China-Linked UAT-7810 Expands ORB Network With LONGLEASH Malware
A Chinese threat actor identified as UAT-7810 is actively developing custom malware to broaden its Operational Relay Box (ORB) network through the compromise of internet-facing networking devices. Cisco Talos researchers have detailed these activities, noting that UAT-7810 is an advanced persistent threat (APT) group responsible for the LapDogs ORB network, which was first observed in June 2025.
The group's latest efforts involve the deployment of a new malware strain named LONGLEASH. This malware is designed to establish and maintain persistent access within compromised devices, allowing UAT-7810 to integrate them into their ORB infrastructure. The ORB network functions as a series of interconnected compromised devices that can be used to relay malicious traffic, obscure the origin of attacks, and facilitate further network intrusions.
Cisco Talos's analysis indicates that UAT-7810 targets a variety of networking hardware, exploiting vulnerabilities to gain initial access. Once inside, LONGLEASH establishes a command-and-control (C2) channel, enabling the threat actor to manage the compromised device and use it as a stepping stone for other malicious operations. The expansion of the ORB network enhances the actor's capabilities for conducting sophisticated cyberattacks, including espionage and data theft.
The findings highlight the ongoing evolution of APT tactics, techniques, and procedures (TTPs) employed by state-sponsored groups. The continuous refinement of bespoke malware like LONGLEASH underscores the persistent threat posed by actors like UAT-7810 to global cybersecurity infrastructure. Organizations are advised to maintain vigilance and implement robust security measures to protect their internet-facing devices from such sophisticated threats.
Original source — read the full reporting at the publisher:
Read on The Hacker News