China-Nexus UAT-7810 Exploits Ruckus Devices to Expand LapDogs ORB Network


Cisco Talos says a China-nexus threat actor tracked as UAT-7810 is continuing to build and maintain the LapDogs Operational Relay Box network by compromising internet-facing networking devices.

The campaign relies heavily on unpatched Ruckus wireless routers and access points, then deploys custom malware that turns those devices into relay infrastructure. According to Cisco Talos, UAT-7810 likely builds these relay networks so other China-nexus actors can route malicious traffic through ordinary devices.

That makes the activity harder to trace. Instead of connecting from obvious attacker infrastructure, operators can bounce traffic through home, small office, and business network gear that already blends into normal internet activity.

What is the LapDogs ORB network?

An Operational Relay Box, or ORB, is a network of compromised devices used as covert relay infrastructure. The devices may continue working normally for their owners while attackers use them to hide the true origin of cyber operations.

SecurityScorecard first disclosed the LapDogs campaign in 2025 and said it had identified more than 1,000 actively infected nodes. The company said the network focused on the United States and parts of Asia, including Japan, South Korea, Hong Kong, and Taiwan.

Unlike noisy botnets built for spam or denial-of-service attacks, ORB networks support stealth. They give operators flexible, long-term infrastructure for espionage and access operations.

ItemDetails
Threat actorUAT-7810
Assessed linkChina-nexus threat activity
NetworkLapDogs Operational Relay Box network
Main targetsUnpatched SOHO and enterprise networking devices
Primary device focusRuckus wireless routers and access points
New malwareLONGLEASH, DOGLEASH, JARLEASH, and LEASHTEST
Main riskHidden relay infrastructure for follow-on intrusions

UAT-7810 is using known Ruckus flaws

The group is not relying on brand-new vulnerabilities. Cisco Talos says UAT-7810 primarily exploits known flaws in unpatched Ruckus wireless routers, a tactic it has used since 2025.

One of the most important entries is CVE-2023-25717, which NVD describes as an unauthenticated remote code execution issue in Ruckus Wireless Admin through version 10.4. The vulnerability is also listed in CISAโ€™s Known Exploited Vulnerabilities catalog.

Talos also observed exploitation of older Ruckus image upgrade weaknesses, including CVE-2020-22653 and CVE-2020-22658. Those older bugs show why abandoned firmware can remain useful to attackers years after disclosure.

LONGLEASH upgrades the older SHORTLEASH backdoor

At the center of the latest activity is LONGLEASH, which Talos tracks as a newer version of the previously documented SHORTLEASH backdoor.

LONGLEASH can proxy traffic, manage tunnels, support multiple network protocols, host web services, and act as an intermediate command server that forwards instructions to peers. Talos also found that it uses a Chrome browser user agent string, which may help its traffic look more ordinary during network review.

The malwareโ€™s design fits the ORB model. It does not need to destroy the device or create obvious disruption. It needs to stay quiet, maintain access, and relay traffic reliably.

DOGLEASH and JARLEASH expand the toolkit

Talos also identified DOGLEASH, a newly discovered C-based backdoor for Linux devices. After compromise, UAT-7810 deploys a script that downloads the malware, opens firewall rules, and starts a listener on a hardcoded port.

DOGLEASH can execute shell commands, read files, rename files, collect system information, close its listener, and execute code in memory. That makes it a lightweight but flexible implant for embedded Linux devices.

JARLEASH adds an administrative layer. It is a Java-based backdoor that can host a web file management interface, provide FTP and SFTP services, and run a Netcat server. Talos found Simplified Chinese comments in its configuration file.

Ruckus advisories show the patching problem

Ruckus issued a vendor bulletin for CVE-2023-25717 in 2023, describing it as a RUCKUS AP web vulnerability involving RCE and CSRF. The bulletin lists many affected access point models and related software updates.

The vendor also published a 2020 security bulletin for the Ruckus AP image upgrade vulnerability, which aligns with the older image-related flaws later referenced in public CVE records.

Those advisories matter because UAT-7810 appears to benefit from organizations and device owners not applying old fixes. In many homes and small offices, routers and access points run for years without firmware review.

ASUS AiCloud targeting points to broader expansion

UAT-7810 may not be limiting itself to Ruckus devices. Talos said one of the servers tied to the campaign was also linked to exploitation of ASUS AiCloud routers in early 2026.

