UAT-7810, a China-nexus hacking group, is expanding a global network of hijacked internet devices by exploiting security flaws in Ruckus wireless routers and rolling out new custom malware.
This activity feeds into what researchers call an Operational Relay Box network, a chain of compromised devices used to hide the true origin of cyberattacks.
The tactic lets attackers route their traffic through ordinary home and business routers, making malicious activity blend in with normal internet traffic.
The group’s efforts are not new. Security researchers first flagged this ORB network, known as LapDogs, back in 2025, but the infrastructure has kept growing since then.
UAT-7810 appears to specialize in building and maintaining these relay networks so that other threat actors can use them to launch attacks on valuable targets. This division of labor makes it harder for defenders to trace an intrusion back to its true source.
Analysts from Cisco Talos said in a report shared with Cyber Security News (CSN) that they are actively tracking the infrastructure and malware tied to UAT-7810, describing the group as an advanced persistent threat responsible for sustaining the LapDogs network.
Talos also found that UAT-7810 shares some tools with another China-linked group, UAT-5918, though the two are tracked as separate actors with their own goals.
Startup script for SHORTLEASH (Source – Cisco Talos)
The attackers rely heavily on unpatched Ruckus routers to gain their initial foothold, exploiting known but unaddressed vulnerabilities rather than discovering new ones.
This approach shows that outdated firmware remains one of the easiest paths into a home or office network. Once inside, the group deploys an expanding toolkit of custom backdoors designed to keep control over compromised devices for the long term.
China-Nexus Hackers Exploit Ruckus Routers
At the center of this campaign is a backdoor called SHORTLEASH, which Talos says is being replaced by an upgraded version named LONGLEASH that adds far more capability.
LONGLEASH can act as a proxy, run its own web server, manage encrypted tunnels, and even function as an intermediate command server that passes instructions along to other infected devices.
It borrows code from open-source libraries and uses a Chrome browser identifier to disguise its network traffic as normal web browsing.
JARLEASH core components (Source – Cisco Talos)
Talos also uncovered two previously unseen tools, DOGLEASH and JARLEASH, alongside a small testing program called LEASHTEST.
DOGLEASH is a lightweight backdoor that listens quietly on infected Linux devices and waits for specific commands, such as running shell code or reading files.
JARLEASH, written in Java, gives the attackers a file management console and file transfer tools, and its configuration file contains comments written in Simplified Chinese.
Ruckus Routers Remain the Entry Point
Ruckus wireless routers have become a favored target because many units in the field still run outdated software, according to the report.
Talos identified three known vulnerabilities that UAT-7810 has exploited to break into these devices since 2025.
Once compromised, a router can be silently folded into the ORB network and used to relay traffic for months without the owner noticing.
The group has also shown interest in expanding beyond routers, with one server tied to the campaign used to target ASUS AiCloud devices earlier this year.
This suggests UAT-7810 is not limiting itself to a single vendor or device type as it grows its relay infrastructure.
Applying router firmware updates promptly and replacing end-of-life hardware are simple but effective steps that can close off this entry point.
Organizations and everyday users alike are encouraged to check whether their routers are still receiving security updates from the manufacturer.
Segmenting home and office networks so that a compromised router cannot easily reach other devices adds another layer of protection.
Since these attacks rely on quiet, long-term access rather than immediate damage, regular monitoring of network traffic for unusual connections is also worthwhile.
Indicators of Compromise (IoCs):-
TypeIndicatorDescriptionIP Address194.233.92[.]26VPS server used to host malicious payloads IP Address217.15.160[.]247VPS server used to host malicious payloads IP Address217.15.164[.]147VPS server also linked to ASUS AiCloud router exploitation IP Address95.182.100[.]231Hong Kong-based server hosting malicious payloads URLhttp[:]//217.15.160[.]247:8088/Payload hosting URL URLhttp[:]//217.15.160[.]247:2222/Payload hosting URL URLhttp[:]//217.15.160[.]247:99/Payload hosting URL URLhttp[:]//194.233.92[.]26:8088/Payload hosting URL URLhttp[:]//194.233.92[.]26:2222/Payload hosting URL URLhttp[:]//217.15.164[.]147:99/Payload hosting URL URLhttp[:]//217.15.164[.]147:8088/Payload hosting URL URLhttp[:]//217.15.164[.]147:2222/Payload hosting URL URLhttp[:]//95.182.100[.]231:2222/Payload hosting URL File Hash (SHA256)1b5649b479fd625de5c8120873644b5eb669cc89cd504582c18e0ae350fd8823LEASHTEST sample File Hash (SHA256)755fcee1337a252203002ecfdf673a08cfadeda8d738bef2d518a08e0626aa4fLONGLEASH sample File Hash (SHA256)e799d72929d7ccc7f6b6109742b8cc482838303207efc989543b6e1ca6d16e9cJARLEASH startup script File Hash (SHA256)3b89d183eb014e29d9d0d4e45fc2b784a7fcfcf31dd48fd3bde30f8d956383d1JARLEASH configuration file File Hash (SHA256)324d95024fc8da5c92b5a1f4825aed5a2a91c9ca8fb6aa52abb332a4c9cf4257JARLEASH sample File Hash (SHA256)bafba443170e54ef7fd431ce7f1b5e202719f3fd022e4ef70788904f574d2cdfJARLEASH sample File Hash (SHA256)604b53f87d6c070bf387e80c70a6df8d272fa3fc143148d41f13e59d52ab1f13DOGLEASH sample File Hash (SHA256)c92541f273eeb576d39235d0a5c6f18f2574b132a1022598edfa38065783ab98DOGLEASH sample File Hash (SHA256)29c7fccc6ef8cbfe4da9a169c7c74bacaea1fb515a1fddef91ab1b1522f76e4cDOGLEASH sample File Hash (SHA256)425bf771c8c9f740b1ae9803dcb4fd45af4d6a6f171fcc72fc7d511095ca82ceDOGLEASH sample TLS Certificate Fingerprintc2ab9adaba93ff094b8f3fc37d906014d870582039d276b7bd03e6fd583d8a15TLS server certificate on port 99, subject DN “exploit”
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.
The post China-Nexus Hackers Exploit Ruckus Routers to Build Operational Relay Box Networks appeared first on Cyber Security News.



