Find notable cyber news and cases, enriched with sources, timelines, and signals.

UAT-7810 malware toolkit expansion with LONGLEASH, DOGLEASH, and JARLEASH

Malware Activity
First reported
Last updated
Happening score
H score 27
2 unique sources, 2 articles

Summary

Hide ▲

Chinese threat actor UAT-7810 is actively refining its bespoke malware to expand the LapDogs ORB network by breaking into internet-facing networking devices. The activity now includes LONGLEASH, DOGLEASH, LEASHTEST, and JARLEASH, alongside abuse of router flaws including CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, and CVE-2025-2492. The tooling expands proxying, command relay, and server management capabilities across compromised infrastructure. The development suggests the operation remains active and focused on adding hijacked devices to relay traffic for associated attacks.

Related Happenings

UAT-7810 expands LapDogs ORB network to provide covert routing infrastructure

Threat Actor Meta
H score29 First: 08.07.2026 17:30 Last: 08.07.2026 17:30 Sources 1

How related: The company said UAT-7810 maintained a long-running ORB network known as LapDogs, first exposed in 2025, and that its role was essentially to build infrastructure for others.

About this happening: **UAT-7810** expanded its **LapDogs ORB network**, adding covert routing capacity that helps other hackers hide traffic origin and reach **high-value targets**. The infrastructure...

UAT-7810 Operational Relay Box network-building campaign

Campaign
H score39 First: 08.07.2026 12:04 Last: 08.07.2026 12:04 Sources 1

How related: UAT-7810 is most likely tasked with establishing Operational Relay Box (ORB) networks that can then be leveraged by associated secondary threat actors to conduct their own malicious attacks against high value targets,

About this happening: An **ongoing UAT-7810 campaign** is expanding **Operational Relay Box (ORB) networks** by breaking into **internet-facing networking devices**, increasing relay capacity for downs...

RondoDox botnet expands mining and DDoS capabilities

Malware Activity
H score31 First: 16.04.2026 20:52 Last: 16.04.2026 20:52 Sources 1

About this happening: **RondoDox botnet** now combines **cryptocurrency mining with XMRig** and **DDoS attacks**, expanding both monetization and disruption risk across exposed systems. It reaches targ...

AVRecon malware for Linux powering SocksEscort proxy network

Malware Activity
H score19 First: 12.03.2026 18:19 Last: 12.03.2026 18:19 Sources 1

About this happening: The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...

KadNap Asus router proxy botnet

Malware Activity
H score22 First: 10.03.2026 18:00 Last: 10.03.2026 18:00 Sources 1

About this happening: **KadNap** is a **proxy botnet** that compromises **Asus routers** and other edge devices, creating a stealth channel for malicious traffic from **over 14,000 infected devices**....

Timeline

  1. 08.07.2026 17:30 3 articles · 1d ago

    UAT-7810 expands the LapDogs ORB network with LONGLEASH, DOGLEASH, and JARLEASH

    Technical Analysis Update

    Cisco Talos said UAT-7810 is expanding its long-running LapDogs Operational Relay Box network with newly discovered custom malware, including LONGLEASH, an upgraded backdoor with proxying and command-relay features, DOGLEASH, a Linux backdoor that runs commands on compromised devices, and JARLEASH, a Java-based tool used to manage the group's servers. Talos also said the group has targeted Ruckus wireless router flaws since 2025 and began exploiting an ASUS router bug earlier this year to add more hijacked devices, while the tracked malware and servers remain active.

    Show sources