[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f2eezHrgKLQV0GL4rQAroio2a61BqrLkR_dtWySAR8ho":3},{"article":4,"iocs":55},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"0b72906b-dda6-4458-a42d-3048030e1a63","Chinese hackers develop LONGLEASH malware to expand ORB network","chinese-hackers-develop-longleash-malware-to-expand-orb-network-d209aa","Chinese hackers tracked as 'UAT-7810' are actively evolving their malware to expand their Operational Relay Box (ORB) network by compromising internet-facing networking devices, primarily unpatched Ruckus routers. [...]","Chinese threat actor UAT-7810 is expanding its Operational Relay Box (ORB) network by compromising internet-facing devices, primarily unpatched Ruckus routers. They have developed new malware, including LONGLEASH, an advanced backdoor, and other tools like DOGLEASH and JARLEASH, to enhance their proxy infrastructure for evading detection and complicating attribution. The group primarily exploits known vulnerabilities in networking devices.","Chinese hackers use LONGLEASH malware to expand ORB network via unpatched routers.","Chinese hackers develop LONGLEASH malware to expand ORB network By Bill Toulas July 7, 2026 02:52 PM 0 Chinese hackers tracked as 'UAT-7810' are actively evolving their malware to expand their Operational Relay Box (ORB) network by compromising internet-facing networking devices, primarily unpatched Ruckus routers. According to Cisco Talos researchers, the ORB network serves as a secure relay infrastructure for other China-aligned advanced persistent threats (APTs), including UAT-5918. This type of infrastructure, which was previously documented by Google Mandiant, allows threat actors to proxy their network traffic through regional devices, making it appear to originate from legitimate local infrastructure to evade detection and complicate attribution. The Talos analysts have identified new malware in the campaign, including LONGLEASH, a new version of the previously documented SHORTLEASH backdoor, DOGLEASH, a Linux backdoor, JARLEASH, an administrative tool, and LEASHTEST, a testing utility. The researchers report that UAT-7810 primarily exploits known (n-day) vulnerabilities to gain initial access, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 in Ruckus routers, as well as CVE-2025-2492 in ASUS AiCloud routers. LONGLEASH malware The newly discovered LONGLEASH malware is an upgraded version of SHORTLEASH, first documented by SecurityScorecard in 2025, that significantly expands its capabilities. The malware builds on the previous version, which supported command-and-control (C2) communications, web server hosting, network tunnel management, and operation as both a C2 server and client. In addition to those, Talos researchers have now also observed the following capabilities: Reverse shell HTTP, DNS, SOCKS, TCP, ICMP, and UDP proxying with traffic redirection SMTP client\u002Fserver functionality TLS and PKI support Self-removal for when tampering or other suspicious activity is detected Ability to act as an intermediate C2 server, forwarding commands and data between infected nodes DOGLEASH, JARLEASH, and LEASHTEST Apart from LONGLEASH, the researchers have also discovered DOGLEASH, a lightweight Linux backdoor deployed via web shell scripts. Upon launch, it opens a listening TCP port and authenticates incoming requests using a hardcoded password, supporting shell command execution, file access and modification, OS information retrieval, and arbitrary code execution directly in the host's memory. JARLEASH is a Java-based administrative tool that provides web-based file management and includes FTP, SFTP, and Netcat server functionality. Finally, the threat actors have developed LEASHTEST, which can be used to verify whether an MIPS IoT device can perform functions related to malware operations, likely to help refine LONGLEASH’s MIPS support. Cisco Talos concludes that UAT-7810 continues to expand its ORB infrastructure, actively replacing or extending SHORTLEASH with the more capable LONGLEASH while broadening its toolkit with new malware. A complete list of the indicators of compromise (IoCs) linked to UAT-7810 activity and the latest toolset is available at the bottom of Cisco Talos’ report. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: Windows version of SprySOCKS Linux malware used to attack govt orgsChinese hackers breach REDCap servers, steal medical researchChina-linked JDY botnet expands targeting of U.S. military networksChinese hackers target telcos with new Linux, Windows malwareNew ChocoPoC malware targets researchers via trojanized PoC exploits","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fchinese-hackers-develop-longleash-malware-to-expand-orb-network\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F04\u002F23\u002FChina.jpg","2026-07-07T18:52:19+00:00","2026-07-07T20:00:11.44683+00:00",8,[18,21,23,26,28,30],{"name":19,"type":20},"UAT-7810","threat_actor",{"name":22,"type":20},"UAT-5918",{"name":24,"type":25},"LONGLEASH","product",{"name":27,"type":25},"SHORTLEASH",{"name":29,"type":25},"DOGLEASH",{"name":31,"type":25},"JARLEASH","6cbdd207-aaa1-4176-9534-e156b125e917",{"id":32,"icon":34,"name":35,"slug":36},null,"Nation-state","nation-state",[38,43,45,50],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":44},{"id":32,"icon":34,"name":35,"slug":36},{"category":46},{"id":47,"icon":34,"name":48,"slug":49},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":51},{"id":52,"icon":34,"name":53,"slug":54},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[56,60,62,64],{"type":57,"value":58,"context":59},"cve","CVE-2020-22653","Ruckus router vulnerability exploited by UAT-7810",{"type":57,"value":61,"context":59},"CVE-2020-22658",{"type":57,"value":63,"context":59},"CVE-2023-25717",{"type":57,"value":65,"context":66},"CVE-2025-2492","ASUS AiCloud router vulnerability exploited by UAT-7810"]