Cisco Talos assesses that a Chinese state-linked actor is actively rebuilding its global proxy infrastructure, hijacking home and office routers to mask espionage operations against high-value targets including Taiwan.

Intelligence Lead

Cisco Talos has confirmed that UAT-7810, a China-linked advanced persistent threat actor, is actively refining a new generation of backdoor malware to expand the LapDogs Operational Relay Box (ORB) network, a distributed proxy infrastructure built from hijacked internet-facing routers. The expansion, centered on a newly documented backdoor called LONGLEASH, provides Beijing-aligned intrusion sets with a growing pool of compromised devices through which to route espionage traffic and obscure the true origin of attacks against high-value targets, including critical infrastructure in Taiwan.

Situation Report

Talos researchers Jungsoo An, Asheer Malhotra, Vanja Svajcer, and Brandon White reported on 8 July that UAT-7810 has continued developing its custom implant, ShortLeash, into a more capable successor codenamed LONGLEASH. The new backdoor adds a proxying executor supporting HTTP, DNS, SOCKS, TCP, ICMP, and UDP protocols, the ability to act as an intermediate command-and-control relay between a primary controller and its peers, and a self-destruct function that removes the implant and all traces from a compromised server if tampering is detected.

Alongside LONGLEASH, Talos identified two previously unreported tools in active use: DOGLEASH, a passive Linux backdoor capable of executing arbitrary shellcode, deployed across at least four new command-and-control servers in multiple minor variants; and JARLEASH, a Java-based administrative backdoor supporting file management, FTP, SFTP, and Netcat functions on at least one of those servers. A third tool, LEASHTEST, is an ELF testing binary UAT-7810 has used to validate thread creation, child-process spawning, and async-timer functions on MIPS-based embedded devices, indicating the group is still working to extend its framework reliably onto that architecture.

UAT-7810's attack chains weaponize known, patchable vulnerabilities in unpatched Ruckus wireless routers, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717, and have separately targeted ASUS AiCloud routers vulnerable to CVE-2025-2492. Talos assesses this router-targeting pattern as UAT-7810's continued build-out of LapDogs, an ORB network first documented in June 2025 that has already exceeded a thousand compromised small office and home office devices.

Background & Context

Operational Relay Box networks function as reusable, distributed infrastructure: a dedicated actor compromises and maintains a large pool of hijacked routers and IoT devices, then leases or shares access to that infrastructure with other operators who route their own intrusion traffic through it. This model lets espionage-linked groups distance command-and-control activity from attributable state infrastructure, complicating both technical attribution and legal response.

Talos assesses UAT-7810 as most likely tasked specifically with building and maintaining this ORB capacity for use by associated secondary actors rather than conducting final-stage intrusions itself. The clearest documented downstream beneficiary is UAT-5918, a separate China-nexus actor that has used LapDogs-adjacent infrastructure in a sustained campaign against Taiwanese critical infrastructure entities since at least 2023, seeking persistent access within victim environments rather than immediate, disruptive impact.

Analysis & Assessment

The addition of an automated tamper-response wipe function to LONGLEASH indicates UAT-7810 is maturing its operational security discipline in direct response to sustained researcher attention on ShortLeash and the broader LapDogs network, an adaptation pattern consistent with a well-resourced, persistent state-linked development effort rather than opportunistic criminal tooling. The parallel investment in JARLEASH's administrative tooling and continued MIPS-platform testing via LEASHTEST both point to a group deliberately broadening the range of device types it can absorb into the proxy network, beyond the SOHO routers that made up the bulk of LapDogs at its June 2025 disclosure.

Because ORB infrastructure is shared rather than exclusive to one operator, the practical risk from UAT-7810's expansion extends well beyond its own activity. Every additional device pulled into LapDogs increases the routing capacity available to secondary actors such as UAT-5918, meaning defenders assessing exposure to Chinese state-linked intrusion sets should treat unpatched Ruckus and ASUS router fleets as a shared risk surface rather than a narrow, single-actor concern. Confidence in the assessed intent behind the infrastructure build-out is high, given Talos's direct visibility into server-side tooling; confidence in which specific future operations will draw on this expanded capacity remains moderate.