Chinese Hackers Use LONGLEASH Malware to Expand ORB Relay Network
What happened
Chinese hackers tracked as UAT-7810 are expanding an Operational Relay Box network by compromising internet-facing networking devices, with unpatched Ruckus routers identified as a primary target. The ORB infrastructure is used as secure relay infrastructure for other China-aligned advanced persistent threat groups, including UAT-5918, allowing threat actors to proxy traffic through regional devices and make activity appear to originate from legitimate local infrastructure.
The group primarily gains access by exploiting known vulnerabilities in exposed routers. Reported targets include Ruckus router flaws tracked as CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717, as well as CVE-2025-2492 in ASUS AiCloud routers. Once compromised, these devices can become part of a relay layer that helps attackers evade detection, hide command-and-control traffic, and complicate attribution.
Cisco Talos researchers identified several tools in the campaign, led by LONGLEASH, an upgraded version of the previously documented SHORTLEASH backdoor. LONGLEASH expands the older malware’s capabilities with reverse shell access, HTTP, DNS, SOCKS, TCP, ICMP, and UDP proxying, traffic redirection, SMTP client and server functionality, TLS and PKI support, self-removal when tampering is detected, and the ability to act as an intermediate command-and-control server between infected nodes.
The broader toolset also includes DOGLEASH, a lightweight Linux backdoor deployed through web shell scripts; JARLEASH, a Java-based administrative tool with web file management and FTP, SFTP, and Netcat server functions; and LEASHTEST, a utility used to check whether MIPS IoT devices can support malware-related functions. The activity suggests UAT-7810 is replacing or extending SHORTLEASH with LONGLEASH while continuing to broaden its malware ecosystem for router and IoT compromise.
Who is affected
Organizations using internet-facing Ruckus routers are directly affected if those devices remain unpatched against known vulnerabilities.
Users of ASUS AiCloud routers may also be affected if exposed devices are vulnerable to CVE-2025-2492.
The broader risk applies to organizations with unmanaged or poorly monitored edge devices, including routers, IoT systems, and network appliances that may not receive the same patching and logging attention as servers and endpoints.
Organizations in regions targeted by China-aligned APTs should pay particular attention because ORB infrastructure can make malicious traffic appear local, trusted, or harder to distinguish from legitimate regional activity.
Why CISOs should care
This campaign shows how routers and edge devices can become long-term infrastructure for advanced threat operations. The compromised device may not be the final target, but it can become part of the relay network that enables intrusions elsewhere.
For CISOs, the ORB model is especially important. Attackers can proxy traffic through legitimate local devices, making source-based blocking, geolocation filtering, and attribution less reliable.
The use of known vulnerabilities also reinforces a familiar but serious problem: internet-facing network devices often remain exposed long after patches are available. These systems can then be harvested into attacker infrastructure at scale.
LONGLEASH also shows why router compromise is difficult to treat as a minor issue. Its proxying, tunneling, reverse shell, C2 relay, and self-removal capabilities make compromised devices useful for stealth, persistence, and operational security across multiple campaigns.
3 practical actions
Patch and inventory exposed routers: Security teams should identify internet-facing Ruckus and ASUS AiCloud devices, confirm firmware versions, and prioritize fixes for CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, and CVE-2025-2492 where applicable.
Restrict management access to edge devices: Router administration interfaces should not be exposed broadly to the internet. CISOs should enforce trusted management paths, strong authentication, network segmentation, and access controls around edge infrastructure.
Hunt for ORB and proxy behavior: Defenders should monitor routers and IoT devices for unusual listening ports, web shells, reverse shells, unexpected proxy traffic, suspicious DNS, SOCKS, TCP, ICMP, UDP, or SMTP activity, and signs of devices relaying traffic between external hosts.
More in cybersecurity:


