A China-linked advanced persistent threat (APT) actor building an operational relay box (ORB) network for espionage has been updating its arsenal with new backdoors, Cisco’s Talos researchers warn.
As part of a prolonged espionage infrastructure campaign tracked as LapDogs, the APT infected over 1,000 small office/home office (SOHO) routers with the ShortLeash backdoor, SecurityScorecard reported last year.
Talos, which tracks the threat actor as UAT-7810, has discovered a newer version of the backdoor, dubbed LongLeash, as well as two other malware families the APT has been relying on, namely DogLeash and JarLeash.
UAT-7810 mainly targets known vulnerabilities in Ruckus wireless routers, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717, and was seen using payloads for multiple architectures, including MIPS, ARM, and x64.
Talos identified three IP addresses associated with VPS instances that UAT-7810 uses to download payloads, as well as four new servers the APT has been using to host malicious payloads such as DogLeash and accompanying shell scripts.
One of the IPs was also used in attacks targeting Asus AiCloud Routers, likely as part of the apparent ORB facilitation campaign dubbed Operation WrtHug that was publicly detailed in November 2025.
UAT-7810, Talos says, provides infrastructure to another China-linked APT, namely UAT-5918. The groups’ tooling overlaps, but they are still tracked as separate groups.
The recently identified LongLeash backdoor builds on the functionality previously observed in ShortLeash, such as command-and-control (C&C) communication, web server hosting, tunnel management, and the ability to act both as C&C and client, as well as additional capabilities.
It was built largely on the same codebase, but also contains code from the Nanopb and MbedTLS open source libraries. The backdoor can function as an intermediate server, forwarding commands and data received from the C&C to other peers.
DogLeash is a C-based passive backdoor deployed via a shell script that also adds iptables rules allowing TCP traffic to a port that DogLeash binds and listens to. Based on code received from the C&C, the backdoor can execute commands, read files, rename files, close the socket listener, retrieve OS information, and execute code in memory.
JarLeash is a Java-based backdoor that provides UAT-7810 with easy access to compromised systems. It is used alongside a script that kills all other instances of the backdoor and then spawns the Java container to deploy the malware. The backdoor can also be deployed on the APT’s internal infrastructure.
The backdoor can host a web-based file management interface and FTP and SFTP servers, and can run a netcat server on a provided IP and port number.
UAT-7810 was also seen developing LeashTest, a binary that tests functionality on the MIPS platform, and which is not malicious on its own, but can be an indicator of compromise (IoC).
“The development and use of LeashTest signifies that even though they have developed LongLeash, a full-fledged backdoor framework, UAT-7810 is still actively testing functionality on MIPS platforms and may not be completely confident of its behavior on MIPS devices,” Talos notes.
Related: Chinese Framework Powers 200,000 Scam Sites
Related: Chinese Hackers Target Medical, Military, and AI Research in North America
Related: FBI Seizes 13 Websites That Officials Say Were Used by China to Target and Recruit US Workers
Related: Five Eyes: Chinese Spies Target Government, Military Staff With Fake Job Opportunities
