UAT-7810 Operational Relay Box network-building campaign
Campaign
Summary
Hide ▲
Show ▼
An ongoing UAT-7810 campaign is expanding Operational Relay Box (ORB) networks by breaking into internet-facing networking devices, increasing relay capacity for downstream attacks against high-value targets. The operation uses ShortLeash, LONGLEASH, DOGLEASH, LEASHTEST, and JARLEASH while also abusing router vulnerabilities such as CVE-2020-22653 and CVE-2025-2492. The activity is built to support other operators with reusable infrastructure and broader access paths.
Related Happenings
UAT-7810 malware toolkit expansion with LONGLEASH, DOGLEASH, and JARLEASH
Malware Activity
H score27
First: 08.07.2026 17:30
Last: 08.07.2026 17:30
Sources 1
How related:
The latest findings indicate that UAT-7810 has continued to develop their custom malware dubbed ShortLeash with a newer version that's codenamed LONGLEASH.
About this happening:
**Chinese threat actor UAT-7810** is **actively refining** its bespoke malware to expand the **LapDogs ORB network** by breaking into **internet-facing networking devices**. The a...
UAT-7810 malware toolkit expansion with LONGLEASH, DOGLEASH, and JARLEASH
Malware ActivityHow related: The latest findings indicate that UAT-7810 has continued to develop their custom malware dubbed ShortLeash with a newer version that's codenamed LONGLEASH.
About this happening: **Chinese threat actor UAT-7810** is **actively refining** its bespoke malware to expand the **LapDogs ORB network** by breaking into **internet-facing networking devices**. The a...
UAT-7810 expands LapDogs ORB network to provide covert routing infrastructure
Threat Actor Meta
H score29
First: 08.07.2026 17:30
Last: 08.07.2026 17:30
Sources 1
About this happening:
**UAT-7810** expanded its **LapDogs ORB network**, adding covert routing capacity that helps other hackers hide traffic origin and reach **high-value targets**. The infrastructure...
UAT-7810 expands LapDogs ORB network to provide covert routing infrastructure
Threat Actor MetaAbout this happening: **UAT-7810** expanded its **LapDogs ORB network**, adding covert routing capacity that helps other hackers hide traffic origin and reach **high-value targets**. The infrastructure...
DKnife Linux AitM malware activity targeting routers and edge devices
Malware Activity
H score30
First: 06.02.2026 16:56
Last: 06.02.2026 16:56
Sources 1
About this happening:
Researchers disclosed **DKnife**, a **China-nexus AitM framework** active since **at least 2019**, because it can **inspect packets, hijack downloads, and deliver malware** across...
DKnife Linux AitM malware activity targeting routers and edge devices
Malware ActivityAbout this happening: Researchers disclosed **DKnife**, a **China-nexus AitM framework** active since **at least 2019**, because it can **inspect packets, hijack downloads, and deliver malware** across...
UAT-7290 long-running telecom espionage campaign
Campaign
H score41
First: 08.01.2026 18:00
Last: 08.01.2026 18:00
Sources 1
About this happening:
**UAT-7290** is running a **long-running cyber-espionage campaign** against **telecommunications providers** in South Asia, with recent expansion into Southeastern Europe. The ope...
UAT-7290 long-running telecom espionage campaign
CampaignAbout this happening: **UAT-7290** is running a **long-running cyber-espionage campaign** against **telecommunications providers** in South Asia, with recent expansion into Southeastern Europe. The ope...
UAT-7290's ORB Relay Role Expands China-Nexus Initial Access Operations
Threat Actor Meta
H score32
First: 08.01.2026 16:54
Last: 08.01.2026 16:54
Sources 1
About this happening:
**UAT-7290** is being assessed as a **dual-role** China-nexus actor that combines **espionage intrusions** with **initial access** activity, expanding the threat ecosystem beyond...
UAT-7290's ORB Relay Role Expands China-Nexus Initial Access Operations
Threat Actor MetaAbout this happening: **UAT-7290** is being assessed as a **dual-role** China-nexus actor that combines **espionage intrusions** with **initial access** activity, expanding the threat ecosystem beyond...
Timeline
-
08.07.2026 12:04 2 articles · 1d ago
UAT-7810 expands ORB network with LONGLEASH and new backdoors
Campaign Scope UpdateUAT-7810 is expanding an Operational Relay Box network by breaking into internet-facing networking devices and using bespoke malware to support downstream attacks against high-value targets. The actor maintains LapDogs and has added LONGLEASH, DOGLEASH, LEASHTEST, and JARLEASH, while also abusing router vulnerabilities such as CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, and CVE-2025-2492.
Show sources
- China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware — thehackernews.com — 08.07.2026 12:04
- China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware — thehackernews.com — 08.07.2026 12:04