# Chinese APT Group UAT-7810 Enhances ORB Network Using New Malware

*Published July 10, 2026*
*Source: [https://thehackernews.com/2026/07/china-linked-uat-7810-expands-orb.html](https://thehackernews.com/2026/07/china-linked-uat-7810-expands-orb.html)*

## Executive Summary

Cisco Talos has discovered that the Chinese threat actor UAT-7810 is enhancing its ORB network using updated malware called LONGLEASH. This development poses significant risks to critical infrastructure due to the network's potential use by secondary threat actors.

## Article

Cisco Talos researchers have uncovered that the Chinese threat actor known as UAT-7810 is actively upgrading its malware to grow its Operational Relay Box (ORB) network by compromising internet-facing networking devices. UAT-7810, an advanced persistent threat (APT) group, is known for maintaining and expanding LapDogs, an ORB network first identified in June 2025. This network can be exploited by secondary threat actors to execute malicious operations against high-value targets.

UAT-7810 has recently developed a more advanced version of its malware, known as LONGLEASH. This new variant includes additional features compared to its predecessor, ShortLeash, indicating ongoing development efforts. Alongside LONGLEASH, the group has been using several new tools, including DOGLEASH variations and a Java-based backdoor called JARLEASH, which facilitates file management and other administrative tasks on compromised servers.

The threat actor has been exploiting known vulnerabilities in unpatched Ruckus wireless routers, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717. Earlier attacks targeted ASUS AiCloud Routers vulnerable to CVE-2025-2492, suggesting attempts to further expand the ORB network.

UAT-7810's activities have implications for critical infrastructure, as evidenced by its connection to UAT-5918, which has targeted critical infrastructure in Taiwan since at least 2023. The group's development of LEASHTEST suggests ongoing testing on MIPS platforms, indicating that the malware's behavior on these devices may still be under evaluation.
