Full Report
A Chinese threat actor tracked as UAT-7810 is actively refining its bespoke malware to expand its Operational Relay Box (ORB) network by breaking into internet-facing networking devices. According to findings from Cisco Talos, UAT-7810 is an advanced persistent threat (APT) actor that's responsible for maintaining and proliferating LapDogs, an ORB network that first came to light in June 2025.
Analysis Summary
# Threat Actor: UAT-7810
## Attribution & Identity
* **Name:** UAT-7810
* **Origin:** China-nexus (Advanced Persistent Threat - APT)
* **Role:** Infrastructure Facilitator / ORB Operator
* **Associated Groups:**
* **UAT-5918:** A secondary threat actor known to leverage UAT-7810’s infrastructure for attacks on critical infrastructure.
* **LapDogs:** The name of the Operational Relay Box (ORB) network maintained and expanded by UAT-7810.
## Activity Summary
UAT-7810 is primarily tasked with the establishment and maintenance of Operational Relay Box (ORB) networks. These networks consist of compromised internet-facing devices (largely SOHO routers) used to mask the activities of other Chinese state-sponsored actors. Recent activity in mid-2026 indicates the group is refining bespoke malware frameworks (LONGLEASH) and exploiting new vulnerabilities in networking hardware to scale their proxy infrastructure.
## Tactics, Techniques & Procedures
* **Vulnerability Exploitation:** The actor weaponizes known and N-day vulnerabilities in edge networking equipment for initial access.
* **ORB Network Provisioning:** Establishes "relay boxes" to facilitate proxying for secondary threat actors, making attribution and detection more difficult for defenders.
* **Embedded Device Testing:** Conducts active testing of ELF binaries on MIPS-based architectures to ensure malware stability on IoT hardware.
* **Anti-Tampering:** Implements self-preservation mechanisms that remove all traces of the implant if tampering is detected.
* **Multi-Protocol Proxying:** Utilizes HTTP, DNS, SOCKS, TCP, ICMP, and UDP for data relay and Command & Control (C2).
**MITRE ATT&CK IDs (Inferred):**
* **T1190:** Exploit Public-Facing Application
* **T1090.003:** Proxy: Multi-hop Proxy
* **T1071:** Application Layer Protocol
* **T1106:** Native API (Testing via LEASHTEST)
* **T1070:** Indicator Removal
## Targeting
* **Sectors:** Critical Infrastructure (via downstream partners), Internet Service Providers, and SOHO/SMB networking.
* **Geography:** Global (infrastructure level), with downstream targeting specifically noted in **Taiwan**.
* **Victims:**
* Ruckus Wireless Routers
* ASUS AiCloud Routers
* MIPS-based embedded devices
## Tools & Infrastructure
* **LONGLEASH:** An advanced successor to ShortLeash; a full-fledged backdoor framework with proxying and intermediate C2 capabilities.
* **SHORTLEASH:** A bespoke backdoor used for initial C2 and web hosting on compromised devices.
* **DOGLEASH:** A passive backdoor capable of executing arbitrary shellcode on Linux-based devices.
* **JARLEASH:** A Java-based (JAR) backdoor used for file management and administrative tasks (FTP, SFTP, Netcat).
* **LEASHTEST:** An ELF binary used to test timer and thread functionality on MIPS platforms.
* **Infrastructure:** Utilizes "LapDogs" ORB network. Recent operations identified at least four new hosting servers for DOGLEASH deployment.
## Implications
UAT-7810 represents a specialized "tier-one" logistical element of Chinese cyber operations. Rather than conducting direct espionage, they provide the "hide-in-plain-sight" infrastructure that allows other threat actors (like UAT-5918) to operate with high stealth. The continued evolution of the "LEASH" malware suite suggests a long-term commitment to maintaining a robust, resilient proxy network that is difficult for traditional geofencing or IP-reputation services to block.
## Mitigations
* **Patch Management:** Prioritize patching of internet-facing networking equipment, specifically addressing **CVE-2020-22653**, **CVE-2020-22658**, **CVE-2023-25717**, and **CVE-2025-2492**.
* **Hardening:** Disable unused services such as AiCloud or remote management interfaces on SOHO routers.
* **Monitoring:** Implement behavior-based detection for unauthorized binary execution on networking hardware (MIPS/ARM ELF binaries).
* **Egress Filtering:** Restrict internal devices from communicating with unknown external IPs over non-standard proxy protocols.