Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Chinese hackers develop LONGLEASH malware to expand ORB network

0
Medium
Malware
Published: 07/07/2026 (07/07/2026, 18:52:19 UTC)
Source: Bleeping Computer

Description

Chinese hackers tracked as 'UAT-7810' are actively evolving their malware to expand their Operational Relay Box (ORB) network by compromising internet-facing networking devices, primarily unpatched Ruckus routers. The newly discovered LONGLEASH malware is an upgraded version of SHORTLEASH with expanded capabilities including reverse shell, multiple proxy protocols, SMTP functionality, TLS/PKI support, self-removal, and acting as an intermediate C2 server. The campaign exploits known vulnerabilities in Ruckus and ASUS AiCloud routers to gain initial access. Additional tools include DOGLEASH (Linux backdoor), JARLEASH (Java-based admin tool), and LEASHTEST (testing utility for MIPS IoT devices). This infrastructure supports China-aligned APTs by proxying network traffic to evade detection and complicate attribution.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/07/2026, 18:58:32 UTC

Technical Analysis

The threat actor UAT-7810 is expanding its ORB network by deploying LONGLEASH malware, an advanced evolution of the previously documented SHORTLEASH backdoor. LONGLEASH enhances command-and-control capabilities with reverse shell access, multiple proxying protocols (HTTP, DNS, SOCKS, TCP, ICMP, UDP), SMTP client/server functions, TLS and PKI support, and self-removal mechanisms. It can also serve as an intermediate C2 server forwarding commands and data between infected nodes. Initial access is primarily gained by exploiting known (n-day) vulnerabilities in internet-facing Ruckus routers (CVE-2020-22653, CVE-2020-22658, CVE-2023-25717) and ASUS AiCloud routers (CVE-2025-2492). Additional malware tools discovered include DOGLEASH, a Linux backdoor with shell command execution and arbitrary code execution capabilities; JARLEASH, a Java-based administrative tool with file management and FTP/SFTP/Netcat server functions; and LEASHTEST, a utility to test MIPS IoT device compatibility with malware operations. This ORB infrastructure facilitates proxying of network traffic for China-aligned APTs, complicating detection and attribution efforts.

Potential Impact

The LONGLEASH malware and associated toolset enable the threat actor to compromise and control internet-facing networking devices, primarily unpatched Ruckus and ASUS routers. This expands the ORB network infrastructure used to proxy malicious traffic, making detection and attribution more difficult. The malware supports multiple proxy protocols and can act as an intermediate command-and-control server, increasing operational flexibility for the threat actor. The exploitation of known vulnerabilities indicates that unpatched devices are at risk of compromise. The presence of backdoors and administrative tools allows for persistent access, remote command execution, and potential lateral movement within targeted networks.

Mitigation Recommendations

Patch all affected networking devices promptly by applying vendor security updates addressing the known vulnerabilities CVE-2020-22653, CVE-2020-22658, CVE-2023-25717 (Ruckus routers), and CVE-2025-2492 (ASUS AiCloud routers). Since the campaign exploits known (n-day) vulnerabilities, maintaining up-to-date firmware is critical. Network defenders should also review Cisco Talos’ report and indicators of compromise (IoCs) linked to UAT-7810 activity to detect and remediate infections. No vendor advisory or official fix status is provided in the input; therefore, patch status is not yet confirmed — check vendor advisories for current remediation guidance. Implementing network segmentation and restricting internet-facing management interfaces can reduce exposure. Monitor for unusual proxying activity and command-and-control communications consistent with LONGLEASH capabilities.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Article Source
{"url":"https://www.bleepingcomputer.com/news/security/chinese-hackers-develop-longleash-malware-to-expand-orb-network/","fetched":true,"fetchedAt":"2026-07-07T18:58:23.647Z","wordCount":735}

Threat ID: 6a4d4c4fc9d9e3dbe3ae158a

Added to database: 07/07/2026, 18:58:23 UTC

Last enriched: 07/07/2026, 18:58:32 UTC

Last updated: 07/08/2026, 03:23:23 UTC

Views: 50

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses