Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

0
Medium
Malware
Published: 07/08/2026 (07/08/2026, 15:42:11 UTC)
Source: SecurityWeek

Description

A China-linked advanced persistent threat (APT) group known as UAT-7810 has expanded its malware toolkit targeting small office/home office (SOHO) routers with new backdoors named LongLeash, DogLeash, and JarLeash. These backdoors build on previous malware used in the LapDogs campaign, enabling command-and-control communication, web server hosting, tunnel management, and file management capabilities. The group exploits known vulnerabilities in Ruckus wireless routers and uses multiple architectures including MIPS, ARM, and x64. The malware can act as intermediate servers, execute commands, and provide remote access to compromised devices. The threat actor also maintains infrastructure to support another China-linked APT, UAT-5918. No known exploits in the wild or patches are specified in the available information.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/08/2026, 15:43:28 UTC

Technical Analysis

Cisco Talos researchers report that the China-linked APT group UAT-7810, involved in the LapDogs espionage campaign, has enhanced its SOHO router malware arsenal with new backdoors: LongLeash, DogLeash, and JarLeash. LongLeash extends the functionality of the earlier ShortLeash backdoor, supporting C&C communication, web server hosting, tunnel management, and acting as both client and server. DogLeash is a C-based passive backdoor deployed via shell scripts that can execute commands, manipulate files, and retrieve OS information. JarLeash is a Java-based backdoor providing web-based file management, FTP/SFTP servers, and netcat server capabilities. The group targets known vulnerabilities in Ruckus wireless routers (CVE-2020-22653, CVE-2020-22658, CVE-2023-25717) and uses payloads for multiple CPU architectures. The APT operates infrastructure overlapping with another China-linked group, UAT-5918. The threat actor also uses LeashTest, a non-malicious binary for testing functionality on MIPS platforms. No specific patch or remediation guidance is provided in the source content.

Potential Impact

The malware enables persistent remote access and control over compromised SOHO routers, facilitating espionage activities by allowing command execution, file management, and network traffic forwarding. The backdoors can act as intermediate servers, potentially expanding the reach and stealth of the threat actor's infrastructure. Exploitation of known vulnerabilities in widely deployed Ruckus routers increases the risk of large-scale compromise. The presence of multiple backdoors and support for various architectures indicates a sophisticated and adaptable threat. However, no known active exploitation in the wild is reported at this time.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The threat actor exploits known vulnerabilities in Ruckus wireless routers (CVE-2020-22653, CVE-2020-22658, CVE-2023-25717); therefore, applying official patches for these vulnerabilities from the router vendor is recommended. Network defenders should monitor for indicators of compromise related to the LongLeash, DogLeash, and JarLeash backdoors and consider isolating or replacing affected SOHO routers. Since no specific vendor advisory or patch links are provided, organizations should consult Ruckus and Cisco Talos advisories for updates and mitigation instructions.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Article Source
{"url":"https://www.securityweek.com/china-linked-apt-expands-arsenal-with-new-leash-backdoors/","fetched":true,"fetchedAt":"2026-07-08T15:43:19.159Z","wordCount":1236}

Threat ID: 6a4e7017c9d9e3dbe35c2fdf

Added to database: 07/08/2026, 15:43:19 UTC

Last enriched: 07/08/2026, 15:43:28 UTC

Last updated: 07/09/2026, 01:57:38 UTC

Views: 10

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses