UAT-7810 continues building ORB networks using new malware
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The China-linked APT group UAT-7810 is continuing to expand its LapDogs Operational Relay Box network with a toolkit of custom malware that includes LONGLEASH, DOGLEASH, and JARLEASH. The actor focuses on embedded devices and networking hardware to build proxy infrastructure that can later be leveraged by secondary threat actors. These operations rely in part on exploitation of known flaws in Ruckus and ASUS equipment.
Investigation
Cisco Talos examined the infrastructure and malware tied to UAT-7810 and identified updated versions of previously known tools along with two entirely new malware families. The analysis revealed use of specific VPS nodes and a custom TLS certificate fingerprint for command-and-control traffic. Researchers also connected the actor’s infrastructure to efforts aimed at extending the ORB network into ASUS AiCloud router environments.
Mitigation
Organizations should prioritize patching Ruckus wireless routers against known issues such as CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717. Securing ASUS AiCloud routers against CVE-2025-2492 is also essential. Network segmentation that isolates IoT and embedded devices can further reduce the risk of those systems being repurposed as relay nodes.
Response
If the identified IP addresses or the internal name ff-agent are detected, incident responders should isolate the affected networking devices immediately. Forensic analysis should then check for LEASHTEST artifacts or unauthorized shell scripts. Network telemetry should also be reviewed for the Chrome user-agent string associated with the LONGLEASH implant.
Attack Flow
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands: The adversary has successfully gained initial access to the Linux target via a web vulnerability (leveraging CVE-2023-25717). To establish persistence and command-and-control (C2), they download a specialized backdoor from their infrastructure. Following the patterns of the UAT-7810 malware family, the attacker names the dropped binary
LEASHTESTto blend in with potential testing scripts, but the naming convention itself is a signature of this specific threat actor. The attacker then executes./LEASHTESTto initiate a reverse shell, which should trigger the detection rule based on the process name. -
Regression Test Script:
#!/bin/bash # Simulation script for UAT-7810 Malware Process Name Detection echo "[+] Starting Simulation: UAT-7810 Malware Backdoor" # 1. Create a dummy binary to simulate the malware # In a real scenario, this would be the actual malicious ELF file. echo "#!/bin/bash" > LEASHTEST echo "echo 'Simulated Malware Payload Executed'" >> LEASHTEST # 2. Make the file executable chmod +x LEASHTEST # 3. Execute the 'malware' to trigger the detection rule echo "[+] Executing LEASHTEST..." ./LEASHTEST echo "[+] Simulation Command Completed." -
Cleanup Commands:
# Cleanup simulation artifacts rm -f LEASHTEST echo "[+] Cleanup complete."