Cisco Talos researchers have documented significant expansion in the malware arsenal of UAT-7810, an advanced persistent threat actor responsible for building and maintaining operational relay box networks that enable other Chinese APT groups to conduct attacks against high-value targets. The group, first disclosed by SecurityScorecard in 2025, has developed four distinct malware families that target networking devices and embedded systems. Talos assesses with high confidence that UAT-7810 operates on behalf of Chinese interests based on infrastructure sharing with other China-nexus threat actors, though the groups maintain separate operational objectives.
The threat actor's primary tactic involves exploiting known vulnerabilities in unpatched networking equipment, particularly Ruckus wireless routers. UAT-7810 has been observed targeting CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 in Ruckus devices since 2025. In early 2026, the group expanded operations to include ASUS AiCloud routers by exploiting CVE-2025-2492. After successful compromise, attackers deploy shell scripts that download malicious payloads, modify firewall rules to allow specific traffic, and execute backdoors on the compromised devices.
Talos identified four new malware families in UAT-7810's toolkit. LONGLEASH represents an enhanced version of the previously disclosed SHORTLEASH backdoor, built on the Boost.Asio library for improved network performance on MIPS processors. The malware supports reverse shells, multiple proxy protocols (HTTP, DNS, SOCKS, TCP, ICMP, UDP), packet redirection, and SMTP functionality. DOGLEASH functions as a passive backdoor that listens on hardcoded ports, decodes incoming traffic using a password string, and executes commands including file operations and arbitrary shellcode. JARLEASH, a Java-based tool, provides web-based file management, FTP/SFTP servers, and netcat capabilities, with configuration files containing Simplified Chinese comments. LEASHTEST serves as a testing utility for validating basic functionality on MIPS-based Internet of Things devices.
Researchers discovered four new command and control servers hosting these malware variants across multiple hardware platforms including MIPS, ARM, and x64 architectures. Three IP addresses (194.233.92[.]26, 217.15.160[.]247, and 217.15.164[.]147) were associated with VPS instances used as download locations, while a fourth server (95.182.100[.]231) located in Hong Kong was identified through forensic analysis of compromised devices. Two of these servers hosted TLS services on port 99 with identical certificate fingerprints containing the subject "exploit" across all fields, suggesting coordinated infrastructure management.
Organizations should prioritize patching the identified CVEs in Ruckus and ASUS networking equipment, particularly in environments with internet-facing devices. Network defenders should monitor for connections to the disclosed IP addresses and deploy available detection signatures, including SNORT SIDs 66433, 66432, 66430, 66431, and 301493, along with the published ClamAV signatures. Security teams should conduct forensic reviews of networking devices for signs of compromise, including unexpected iptables rules, suspicious listening ports, and the presence of the disclosed file hashes. Given UAT-7810's role in establishing relay infrastructure for secondary threat actors, compromised devices may facilitate broader attack campaigns beyond the initial intrusion.
Source: https://blog.talosintelligence.com/uat-7810/


