Chinese hackers develop LONGLEASH malware to expand ORB network
Chinese hackers tracked as 'UAT-7810' are actively evolving their malware to expand their Operational Relay Box (ORB) network by compromising internet-facing networking devices, primarily unpatched Ruckus routers. The newly discovered LONGLEASH malware is an upgraded version of SHORTLEASH with expanded capabilities including reverse shell, multiple proxy protocols, SMTP functionality, TLS/PKI support, self-removal, and acting as an intermediate C2 server. The campaign exploits known vulnerabilities in Ruckus and ASUS AiCloud routers to gain initial access. Additional tools include DOGLEASH (Linux backdoor), JARLEASH (Java-based admin tool), and LEASHTEST (testing utility for MIPS IoT devices). This infrastructure supports China-aligned APTs by proxying network traffic to evade detection and complicate attribution.
AI Analysis
Technical Summary
The threat actor UAT-7810 is expanding its ORB network by deploying LONGLEASH malware, an advanced evolution of the previously documented SHORTLEASH backdoor. LONGLEASH enhances command-and-control capabilities with reverse shell access, multiple proxying protocols (HTTP, DNS, SOCKS, TCP, ICMP, UDP), SMTP client/server functions, TLS and PKI support, and self-removal mechanisms. It can also serve as an intermediate C2 server forwarding commands and data between infected nodes. Initial access is primarily gained by exploiting known (n-day) vulnerabilities in internet-facing Ruckus routers (CVE-2020-22653, CVE-2020-22658, CVE-2023-25717) and ASUS AiCloud routers (CVE-2025-2492). Additional malware tools discovered include DOGLEASH, a Linux backdoor with shell command execution and arbitrary code execution capabilities; JARLEASH, a Java-based administrative tool with file management and FTP/SFTP/Netcat server functions; and LEASHTEST, a utility to test MIPS IoT device compatibility with malware operations. This ORB infrastructure facilitates proxying of network traffic for China-aligned APTs, complicating detection and attribution efforts.
Potential Impact
The LONGLEASH malware and associated toolset enable the threat actor to compromise and control internet-facing networking devices, primarily unpatched Ruckus and ASUS routers. This expands the ORB network infrastructure used to proxy malicious traffic, making detection and attribution more difficult. The malware supports multiple proxy protocols and can act as an intermediate command-and-control server, increasing operational flexibility for the threat actor. The exploitation of known vulnerabilities indicates that unpatched devices are at risk of compromise. The presence of backdoors and administrative tools allows for persistent access, remote command execution, and potential lateral movement within targeted networks.
Mitigation Recommendations
Patch all affected networking devices promptly by applying vendor security updates addressing the known vulnerabilities CVE-2020-22653, CVE-2020-22658, CVE-2023-25717 (Ruckus routers), and CVE-2025-2492 (ASUS AiCloud routers). Since the campaign exploits known (n-day) vulnerabilities, maintaining up-to-date firmware is critical. Network defenders should also review Cisco Talos’ report and indicators of compromise (IoCs) linked to UAT-7810 activity to detect and remediate infections. No vendor advisory or official fix status is provided in the input; therefore, patch status is not yet confirmed — check vendor advisories for current remediation guidance. Implementing network segmentation and restricting internet-facing management interfaces can reduce exposure. Monitor for unusual proxying activity and command-and-control communications consistent with LONGLEASH capabilities.
Chinese hackers develop LONGLEASH malware to expand ORB network
Description
Chinese hackers tracked as 'UAT-7810' are actively evolving their malware to expand their Operational Relay Box (ORB) network by compromising internet-facing networking devices, primarily unpatched Ruckus routers. The newly discovered LONGLEASH malware is an upgraded version of SHORTLEASH with expanded capabilities including reverse shell, multiple proxy protocols, SMTP functionality, TLS/PKI support, self-removal, and acting as an intermediate C2 server. The campaign exploits known vulnerabilities in Ruckus and ASUS AiCloud routers to gain initial access. Additional tools include DOGLEASH (Linux backdoor), JARLEASH (Java-based admin tool), and LEASHTEST (testing utility for MIPS IoT devices). This infrastructure supports China-aligned APTs by proxying network traffic to evade detection and complicate attribution.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The threat actor UAT-7810 is expanding its ORB network by deploying LONGLEASH malware, an advanced evolution of the previously documented SHORTLEASH backdoor. LONGLEASH enhances command-and-control capabilities with reverse shell access, multiple proxying protocols (HTTP, DNS, SOCKS, TCP, ICMP, UDP), SMTP client/server functions, TLS and PKI support, and self-removal mechanisms. It can also serve as an intermediate C2 server forwarding commands and data between infected nodes. Initial access is primarily gained by exploiting known (n-day) vulnerabilities in internet-facing Ruckus routers (CVE-2020-22653, CVE-2020-22658, CVE-2023-25717) and ASUS AiCloud routers (CVE-2025-2492). Additional malware tools discovered include DOGLEASH, a Linux backdoor with shell command execution and arbitrary code execution capabilities; JARLEASH, a Java-based administrative tool with file management and FTP/SFTP/Netcat server functions; and LEASHTEST, a utility to test MIPS IoT device compatibility with malware operations. This ORB infrastructure facilitates proxying of network traffic for China-aligned APTs, complicating detection and attribution efforts.
Potential Impact
The LONGLEASH malware and associated toolset enable the threat actor to compromise and control internet-facing networking devices, primarily unpatched Ruckus and ASUS routers. This expands the ORB network infrastructure used to proxy malicious traffic, making detection and attribution more difficult. The malware supports multiple proxy protocols and can act as an intermediate command-and-control server, increasing operational flexibility for the threat actor. The exploitation of known vulnerabilities indicates that unpatched devices are at risk of compromise. The presence of backdoors and administrative tools allows for persistent access, remote command execution, and potential lateral movement within targeted networks.
Mitigation Recommendations
Patch all affected networking devices promptly by applying vendor security updates addressing the known vulnerabilities CVE-2020-22653, CVE-2020-22658, CVE-2023-25717 (Ruckus routers), and CVE-2025-2492 (ASUS AiCloud routers). Since the campaign exploits known (n-day) vulnerabilities, maintaining up-to-date firmware is critical. Network defenders should also review Cisco Talos’ report and indicators of compromise (IoCs) linked to UAT-7810 activity to detect and remediate infections. No vendor advisory or official fix status is provided in the input; therefore, patch status is not yet confirmed — check vendor advisories for current remediation guidance. Implementing network segmentation and restricting internet-facing management interfaces can reduce exposure. Monitor for unusual proxying activity and command-and-control communications consistent with LONGLEASH capabilities.
Technical Details
- Article Source
- {"url":"https://www.bleepingcomputer.com/news/security/chinese-hackers-develop-longleash-malware-to-expand-orb-network/","fetched":true,"fetchedAt":"2026-07-07T18:58:23.647Z","wordCount":735}
Threat ID: 6a4d4c4fc9d9e3dbe3ae158a
Added to database: 07/07/2026, 18:58:23 UTC
Last enriched: 07/07/2026, 18:58:32 UTC
Last updated: 07/08/2026, 03:23:23 UTC
Views: 50
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.