Winning 54% of the time
Cisco Talos reports that the China-nexus threat actor UAT-7810 is expanding its Operational Relay Box (ORB) networks by exploiting known vulnerabilities in unpatched Ruckus and ASUS routers. The group deploys new custom malware tools, including upgraded LONGLEASH and DOGLEASH backdoors, to build covert proxy networks that mask origins and route malicious traffic. These networks create significant blind spots for defenders by compromising edge devices and enabling other APT groups to launch attacks. Defenders are advised to patch affected routers and monitor for unusual proxying behavior. The threat actor relies on exploiting known (n-day) vulnerabilities rather than zero-days. No known exploits in the wild have been reported at this time.
AI Analysis
Technical Summary
The threat actor UAT-7810, associated with China, is actively expanding its covert infrastructure by exploiting unpatched vulnerabilities in Ruckus and ASUS routers. They deploy sophisticated custom malware, including LONGLEASH and DOGLEASH backdoors, to establish Operational Relay Box (ORB) networks. These ORB networks serve as decentralized proxy infrastructures that enable secondary threat actors to obfuscate their attack origins and bypass traditional perimeter defenses. The group’s focus on edge device compromise and multi-platform malware development indicates a strategic investment in resilient and evasive attack infrastructure. The exploitation vector is based on known vulnerabilities in specific router models, emphasizing the importance of patching. Cisco Talos provides indicators of compromise (IOCs) to detect and block this malware suite. No confirmed exploits in the wild have been documented.
Potential Impact
The exploitation of known vulnerabilities in Ruckus and ASUS routers allows UAT-7810 to build covert proxy networks that create significant blind spots in network defenses. This infrastructure facilitates stealthy routing of malicious traffic and enables other advanced persistent threat (APT) groups to launch attacks against high-value targets. The compromised edge devices undermine perimeter security by acting as decentralized proxies, complicating detection and attribution efforts. The threat actor’s use of custom malware backdoors increases the resilience and evasiveness of their infrastructure. No direct exploitation incidents have been confirmed in the wild, but the potential for indirect impact via secondary threat actors is significant.
Mitigation Recommendations
A fix is available through patching: defenders must ensure that all Ruckus and ASUS routers are fully updated with the latest security patches to remediate the known vulnerabilities exploited by UAT-7810. Monitoring network traffic for unusual proxying behavior or unauthorized connections on edge devices that typically do not run complex services is recommended. Utilize the provided indicators of compromise (IOCs) from Cisco Talos to detect and block the LONGLEASH and DOGLEASH malware suite. Since the threat actor exploits n-day vulnerabilities, timely patch management is the primary mitigation. No vendor advisory indicates that no action is required or that the issue is already mitigated.
Winning 54% of the time
Description
Cisco Talos reports that the China-nexus threat actor UAT-7810 is expanding its Operational Relay Box (ORB) networks by exploiting known vulnerabilities in unpatched Ruckus and ASUS routers. The group deploys new custom malware tools, including upgraded LONGLEASH and DOGLEASH backdoors, to build covert proxy networks that mask origins and route malicious traffic. These networks create significant blind spots for defenders by compromising edge devices and enabling other APT groups to launch attacks. Defenders are advised to patch affected routers and monitor for unusual proxying behavior. The threat actor relies on exploiting known (n-day) vulnerabilities rather than zero-days. No known exploits in the wild have been reported at this time.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The threat actor UAT-7810, associated with China, is actively expanding its covert infrastructure by exploiting unpatched vulnerabilities in Ruckus and ASUS routers. They deploy sophisticated custom malware, including LONGLEASH and DOGLEASH backdoors, to establish Operational Relay Box (ORB) networks. These ORB networks serve as decentralized proxy infrastructures that enable secondary threat actors to obfuscate their attack origins and bypass traditional perimeter defenses. The group’s focus on edge device compromise and multi-platform malware development indicates a strategic investment in resilient and evasive attack infrastructure. The exploitation vector is based on known vulnerabilities in specific router models, emphasizing the importance of patching. Cisco Talos provides indicators of compromise (IOCs) to detect and block this malware suite. No confirmed exploits in the wild have been documented.
Potential Impact
The exploitation of known vulnerabilities in Ruckus and ASUS routers allows UAT-7810 to build covert proxy networks that create significant blind spots in network defenses. This infrastructure facilitates stealthy routing of malicious traffic and enables other advanced persistent threat (APT) groups to launch attacks against high-value targets. The compromised edge devices undermine perimeter security by acting as decentralized proxies, complicating detection and attribution efforts. The threat actor’s use of custom malware backdoors increases the resilience and evasiveness of their infrastructure. No direct exploitation incidents have been confirmed in the wild, but the potential for indirect impact via secondary threat actors is significant.
Mitigation Recommendations
A fix is available through patching: defenders must ensure that all Ruckus and ASUS routers are fully updated with the latest security patches to remediate the known vulnerabilities exploited by UAT-7810. Monitoring network traffic for unusual proxying behavior or unauthorized connections on edge devices that typically do not run complex services is recommended. Utilize the provided indicators of compromise (IOCs) from Cisco Talos to detect and block the LONGLEASH and DOGLEASH malware suite. Since the threat actor exploits n-day vulnerabilities, timely patch management is the primary mitigation. No vendor advisory indicates that no action is required or that the issue is already mitigated.
Technical Details
- Article Source
- {"url":"https://blog.talosintelligence.com/winning-54-of-the-time/","fetched":true,"fetchedAt":"2026-07-09T18:13:07.230Z","wordCount":1280}
Threat ID: 6a4fe4b368715ace43d7da9e
Added to database: 07/09/2026, 18:13:07 UTC
Last enriched: 07/09/2026, 18:13:15 UTC
Last updated: 07/09/2026, 18:13:15 UTC
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.