Chinese hackers have developed a new LONGLEASH malware to expand their covert relay network, as per Cisco Talos researchers, who exposed the campaign this week. The threat group, tracked as UAT-7810, compromises internet-facing routers to hide malicious traffic. The malware primarily targets unpatched Ruckus wireless routers.
LONGLEASH upgrades the earlier SHORTLEASH backdoor. It adds significant new capabilities to an already dangerous toolkit. The malware supports reverse shell access and multiple proxying protocols including HTTP, DNS, SOCKS, TCP, ICMP, and UDP. It can operate as an intermediate command-and-control server between infected systems. The malware also removes itself when it detects tampering attempts.
The ORB network functions as secure relay infrastructure. Operational Relay Box networks route malicious traffic through compromised regional devices. This disguises the true origin of attacks. Detection and attribution become significantly harder. Other China-aligned groups rent this infrastructure to mask their own espionage operations.
UAT-7810 maintains the LapDogs network, first exposed in 2025. The group infected over 1,000 small office and home office routers. Its role focuses on building infrastructure for other threat actors. One group, UAT-5918, has targeted Taiwan critical infrastructure since 2023.
The hackers exploit known vulnerabilities to gain access. Targeted flaws include CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 in Ruckus routers. Campaigns this year also targeted ASUS AiCloud routers vulnerable to CVE-2025-2492. The group relies on organizations failing to patch known flaws.
Talos discovered additional tools in the campaign. DOGLEASH is a lightweight Linux backdoor deployed through web shell scripts. JARLEASH is a Java-based administrative tool for server management. A JARLEASH configuration file contained Simplified Chinese comments, confirming Chinese-speaking operators.
Security experts urge immediate action. Organizations should apply patches promptly and monitor internet-facing routers. IoT devices require continuous monitoring for compromise. Attackers increasingly build resilient malware platforms supporting large covert infrastructure rather than merely stealing data.
