China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors
China-linked APT UAT-7810 expands SOHO router malware with new LongLeash, DogLeash, and JarLeash backdoors.
Summary
A China-linked APT, tracked as UAT-7810, has updated its malware arsenal with new backdoors including LongLeash, DogLeash, and JarLeash, targeting SOHO routers. These new tools build upon previous capabilities and exploit known vulnerabilities in devices like Ruckus routers, expanding the APT's espionage infrastructure.
Full text
A China-linked advanced persistent threat (APT) actor building an operational relay box (ORB) network for espionage has been updating its arsenal with new backdoors, Cisco’s Talos researchers warn. As part of a prolonged espionage infrastructure campaign tracked as LapDogs, the APT infected over 1,000 small office/home office (SOHO) routers with the ShortLeash backdoor, SecurityScorecard reported last year. Talos, which tracks the threat actor as UAT-7810, has discovered a newer version of the backdoor, dubbed LongLeash, as well as two other malware families the APT has been relying on, namely DogLeash and JarLeash. UAT-7810 mainly targets known vulnerabilities in Ruckus wireless routers, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717, and was seen using payloads for multiple architectures, including MIPS, ARM, and x64. Talos identified three IP addresses associated with VPS instances that UAT-7810 uses to download payloads, as well as four new servers the APT has been using to host malicious payloads such as DogLeash and accompanying shell scripts. One of the IPs was also used in attacks targeting Asus AiCloud Routers, likely as part of the apparent ORB facilitation campaign dubbed Operation WrtHug that was publicly detailed in November 2025.Advertisement. Scroll to continue reading. UAT-7810, Talos says, provides infrastructure to another China-linked APT, namely UAT-5918. The groups’ tooling overlaps, but they are still tracked as separate groups. The recently identified LongLeash backdoor builds on the functionality previously observed in ShortLeash, such as command-and-control (C&C) communication, web server hosting, tunnel management, and the ability to act both as C&C and client, as well as additional capabilities. It was built largely on the same codebase, but also contains code from the Nanopb and MbedTLS open source libraries. The backdoor can function as an intermediate server, forwarding commands and data received from the C&C to other peers. DogLeash is a C-based passive backdoor deployed via a shell script that also adds iptables rules allowing TCP traffic to a port that DogLeash binds and listens to. Based on code received from the C&C, the backdoor can execute commands, read files, rename files, close the socket listener, retrieve OS information, and execute code in memory. JarLeash is a Java-based backdoor that provides UAT-7810 with easy access to compromised systems. It is used alongside a script that kills all other instances of the backdoor and then spawns the Java container to deploy the malware. The backdoor can also be deployed on the APT’s internal infrastructure. The backdoor can host a web-based file management interface and FTP and SFTP servers, and can run a netcat server on a provided IP and port number. UAT-7810 was also seen developing LeashTest, a binary that tests functionality on the MIPS platform, and which is not malicious on its own, but can be an indicator of compromise (IoC). “The development and use of LeashTest signifies that even though they have developed LongLeash, a full-fledged backdoor framework, UAT-7810 is still actively testing functionality on MIPS platforms and may not be completely confident of its behavior on MIPS devices,” Talos notes. Related: Chinese Framework Powers 200,000 Scam Sites Related: Chinese Hackers Target Medical, Military, and AI Research in North America Related: FBI Seizes 13 Websites That Officials Say Were Used by China to Target and Recruit US Workers Related: Five Eyes: Chinese Spies Target Government, Military Staff With Fake Job Opportunities Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Iran-Linked Hackers Using Modular C&C Framework in CyberattacksLinux Kernel Vulnerability Allows VM Escape on Intel and AMD SystemsBlogspot-Hosted Payloads Delivered in ‘Veil#Drop’ AttacksArmored Likho APT Targeting Government, Electric Power EntitiesNorth Korean Hackers Target Open Source Developers in Supply Chain Attacks Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access VulnerabilityPrompt Injection Attacks Trick AI Agents Into Making Crypto PaymentsAgentic AI Used to Conduct Ransomware Attack via Langflow Latest News Webinar Today: Why Email Security Keeps FailingGoogle Dialogflow CX Bug Allowed Attackers to Hijack AI ConversationsCISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla FlawsCritical Vulnerability Exposes GitHub Agentic Workflows to Prompt InjectionCounty Government Reportedly Paid $1 Million to Cyber Extortion GroupCritical Gitea Flaw Under Active Exploitation, Researchers WarnCISA Reportedly Using Anthropic’s Mythos to Scan Government Software for FlawsCritical Adobe ColdFusion Vulnerability Exploited in Attacks Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveSherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.More People On The MoveExpert Insights The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email
Indicators of Compromise
- cve — CVE-2020-22653
- cve — CVE-2020-22658
- cve — CVE-2023-25717
- ip — 185.220.102.11
- ip — 185.220.101.12
- ip — 185.220.100.13