China-Nexus UAT-7810 Exploits Ruckus Devices to Expand LapDogs ORB Network
Cisco Talos says a China-nexus threat actor tracked as UAT-7810 is continuing to build and maintain the LapDogs Operational Relay Box network by compromising internet-facing networking devices.
The campaign relies heavily on unpatched Ruckus wireless routers and access points, then deploys custom malware that turns those devices into relay infrastructure. According to Cisco Talos, UAT-7810 likely builds these relay networks so other China-nexus actors can route malicious traffic through ordinary devices.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
That makes the activity harder to trace. Instead of connecting from obvious attacker infrastructure, operators can bounce traffic through home, small office, and business network gear that already blends into normal internet activity.
What is the LapDogs ORB network?
An Operational Relay Box, or ORB, is a network of compromised devices used as covert relay infrastructure. The devices may continue working normally for their owners while attackers use them to hide the true origin of cyber operations.
SecurityScorecard first disclosed the LapDogs campaign in 2025 and said it had identified more than 1,000 actively infected nodes. The company said the network focused on the United States and parts of Asia, including Japan, South Korea, Hong Kong, and Taiwan.
Unlike noisy botnets built for spam or denial-of-service attacks, ORB networks support stealth. They give operators flexible, long-term infrastructure for espionage and access operations.
| Item | Details |
|---|---|
| Threat actor | UAT-7810 |
| Assessed link | China-nexus threat activity |
| Network | LapDogs Operational Relay Box network |
| Main targets | Unpatched SOHO and enterprise networking devices |
| Primary device focus | Ruckus wireless routers and access points |
| New malware | LONGLEASH, DOGLEASH, JARLEASH, and LEASHTEST |
| Main risk | Hidden relay infrastructure for follow-on intrusions |
UAT-7810 is using known Ruckus flaws
The group is not relying on brand-new vulnerabilities. Cisco Talos says UAT-7810 primarily exploits known flaws in unpatched Ruckus wireless routers, a tactic it has used since 2025.
One of the most important entries is CVE-2023-25717, which NVD describes as an unauthenticated remote code execution issue in Ruckus Wireless Admin through version 10.4. The vulnerability is also listed in CISAโs Known Exploited Vulnerabilities catalog.
Talos also observed exploitation of older Ruckus image upgrade weaknesses, including CVE-2020-22653 and CVE-2020-22658. Those older bugs show why abandoned firmware can remain useful to attackers years after disclosure.
LONGLEASH upgrades the older SHORTLEASH backdoor
At the center of the latest activity is LONGLEASH, which Talos tracks as a newer version of the previously documented SHORTLEASH backdoor.
LONGLEASH can proxy traffic, manage tunnels, support multiple network protocols, host web services, and act as an intermediate command server that forwards instructions to peers. Talos also found that it uses a Chrome browser user agent string, which may help its traffic look more ordinary during network review.
The malwareโs design fits the ORB model. It does not need to destroy the device or create obvious disruption. It needs to stay quiet, maintain access, and relay traffic reliably.
DOGLEASH and JARLEASH expand the toolkit
Talos also identified DOGLEASH, a newly discovered C-based backdoor for Linux devices. After compromise, UAT-7810 deploys a script that downloads the malware, opens firewall rules, and starts a listener on a hardcoded port.
DOGLEASH can execute shell commands, read files, rename files, collect system information, close its listener, and execute code in memory. That makes it a lightweight but flexible implant for embedded Linux devices.
JARLEASH adds an administrative layer. It is a Java-based backdoor that can host a web file management interface, provide FTP and SFTP services, and run a Netcat server. Talos found Simplified Chinese comments in its configuration file.
Ruckus advisories show the patching problem
Ruckus issued a vendor bulletin for CVE-2023-25717 in 2023, describing it as a RUCKUS AP web vulnerability involving RCE and CSRF. The bulletin lists many affected access point models and related software updates.
The vendor also published a 2020 security bulletin for the Ruckus AP image upgrade vulnerability, which aligns with the older image-related flaws later referenced in public CVE records.
Those advisories matter because UAT-7810 appears to benefit from organizations and device owners not applying old fixes. In many homes and small offices, routers and access points run for years without firmware review.
ASUS AiCloud targeting points to broader expansion
UAT-7810 may not be limiting itself to Ruckus devices. Talos said one of the servers tied to the campaign was also linked to exploitation of ASUS AiCloud routers in early 2026.
