A China-linked hacking crew is quietly converting hijacked routers into a covert relay network that other state-backed groups can hide behind, and it has just rolled out a fresh batch of custom backdoors to keep the operation growing. Researchers at Cisco Talos say the actor they track as UAT-7810 builds and maintains "LapDogs," a network of Operational Relay Boxes (ORBs). An ORB is simply a compromised internet-facing device that attackers push their traffic through, so an intrusion looks like it is coming from an innocuous home or office router rather than from the real operator.
According to the original report, UAT-7810's role appears to be building this relay layer and then handing it to other China-nexus groups for their own attacks on high value targets. Talos assesses with high confidence that UAT-7810 is China-nexus, partly because it shares infrastructure with a second Chinese APT the team tracks as UAT-5918, and because configuration files recovered from the malware contain comments written in Simplified Chinese. The LapDogs network was first disclosed by SecurityScorecard in 2025.
What is affected
UAT-7810 breaks in by exploiting old, unpatched network gear rather than burning zero-days. Since 2025 it has focused on Ruckus wireless routers, abusing CVE-2020-22653, CVE-2020-22658 and CVE-2023-25717, and in early 2026 it expanded to ASUS AiCloud routers through CVE-2025-2492. The group hosts payloads for a range of hardware, including MIPS, ARM and x64, which lets it enslave a wide variety of consumer and small-business devices.
New malware in the toolkit
Talos found that the crew keeps actively developing its implants. Its main tool, previously called SHORTLEASH, has evolved into a more capable version the researchers named LONGLEASH, which can proxy traffic over HTTP, DNS, SOCKS, TCP, ICMP and UDP, act as an intermediate command-and-control node for other infected devices, and wipe itself if it detects tampering. Alongside it, Talos identified three previously unknown tools: DOGLEASH, a passive Linux backdoor that runs attacker commands and shellcode; JARLEASH, a Java-based backdoor offering file management plus FTP, SFTP and Netcat services for hands-on administration; and LEASHTEST, a small test program the operators use to check their code on MIPS-based embedded devices.
What you should do
Organizations and home users should patch or replace end-of-life Ruckus and ASUS routers, apply the vendor fixes for the CVEs above, and retire internet-exposed devices that no longer receive updates, since these are exactly the boxes ORB operators recruit. Talos has published Snort and ClamAV detection coverage for the malware. The campaign fits a wider trend of state-linked actors turning neglected edge devices into hidden infrastructure, as seen with the AryStinger relay botnet and China's APT31 SOHO router spy network.
Indicators of compromise
Talos links the following defanged servers to UAT-7810: 194[.]233[.]92[.]26, 217[.]15[.]160[.]247, 217[.]15[.]164[.]147 and 95[.]182[.]100[.]231 (the last hosted in Hong Kong). Sample hashes include 755fcee1337a252203002ecfdf673a08cfadeda8d738bef2d518a08e0626aa4f (LONGLEASH), 604b53f87d6c070bf387e80c70a6df8d272fa3fc143148d41f13e59d52ab1f13 (DOGLEASH) and 324d95024fc8da5c92b5a1f4825aed5a2a91c9ca8fb6aa52abb332a4c9cf4257 (JARLEASH).
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.