ctipilot.ch

UAT-7810

actor · actor:uat-7810 single-source

China-nexus threat actor Cisco Talos (2026-07-07) assesses with high confidence builds and maintains Operational Relay Box (ORB) networks by exploiting unpatched Ruckus and ASUS AiCloud routers; its relay infrastructure is leveraged by secondary China-nexus APTs including UAT-5918.

Coverage timeline
1
first 2026-07-08 → last 2026-07-08
Entries
1
1 distinct days
Sources cited
1
1 hosts
Sections touched
1
active-threats
Co-occurring entities
2
see Related entities below

Story timeline

  1. 2026-07-08Cisco Talos: China-nexus UAT-7810 expands its ORB network with LONGLEASH/DOGLEASH/JARLEASH via unpatched Ruckus and ASUS routers
    active-threatsTalos: China-nexus UAT-7810 builds ORB relay networks from unpatched Ruckus/ASUS routers for secondary APTs

Where this entity is cited

  • active-threats1

Source distribution

  • blog.talosintelligence.com1 (100%)

Related entities

Entries about UAT-7810 (1)

2026-07-08 · view entry permalink →

NOTABLE

Cisco Talos: China-nexus UAT-7810 expands its ORB network with LONGLEASH/DOGLEASH/JARLEASH via unpatched Ruckus and ASUS routers

Cisco Talos profiled UAT-7810, a China-nexus actor Talos assesses with high confidence is tasked with building and maintaining Operational Relay Box (ORB) networks — relay/proxy infrastructure built from compromised networking gear that secondary China-nexus APTs use to launder the origin of operations against high-value targets (Cisco Talos, 2026-07-07). Talos names UAT-5918 — previously documented targeting Taiwanese critical infrastructure — as one such downstream consumer. Initial access is exploitation of known, unpatched vulnerabilities in Ruckus wireless routers (CVE-2020-22653, CVE-2020-22658, CVE-2023-25717) and ASUS AiCloud routers (CVE-2025-2492), a tactic UAT-7810 has used since 2025 rather than a fresh zero-day (T1190). The malware suite, internally "ff-agent", now includes LONGLEASH — an enhanced successor to the SHORTLEASH backdoor adding reverse-shell and HTTP/DNS/SOCKS/TCP/ICMP/UDP multi-protocol proxying (T1090.003) — plus DOGLEASH, a passive C-based Linux backdoor, and JARLEASH, a Java-based admin tool for file management and FTP/SFTP access; it is built with Boost.Asio, custom protobuf encoding and MbedTLS TLS proxying, compiled for MIPS/ARM/x64, and self-deletes if tampering or a suspicious connection is detected (T1070). Defender takeaway: the relevance here is the actor and infrastructure model, not a specific victim — a China-nexus ORB builder feeding critical-infrastructure-targeting APTs is exactly the same-actor read that matters for Swiss/European CI and government defenders, whose exposure is twofold: their own edge/CPE being conscripted into the relay mesh, and adversary traffic arriving from residential/SOHO ranges that IP-reputation alone will not flag. Detection is network-telemetry-based since the implants live on embedded CPE, not managed endpoints.

Talos assesses with high confidence that UAT-7810 is a China-nexus threat actor based on the infrastructure that it provides to secondary China-nexus APTs such as UAT-5918.

Talos has observed UAT-7810 primarily exploit known vulnerabilities in unpatched Ruckus wireless routers, a tactic UAT-7810 has used since 2025.

Cisco Talos 2026-07-07
threat08 Jul 20:35Zsingle-sourceOpen finding ↗
Sources: Cisco Talos