The related issue, CVE-2025-2492, is an ASUS AiCloud improper authentication control vulnerability. NVD says a crafted request could trigger unauthorized execution of functions.

Startup script for SHORTLEASH (Source – Cisco Talos)

That overlap suggests the operator or an associated actor is testing additional device families for ORB growth. For defenders, the lesson is broader than one vendor: any exposed edge device with old firmware can become relay infrastructure.

Why ORB networks frustrate defenders

ORB networks undermine traditional indicator-based defense because the infrastructure changes constantly. A blocked IP address may only represent one compromised router, not the true operator or the final target.

SecurityScorecardโ€™s LapDogs research said the compromised devices can keep functioning normally, which makes detection and attribution difficult. It also noted that the network appeared methodical, with structured tasking and regional focus.

Organizations that only monitor servers and employee laptops may miss the problem entirely. Many routers, access points, cameras, and storage devices sit outside normal endpoint detection coverage.

  • Review internet-facing routers, access points, firewalls, cameras, and NAS devices.
  • Apply vendor firmware updates and replace end-of-life hardware.
  • Disable remote administration unless it has a clear business need.
  • Restrict management access to trusted IP ranges or VPNs.
  • Monitor unusual outbound traffic from edge devices.
  • Baseline expected ports, certificates, and user agents for network gear.
  • Hunt for unexpected web services on embedded Linux devices.

Indicators defenders should review

Talos published several network and malware indicators tied to UAT-7810 activity. These indicators can help with hunting, although defenders should not rely on them alone because ORB infrastructure changes quickly.

Indicator typeIndicatorContext
IP address194.233.92[.]26VPS server used to host malicious payloads
IP address217.15.160[.]247VPS server used to host malicious payloads
IP address217.15.164[.]147VPS server also linked to ASUS AiCloud router exploitation
IP address95.182.100[.]231Hong Kong-based server hosting malicious payloads
SHA-256755fcee1337a252203002ecfdf673a08cfadeda8d738bef2d518a08e0626aa4fLONGLEASH sample
SHA-256604b53f87d6c070bf387e80c70a6df8d272fa3fc143148d41f13e59d52ab1f13DOGLEASH sample
SHA-256324d95024fc8da5c92b5a1f4825aed5a2a91c9ca8fb6aa52abb332a4c9cf4257JARLEASH sample
TLS fingerprintc2ab9adaba93ff094b8f3fc37d906014d870582039d276b7bd03e6fd583d8a15TLS server certificate observed on port 99

What organizations should do now

The most important fix is basic but often missed: update exposed networking hardware. Ruckus customers should review the Ruckus advisory for affected AP models and available software updates, then confirm no unsupported devices remain in production.

Teams should also review the older Ruckus bulletin for legacy AP image upgrade issues and validate whether any still-deployed devices fall into the affected ranges. NVD lists CVE-2020-22653 as critical with a network attack vector and no privileges required.

ASUS device owners should also check exposure and firmware status, since CVE-2025-2492 shows that attackers are looking beyond one device family.

Bottom line

UAT-7810โ€™s activity shows why routers and access points now deserve the same security attention as servers and laptops. They sit at the edge, they often lack EDR, and they can give advanced actors durable relay infrastructure.

The LapDogs network also shows how China-nexus actors continue to use compromised everyday devices to hide espionage infrastructure. For network defenders, that means firmware hygiene, edge-device visibility, and passive traffic monitoring matter as much as endpoint alerts.

The safest path is to patch Ruckus devices, remove unsupported hardware, lock down remote administration, and hunt for ORB-style behavior before a quiet relay box becomes part of someone elseโ€™s intrusion chain.

FAQ

What is UAT-7810?

UAT-7810 is a China-nexus threat actor tracked by Cisco Talos. Talos says the group is responsible for maintaining and expanding the LapDogs Operational Relay Box network.

What is the LapDogs ORB network?

LapDogs is an Operational Relay Box network made from compromised SOHO and networking devices. Attackers can use the devices to relay traffic and hide the true origin of malicious activity.

Which Ruckus vulnerabilities has UAT-7810 exploited?

Cisco Talos says UAT-7810 has exploited known Ruckus vulnerabilities including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 against unpatched devices.

How can organizations reduce the risk from ORB networks?

Organizations should update router and access point firmware, replace end-of-life hardware, disable unnecessary remote administration, restrict management access, and monitor unusual outbound traffic from edge devices.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages