Warning: UAT-7810 Hackers Use LONGLEASH Malware to Target Routers and Build a Stealth Relay Network

Views: 56 views

373/69 Thursday, July 9, 2026

Security researchers have identified activity linked to a cyber threat group known as UAT-7810, which is developing a new malware toolkit to expand the capabilities of its Operational Relay Box (ORB) network. The group targets internet-connected network devices, especially unpatched Ruckus and ASUS routers. This type of network is used as intermediary infrastructure by other advanced persistent threat (APT) groups to disguise network traffic as legitimate activity originating from trusted sources within a specific region. This helps attackers evade detection and significantly complicates efforts to trace the true source of the activity.

In terms of attack details, UAT-7810 exploits previously disclosed but unpatched n-day vulnerabilities, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 in Ruckus routers, as well as CVE-2025-2492 in ASUS AiCloud routers, to gain access to target systems. The attackers then deploy a new malware called LONGLEASH, which has been developed with enhanced capabilities, including opening channels for system control, acting as a proxy to route traffic, automatically deleting itself when suspicious activity is detected, and functioning as a sub-command-and-control node to relay commands between nodes. Researchers also identified additional supporting tools, including a Linux backdoor named DOGLEASH, a Java-based file management tool named JARLEASH, and a program called LEASHTEST, which attackers use to test malware functionality on IoT devices in preparation for expanding their attack infrastructure.

To reduce risk and prevent potential impact from this threat, network administrators and general users should promptly inspect devices under their control, especially the router models identified in the report, and update their firmware to the latest version to patch the vulnerabilities being exploited by attackers. Organizations should also increase monitoring for abnormal network traffic and apply Indicators of Compromise (IoCs) from the report to their security systems to determine whether any internal devices have been compromised or used as part of this hidden relay infrastructure. These measures can help limit potential damage and strengthen the overall security posture of the environment.

Source : https://www.bleepingcomputer.com/news/security/chinese-hackers-develop-longleash-malware-to-expand-orb-network