A China-linked advanced persistent threat (APT) actor building an operational relay box (ORB) network for espionage has been updating its arsenal with new backdoors, Cisco’s Talos researchers warn.
As part of a prolonged espionage infrastructure campaign tracked as LapDogs, the APT infected over 1,000 small office/home office (SOHO) routers with the ShortLeash backdoor, SecurityScorecard reported last year.
Talos, which tracks the threat actor as UAT-7810, has discovered a newer version of the backdoor, dubbed LongLeash, as well as two other malware families the APT has been relying on, namely DogLeash and JarLeash.
UAT-7810 mainly targets known vulnerabilities in Ruckus wireless routers, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717, and was seen using payloads for multiple architectures, including MIPS, ARM, and x64.
Talos identified three IP addresses associated with VPS instances that UAT-7810 uses to download payloads, as well as four new servers the APT has been using to host malicious payloads such as DogLeash and accompanying shell scripts.









