Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

Cisco says the threat actor behind the LapDogs campaign has expanded its SOHO router malware toolkit with LongLeash, DogLeash, and JarLeash backdoors.

China APT

A China-linked advanced persistent threat (APT) actor building an operational relay box (ORB) network for espionage has been updating its arsenal with new backdoors, Cisco’s Talos researchers warn.

As part of a prolonged espionage infrastructure campaign tracked as LapDogs, the APT infected over 1,000 small office/home office (SOHO) routers with the ShortLeash backdoor, SecurityScorecard reported last year.

Talos, which tracks the threat actor as UAT-7810, has discovered a newer version of the backdoor, dubbed LongLeash, as well as two other malware families the APT has been relying on, namely DogLeash and JarLeash.

UAT-7810 mainly targets known vulnerabilities in Ruckus wireless routers, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717, and was seen using payloads for multiple architectures, including MIPS, ARM, and x64.

Talos identified three IP addresses associated with VPS instances that UAT-7810 uses to download payloads, as well as four new servers the APT has been using to host malicious payloads such as DogLeash and accompanying shell scripts.

One of the IPs was also used in attacks targeting Asus AiCloud Routers, likely as part of the apparent ORB facilitation campaign dubbed Operation WrtHug that was publicly detailed in November 2025.

Advertisement. Scroll to continue reading.

UAT-7810, Talos says, provides infrastructure to another China-linked APT, namely UAT-5918. The groups’ tooling overlaps, but they are still tracked as separate groups.

The recently identified LongLeash backdoor builds on the functionality previously observed in ShortLeash, such as command-and-control (C&C) communication, web server hosting, tunnel management, and the ability to act both as C&C and client, as well as additional capabilities.

It was built largely on the same codebase, but also contains code from the Nanopb and MbedTLS open source libraries. The backdoor can function as an intermediate server, forwarding commands and data received from the C&C to other peers.

DogLeash is a C-based passive backdoor deployed via a shell script that also adds iptables rules allowing TCP traffic to a port that DogLeash binds and listens to. Based on code received from the C&C, the backdoor can execute commands, read files, rename files, close the socket listener, retrieve OS information, and execute code in memory.

JarLeash is a Java-based backdoor that provides UAT-7810 with easy access to compromised systems. It is used alongside a script that kills all other instances of the backdoor and then spawns the Java container to deploy the malware. The backdoor can also be deployed on the APT’s internal infrastructure.

The backdoor can host a web-based file management interface and FTP and SFTP servers, and can run a netcat server on a provided IP and port number.

UAT-7810 was also seen developing LeashTest, a binary that tests functionality on the MIPS platform, and which is not malicious on its own, but can be an indicator of compromise (IoC).

“The development and use of LeashTest signifies that even though they have developed LongLeash, a full-fledged backdoor framework, UAT-7810 is still actively testing functionality on MIPS platforms and may not be completely confident of its behavior on MIPS devices,” Talos notes.

Related: Chinese Framework Powers 200,000 Scam Sites

Related: Chinese Hackers Target Medical, Military, and AI Research in North America

Related: FBI Seizes 13 Websites That Officials Say Were Used by China to Target and Recruit US Workers

Related: Five Eyes: Chinese Spies Target Government, Military Staff With Fake Job Opportunities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Sherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.

Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.

Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.