Cisco Talos published research on July 7 documenting UAT-7810, a China-state-linked threat cluster that has been building an Operational Relay Box network — dubbed LapDogs by Talos — by deploying a newly discovered family of modular backdoors to internet-facing networking devices. The flagship malware in the toolkit, LONGLEASH, targets unpatched Ruckus wireless routers and ASUS AiCloud routers, converting compromised devices into encrypted relay nodes that mask espionage traffic as legitimate regional internet activity.
LONGLEASH: An Evolved Backdoor with Multi-Protocol Relay and Self-Removal Capabilities
LONGLEASH is a substantially evolved successor to a previously documented backdoor named SHORTLEASH. The new version adds capabilities that reflect deliberate development investment: reverse shell access enabling direct interactive control of compromised devices, support for multiple proxy protocols including HTTP, DNS, SOCKS, TCP, ICMP, and UDP, SMTP client and server functionality, full TLS and PKI encryption for command-and-control communications, and a self-removal mechanism that activates when tampering is detected.
The multi-protocol proxy support is the capability most directly relevant to the LapDogs ORB network’s operational purpose. By routing traffic through different protocols, UAT-7810 can adapt to network environments that filter specific connection types and make C2 communications harder to isolate through traffic analysis.
DOGLEASH, JARLEASH, and LEASHTEST: A Multi-Language Toolkit for Broader Device Coverage
Cisco Talos documented three additional tools in the same release alongside LONGLEASH. DOGLEASH is a Linux backdoor complementing LONGLEASH’s capabilities on Linux-based networking hardware. JARLEASH is a Java-based administrative tool that provides a platform-independent C2 channel, extending UAT-7810’s ability to maintain access across device architectures that neither LONGLEASH nor DOGLEASH can reach. LEASHTEST is a testing utility supporting the toolkit’s deployment and validation workflow.
The multi-language composition of the toolkit — a native backdoor, a Linux companion, and a Java administrative tool — allows UAT-7810 to compromise and persist across a broader range of router and networking device architectures than a single-platform malware would support.
Ruckus and ASUS Devices as LapDogs ORB Relay Nodes
The LapDogs network’s primary targets are unpatched Ruckus wireless routers, exploited via CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717, and ASUS AiCloud routers, exploited via CVE-2025-2492. Once LONGLEASH or DOGLEASH is installed on a compromised device, the device functions as a relay node in the LapDogs ORB network: espionage traffic from Chinese-nexus actors passes through the compromised device, appearing to originate from a legitimate residential or business IP address in the target region.
The practical effect is that network defenders relying on IP reputation or geolocation-based blocking to identify Chinese espionage traffic cannot distinguish LapDogs relay traffic from ordinary internet activity originating from regional endpoints. Standard defenses designed to detect traffic from known Chinese state infrastructure IP ranges do not apply when the traffic exits through a compromised university, SMB, or home router in the target country.
UAT-7810 as an Access Broker for Multiple Chinese Espionage Clusters
Cisco Talos assesses that UAT-7810 likely serves as an initial-access and relay-infrastructure provider for other China-nexus espionage actors rather than conducting end-target intrusions directly. The firm specifically connects UAT-7810 infrastructure to UAT-5918, a cluster with documented intrusion history against telecommunications, healthcare, and government targets in Taiwan.
This positions LapDogs as a shared infrastructure layer: multiple Chinese espionage clusters can route operations through UAT-7810’s relay network, multiplying the operational reach of each downstream actor without requiring each cluster to build and maintain its own compromised router network. For defenders, this means attribution of specific intrusions to a named downstream actor is complicated by the relay layer — network forensics at the target will show LapDogs relay IPs, not the IP infrastructure of the espionage cluster that ordered the intrusion.
The July 7 Cisco Talos publication represents the first public documentation of the LONGLEASH, DOGLEASH, JARLEASH, and LEASHTEST malware families. Organizations running Ruckus wireless routers or ASUS AiCloud routers should verify patch status against the CVEs listed in the Talos advisory, as unpatched devices remain viable targets for incorporation into the LapDogs relay network.