The related issue, CVE-2025-2492, is an ASUS AiCloud improper authentication control vulnerability. NVD says a crafted request could trigger unauthorized execution of functions.

That overlap suggests the operator or an associated actor is testing additional device families for ORB growth. For defenders, the lesson is broader than one vendor: any exposed edge device with old firmware can become relay infrastructure.
Why ORB networks frustrate defenders
ORB networks undermine traditional indicator-based defense because the infrastructure changes constantly. A blocked IP address may only represent one compromised router, not the true operator or the final target.
SecurityScorecardโs LapDogs research said the compromised devices can keep functioning normally, which makes detection and attribution difficult. It also noted that the network appeared methodical, with structured tasking and regional focus.
Organizations that only monitor servers and employee laptops may miss the problem entirely. Many routers, access points, cameras, and storage devices sit outside normal endpoint detection coverage.
- Review internet-facing routers, access points, firewalls, cameras, and NAS devices.
- Apply vendor firmware updates and replace end-of-life hardware.
- Disable remote administration unless it has a clear business need.
- Restrict management access to trusted IP ranges or VPNs.
- Monitor unusual outbound traffic from edge devices.
- Baseline expected ports, certificates, and user agents for network gear.
- Hunt for unexpected web services on embedded Linux devices.
Indicators defenders should review
Talos published several network and malware indicators tied to UAT-7810 activity. These indicators can help with hunting, although defenders should not rely on them alone because ORB infrastructure changes quickly.
| Indicator type | Indicator | Context |
|---|---|---|
| IP address | 194.233.92[.]26 | VPS server used to host malicious payloads |
| IP address | 217.15.160[.]247 | VPS server used to host malicious payloads |
| IP address | 217.15.164[.]147 | VPS server also linked to ASUS AiCloud router exploitation |
| IP address | 95.182.100[.]231 | Hong Kong-based server hosting malicious payloads |
| SHA-256 | 755fcee1337a252203002ecfdf673a08cfadeda8d738bef2d518a08e0626aa4f | LONGLEASH sample |
| SHA-256 | 604b53f87d6c070bf387e80c70a6df8d272fa3fc143148d41f13e59d52ab1f13 | DOGLEASH sample |
| SHA-256 | 324d95024fc8da5c92b5a1f4825aed5a2a91c9ca8fb6aa52abb332a4c9cf4257 | JARLEASH sample |
| TLS fingerprint | c2ab9adaba93ff094b8f3fc37d906014d870582039d276b7bd03e6fd583d8a15 | TLS server certificate observed on port 99 |
What organizations should do now
The most important fix is basic but often missed: update exposed networking hardware. Ruckus customers should review the Ruckus advisory for affected AP models and available software updates, then confirm no unsupported devices remain in production.
Teams should also review the older Ruckus bulletin for legacy AP image upgrade issues and validate whether any still-deployed devices fall into the affected ranges. NVD lists CVE-2020-22653 as critical with a network attack vector and no privileges required.
ASUS device owners should also check exposure and firmware status, since CVE-2025-2492 shows that attackers are looking beyond one device family.
Bottom line
UAT-7810โs activity shows why routers and access points now deserve the same security attention as servers and laptops. They sit at the edge, they often lack EDR, and they can give advanced actors durable relay infrastructure.
The LapDogs network also shows how China-nexus actors continue to use compromised everyday devices to hide espionage infrastructure. For network defenders, that means firmware hygiene, edge-device visibility, and passive traffic monitoring matter as much as endpoint alerts.
The safest path is to patch Ruckus devices, remove unsupported hardware, lock down remote administration, and hunt for ORB-style behavior before a quiet relay box becomes part of someone elseโs intrusion chain.
FAQ
UAT-7810 is a China-nexus threat actor tracked by Cisco Talos. Talos says the group is responsible for maintaining and expanding the LapDogs Operational Relay Box network.
LapDogs is an Operational Relay Box network made from compromised SOHO and networking devices. Attackers can use the devices to relay traffic and hide the true origin of malicious activity.
Cisco Talos says UAT-7810 has exploited known Ruckus vulnerabilities including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 against unpatched devices.
Organizations should update router and access point firmware, replace end-of-life hardware, disable unnecessary remote administration, restrict management access, and monitor unusual outbound traffic from edge devices.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages