UAT-7810 malware toolkit expansion with LONGLEASH, DOGLEASH, and JARLEASH
Malware Activity
Summary
Hide ▲
Show ▼
Chinese threat actor UAT-7810 is actively refining its bespoke malware to expand the LapDogs ORB network by breaking into internet-facing networking devices. The activity now includes LONGLEASH, DOGLEASH, LEASHTEST, and JARLEASH, alongside abuse of router flaws including CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, and CVE-2025-2492. The tooling expands proxying, command relay, and server management capabilities across compromised infrastructure. The development suggests the operation remains active and focused on adding hijacked devices to relay traffic for associated attacks.
Related Happenings
UAT-7810 expands LapDogs ORB network to provide covert routing infrastructure
Threat Actor Meta
H score29
First: 08.07.2026 17:30
Last: 08.07.2026 17:30
Sources 1
How related:
The company said UAT-7810 maintained a long-running ORB network known as LapDogs, first exposed in 2025, and that its role was essentially to build infrastructure for others.
About this happening:
**UAT-7810** expanded its **LapDogs ORB network**, adding covert routing capacity that helps other hackers hide traffic origin and reach **high-value targets**. The infrastructure...
UAT-7810 expands LapDogs ORB network to provide covert routing infrastructure
Threat Actor MetaHow related: The company said UAT-7810 maintained a long-running ORB network known as LapDogs, first exposed in 2025, and that its role was essentially to build infrastructure for others.
About this happening: **UAT-7810** expanded its **LapDogs ORB network**, adding covert routing capacity that helps other hackers hide traffic origin and reach **high-value targets**. The infrastructure...
UAT-7810 Operational Relay Box network-building campaign
Campaign
H score39
First: 08.07.2026 12:04
Last: 08.07.2026 12:04
Sources 1
How related:
UAT-7810 is most likely tasked with establishing Operational Relay Box (ORB) networks that can then be leveraged by associated secondary threat actors to conduct their own malicious attacks against high value targets,
About this happening:
An **ongoing UAT-7810 campaign** is expanding **Operational Relay Box (ORB) networks** by breaking into **internet-facing networking devices**, increasing relay capacity for downs...
UAT-7810 Operational Relay Box network-building campaign
CampaignHow related: UAT-7810 is most likely tasked with establishing Operational Relay Box (ORB) networks that can then be leveraged by associated secondary threat actors to conduct their own malicious attacks against high value targets,
About this happening: An **ongoing UAT-7810 campaign** is expanding **Operational Relay Box (ORB) networks** by breaking into **internet-facing networking devices**, increasing relay capacity for downs...
RondoDox botnet expands mining and DDoS capabilities
Malware Activity
H score31
First: 16.04.2026 20:52
Last: 16.04.2026 20:52
Sources 1
About this happening:
**RondoDox botnet** now combines **cryptocurrency mining with XMRig** and **DDoS attacks**, expanding both monetization and disruption risk across exposed systems. It reaches targ...
RondoDox botnet expands mining and DDoS capabilities
Malware ActivityAbout this happening: **RondoDox botnet** now combines **cryptocurrency mining with XMRig** and **DDoS attacks**, expanding both monetization and disruption risk across exposed systems. It reaches targ...
AVRecon malware for Linux powering SocksEscort proxy network
Malware Activity
H score19
First: 12.03.2026 18:19
Last: 12.03.2026 18:19
Sources 1
About this happening:
The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...
AVRecon malware for Linux powering SocksEscort proxy network
Malware ActivityAbout this happening: The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...
KadNap Asus router proxy botnet
Malware Activity
H score22
First: 10.03.2026 18:00
Last: 10.03.2026 18:00
Sources 1
About this happening:
**KadNap** is a **proxy botnet** that compromises **Asus routers** and other edge devices, creating a stealth channel for malicious traffic from **over 14,000 infected devices**....
KadNap Asus router proxy botnet
Malware ActivityAbout this happening: **KadNap** is a **proxy botnet** that compromises **Asus routers** and other edge devices, creating a stealth channel for malicious traffic from **over 14,000 infected devices**....
Timeline
-
08.07.2026 17:30 3 articles · 1d ago
UAT-7810 expands the LapDogs ORB network with LONGLEASH, DOGLEASH, and JARLEASH
Technical Analysis UpdateCisco Talos said UAT-7810 is expanding its long-running LapDogs Operational Relay Box network with newly discovered custom malware, including LONGLEASH, an upgraded backdoor with proxying and command-relay features, DOGLEASH, a Linux backdoor that runs commands on compromised devices, and JARLEASH, a Java-based tool used to manage the group's servers. Talos also said the group has targeted Ruckus wireless router flaws since 2025 and began exploiting an ASUS router bug earlier this year to add more hijacked devices, while the tracked malware and servers remain active.
Show sources
- China-Linked APT Expands Proxy Network With New Malware — www.infosecurity-magazine.com — 08.07.2026 17:30
- China-Linked APT Expands Proxy Network With New Malware — www.infosecurity-magazine.com — 08.07.2026 17:30
- China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware — thehackernews.com — 08.07.2026 12:04