At a glance
| Actor | UAT-7810 — assessed China-nexus APT (Cisco Talos, high confidence) |
| Activity | Building and expanding the LapDogs ORB relay network with router malware |
| Targets | Unpatched edge devices — Ruckus wireless routers and ASUS AiCloud routers |
| Scale | LapDogs tied to 1,000+ infected nodes (SecurityScorecard); four new payload servers |
| Law-enforcement status | No arrests or charges; nation-state espionage infrastructure |
| Source | Cisco Talos |
TL;DR
Cisco Talos is tracking UAT-7810, a China-nexus group that builds relay networks. The actor keeps expanding the LapDogs ORB network with fresh router malware. Its new kit includes LONGLEASH, DOGLEASH, and JARLEASH.
What happened
A growing malware toolkit
UAT-7810 hacks internet-facing routers to grow its relay network. Then it installs backdoors that turn devices into proxy nodes. Talos found a new implant called LONGLEASH, built on the older SHORTLEASH. Also, LONGLEASH shares its codebase with that earlier tool. SHORTLEASH already handled C2 traffic and network tunnels. LONGLEASH adds reverse shells, proxy channels, and self-removal on tampering. It can also act as an intermediate C2 relay. It even fakes a Chrome browser header to hide in traffic. So the upgrade shows steady, active work, per Talos. Talos expects more updates to follow.
DOGLEASH, JARLEASH, and LEASHTEST

DOGLEASH is a lean Linux backdoor delivered by a shell script. It listens on a fixed port and unlocks with a hardcoded password. Then it decodes each request before it acts. From there, it runs shell commands and reads or backs up files. Operators ran several DOGLEASH variants across their servers. None of these tools needs a zero-day to run. JARLEASH is a Java tool for file management, FTP, and netcat. A test binary called LEASHTEST probes basic functions on MIPS gear. Talos notes that “its presence on a device likely indicates a compromise.”
How access happens
The group leans on old, known flaws rather than zero-days. It exploits n-day bugs in Ruckus routers from 2020 and 2023. One server also hit ASUS AiCloud routers via CVE-2025-2492. Because the flaws are old, patched routers stay safe. Still, many owners never update these devices. Talos found four payload servers, one hosted in Hong Kong. Those servers covered MIPS, ARM, and x64 targets. So the actor keeps widening its pool of relay devices.
Who is behind it
Talos assesses with high confidence that UAT-7810 is China-nexus. Several clues support that view. The JARLEASH config carries comments in Simplified Chinese. So the operators appear to be Chinese speakers. UAT-7810 also supplies servers to other China-nexus actors like UAT-5918. Even so, Talos treats the two as separate teams. SecurityScorecard first exposed the LapDogs network in 2025. The group has run this ORB operation since then. In Talos’s words, the group is “most likely tasked with establishing Operational Relay Box networks.”
Impact and scale
ORB networks give spies a quiet way to hide. They route traffic through regional devices to blend in. So attacks look local, which muddies the trail. ORBs work like spy relays, not noisy botnets. Google Mandiant has tracked this ORB trend for years. SecurityScorecard tied LapDogs to more than 1,000 infected nodes. Early victims spanned real estate, IT, networking, and media. Many sat across the US, Japan, South Korea, and Taiwan. Later, second-stage actors ride that hidden network. So one weak router can shield a whole spying operation.
What comes next and how to stay protected
The campaign looks active and still growing. No arrests or charges have followed the report. First, inventory every router on the network. Then retire anything past its support date. Router owners should patch Ruckus and ASUS devices right away. Also watch edge devices for odd listeners and proxy traffic. Block the indicators that Talos published with its report. Also disable remote router admin where you can.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.