Cybersecurity researchers have uncovered a new malware strain named LONGLEASH, developed by the China-linked threat group UAT-7810, which is being used to expand a covert Operational Relay Box (ORB) network by compromising internet-facing networking devices. According to a report by Cisco Talos, the campaign primarily targets unpatched Ruckus and ASUS AiCloud routers.
Researchers said the ORB network functions as a secure relay infrastructure that enables China-aligned Advanced Persistent Threat (APT) groups to route malicious traffic through compromised regional devices. This allows attackers to disguise the origin of their operations, making detection and attribution significantly more difficult.
Cisco Talos stated that LONGLEASH is an upgraded version of the previously documented SHORTLEASH backdoor. In addition to existing command-and-control (C2), web server and network tunnelling capabilities, the new malware supports reverse shell access, HTTP, DNS, SOCKS, TCP, ICMP and UDP proxying, SMTP client and server functionality, TLS and PKI support, self-removal mechanisms, and the ability to operate as an intermediate C2 server between infected systems.
Registration Begins for FutureCrime Summit 2026, India’s Largest Cybercrime Conference
According to the report, the attackers gain initial access by exploiting known vulnerabilities in internet-facing devices. These include CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 affecting Ruckus routers, as well as CVE-2025-2492 impacting ASUS AiCloud routers.
Researchers also identified three additional tools deployed alongside LONGLEASH—DOGLEASH, JARLEASH, and LEASHTEST. DOGLEASH is a lightweight Linux backdoor capable of remote command execution, file access, system information retrieval and in-memory code execution through web shell deployment. JARLEASH is a Java-based administrative utility providing web-based file management along with FTP, SFTP and Netcat server functionality. LEASHTEST is designed to verify whether MIPS-based IoT devices can support malware-related operations, helping attackers refine malware deployment on those platforms.
According to a Researcher at Algoritha Security, LONGLEASH demonstrates the growing sophistication of modern cyber-espionage operations, where attackers are building resilient and scalable malware platforms capable of supporting large covert infrastructure rather than merely stealing data. The researcher advised organisations to apply security patches promptly, continuously monitor internet-facing routers and IoT devices, and remediate known vulnerabilities without delay.
Cisco Talos warned that UAT-7810 continues to expand its ORB infrastructure by replacing the older SHORTLEASH malware with the more capable LONGLEASH while simultaneously broadening its malware toolkit. The researchers have also published Indicators of Compromise (IoCs) to help security teams detect potential infections and strengthen their defensive measures.
