal to Enhance ORB Network

First seen 7 Jul 2026, 19:26 UTC Blog.TalosintelligenceBleepingcomputerInfosecurity-Magazinenvd.nist.gov 88% similarity 77.0

Article Content

Browse articles
ThreatCluster

The China-linked threat actor UAT-7810 is evolving its malware toolkit, notably introducing LONGLEASH, an upgraded version of the SHORTLEASH backdoor. This group exploits known vulnerabilities in unpatched Ruckus routers and recently began targeting ASUS AiCloud routers. The malware facilitates the creation of an Operational Relay Box (ORB) network, allowing other APTs to mask their traffic. Talos has identified multiple CVEs exploited by UAT-7810, including CVE-2020-22653, CVE-2020-22658, and CVE-2025-2492. The group has also developed additional tools like DOGLEASH, a Linux backdoor, and JARLEASH, a Java-based administrative tool. The ongoing activity indicates a significant threat to organizations using the affected devices. The group’s tactics rely on exploiting unpatched vulnerabilities, which remain a low-effort yet effective attack vector.

Key Points: • UAT-7810 is developing LONGLEASH, an advanced version of its SHORTLEASH backdoor. • The group exploits vulnerabilities in Ruckus and ASUS routers to expand its ORB network. • New malware tools include DOGLEASH for Linux and JARLEASH for server management.

ThreatCluster AI

Timeline

2023-01-20
CVE-2020-22653 published
A vulnerability in Ruckus routers allows attackers to exploit unauthorized image signatures.
nvd.nist.gov
2023-01-20
CVE-2020-22658 published
A vulnerability in Ruckus routers allows attackers to switch to unauthorized images as primary.
nvd.nist.gov
2023-02-13
CVE-2023-25717 published
Ruckus Wireless Admin vulnerability allows remote code execution via unauthenticated HTTP GET requests.
nvd.nist.gov
2025-04-18
CVE-2025-2492 published
An improper authentication vulnerability in ASUS AiCloud allows unauthorized function execution.
nvd.nist.gov
Recent
UAT-7810 expands malware capabilities
Talos reports the development of LONGLEASH and other tools to enhance UAT-7810's ORB network.
Bleepingcomputer

Community

Browse all →