Network Security

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

Cisco says the threat actor behind the LapDogs campaign has expanded its SOHO router malware toolkit with LongLeash, DogLeash, and JarLeash backdoors.

China APT

A China-linked advanced persistent threat (APT) actor building an operational relay box (ORB) network for espionage has been updating its arsenal with new backdoors, Cisco’s Talos researchers warn.

As part of a prolonged espionage infrastructure campaign tracked as LapDogs, the APT infected over 1,000 small office/home office (SOHO) routers with the ShortLeash backdoor, SecurityScorecard reported last year.

Talos, which tracks the threat actor as UAT-7810, has discovered a newer version of the backdoor, dubbed LongLeash, as well as two other malware families the APT has been relying on, namely DogLeash and JarLeash.

UAT-7810 mainly targets known vulnerabilities in Ruckus wireless routers, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717, and was seen using payloads for multiple architectures, including MIPS, ARM, and x64.

Talos identified three IP addresses associated with VPS instances that UAT-7810 uses to download payloads, as well as four new servers the APT has been using to host malicious payloads such as DogLeash and accompanying shell scripts.

One of the IPs was also used in attacks targeting Asus AiCloud Routers, likely as part of the apparent ORB facilitation campaign dubbed Operation WrtHug that was publicly detailed in November 2025.

Advertisement. Scroll to continue reading.

UAT-7810, Talos says, provides infrastructure to another China-linked APT, namely UAT-5918. The groups’ tooling overlaps, but they are still tracked as separate groups.

The recently identified LongLeash backdoor builds on the functionality previously observed in ShortLeash, such as command-and-control (C&C) communication, web server hosting, tunnel management, and the ability to act both as C&C and client, as well as additional capabilities.

It was built largely on the same codebase, but also contains code from the Nanopb and MbedTLS open source libraries. The backdoor can function as an intermediate server, forwarding commands and data received from the C&C to other peers.

DogLeash is a C-based passive backdoor deployed via a shell script that also adds iptables rules allowing TCP traffic to a port that DogLeash binds and listens to. Based on code received from the C&C, the backdoor can execute commands, read files, rename files, close the socket listener, retrieve OS information, and execute code in memory.

JarLeash is a Java-based backdoor that provides UAT-7810 with easy access to compromised systems. It is used alongside a script that kills all other instances of the backdoor and then spawns the Java container to deploy the malware. The backdoor can also be deployed on the APT’s internal infrastructure.

The backdoor can host a web-based file management interface and FTP and SFTP servers, and can run a netcat server on a provided IP and port number.

UAT-7810 was also seen developing LeashTest, a binary that tests functionality on the MIPS platform, and which is not malicious on its own, but can be an indicator of compromise (IoC).

“The development and use of LeashTest signifies that even though they have developed LongLeash, a full-fledged backdoor framework, UAT-7810 is still actively testing functionality on MIPS platforms and may not be completely confident of its behavior on MIPS devices,” Talos notes.

Related: Chinese Framework Powers 200,000 Scam Sites

Related: Chinese Hackers Target Medical, Military, and AI Research in North America

Related: FBI Seizes 13 Websites That Officials Say Were Used by China to Target and Recruit US Workers

Related: Five Eyes: Chinese Spies Target Government, Military Staff With Fake Job Opportunities

Related Content

Cybercrime

Threat actors are selling investment scam templates created using the legitimate DCloud Uni-App toolkit.

Nation-State

Google’s Threat Intelligence Group has been tracking the cyberespionage group as UNC6508 since early 2025.

Government

The 13 websites purported to be affiliated with consulting companies that advertised job openings for current and former holders of security clearances

Nation-State

Posing as recruiters on online platforms, Chinese intelligence officers target personnel with access to classified or privileged information.

Cybercrime

Relying on social engineering, the hacking group engages in credential phishing, malware distribution, and fraud activities.

Malware & Threats

Salt Typhoon has hit an energy entity in Azerbaijan. Twill Typhoon has targeted Asian entities with an updated RAT.

Nation-State

The cybersecurity firm has not explicitly accused China of being behind the attack, but the evidence suggests it was. 

Vulnerabilities

The security defects allow unauthenticated, remote attackers to execute arbitrary code through crafted requests.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version