Find notable cyber news and cases, enriched with sources, timelines, and signals.

UAT-7810 Operational Relay Box network-building campaign

Campaign
First reported
Last updated
Happening score
H score 39
1 unique sources, 1 articles

Summary

Hide ▲

An ongoing UAT-7810 campaign is expanding Operational Relay Box (ORB) networks by breaking into internet-facing networking devices, increasing relay capacity for downstream attacks against high-value targets. The operation uses ShortLeash, LONGLEASH, DOGLEASH, LEASHTEST, and JARLEASH while also abusing router vulnerabilities such as CVE-2020-22653 and CVE-2025-2492. The activity is built to support other operators with reusable infrastructure and broader access paths.

Related Happenings

UAT-7810 malware toolkit expansion with LONGLEASH, DOGLEASH, and JARLEASH

Malware Activity
H score27 First: 08.07.2026 17:30 Last: 08.07.2026 17:30 Sources 1

How related: The latest findings indicate that UAT-7810 has continued to develop their custom malware dubbed ShortLeash with a newer version that's codenamed LONGLEASH.

About this happening: **Chinese threat actor UAT-7810** is **actively refining** its bespoke malware to expand the **LapDogs ORB network** by breaking into **internet-facing networking devices**. The a...

UAT-7810 expands LapDogs ORB network to provide covert routing infrastructure

Threat Actor Meta
H score29 First: 08.07.2026 17:30 Last: 08.07.2026 17:30 Sources 1

About this happening: **UAT-7810** expanded its **LapDogs ORB network**, adding covert routing capacity that helps other hackers hide traffic origin and reach **high-value targets**. The infrastructure...

DKnife Linux AitM malware activity targeting routers and edge devices

Malware Activity
H score30 First: 06.02.2026 16:56 Last: 06.02.2026 16:56 Sources 1

About this happening: Researchers disclosed **DKnife**, a **China-nexus AitM framework** active since **at least 2019**, because it can **inspect packets, hijack downloads, and deliver malware** across...

UAT-7290 long-running telecom espionage campaign

Campaign
H score41 First: 08.01.2026 18:00 Last: 08.01.2026 18:00 Sources 1

About this happening: **UAT-7290** is running a **long-running cyber-espionage campaign** against **telecommunications providers** in South Asia, with recent expansion into Southeastern Europe. The ope...

UAT-7290's ORB Relay Role Expands China-Nexus Initial Access Operations

Threat Actor Meta
H score32 First: 08.01.2026 16:54 Last: 08.01.2026 16:54 Sources 1

About this happening: **UAT-7290** is being assessed as a **dual-role** China-nexus actor that combines **espionage intrusions** with **initial access** activity, expanding the threat ecosystem beyond...

Timeline

  1. 08.07.2026 12:04 2 articles · 1d ago

    UAT-7810 expands ORB network with LONGLEASH and new backdoors

    Campaign Scope Update

    UAT-7810 is expanding an Operational Relay Box network by breaking into internet-facing networking devices and using bespoke malware to support downstream attacks against high-value targets. The actor maintains LapDogs and has added LONGLEASH, DOGLEASH, LEASHTEST, and JARLEASH, while also abusing router vulnerabilities such as CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, and CVE-2025-2492.

    Show sources