> Back to All Posts

LONGLEASH Malware Expands Chinese Hacker Router Network

LONGLEASH Malware

A Chinese state-linked hacking group has developed a new piece of malware that turns ordinary routers into hidden relay points for cyberattacks. Researchers at Cisco Talos have traced this activity to a group tracked as UAT-7810, and the tool at the center of it is called LONGLEASH. The LONGLEASH malware is not just another backdoor. It’s built to expand what security researchers call an ORB network, a form of proxy infrastructure that lets attackers bounce their traffic through compromised devices around the world.

This matters because ORB networks are fundamentally different from the botnets most people have heard of. A botnet usually gets used directly for attacks like spam or denial-of-service floods. An ORB network works more like a disguise. It hides where an attack is really coming from by routing it through legitimate-looking devices, including routers sitting in ordinary homes and small offices.

How LONGLEASH Malware Gets Onto Routers

UAT-7810 isn’t breaking new ground with sophisticated zero-day exploits. Instead, the group is exploiting known vulnerabilities that many device owners simply haven’t patched yet. Ruckus routers are a primary target, hit through flaws tracked as CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717. ASUS routers running the AiCloud feature are also being targeted, this time through CVE-2025-2492.

Once a device is compromised, the LONGLEASH malware gets deployed as an upgrade to an earlier backdoor called SHORTLEASH, which security researchers first documented last year. The new version brings a longer list of capabilities. It can open a reverse shell for remote command execution, and it supports proxying across multiple protocols, including HTTP, DNS, SOCKS, TCP, ICMP, and UDP. It even includes SMTP client and server functions, along with TLS and PKI support for encrypted communications.

Perhaps most concerning is its self-removal feature. If LONGLEASH detects it’s been discovered, it can delete itself from the infected device, making it harder for defenders to trace the intrusion afterward.

A Growing Toolkit Beyond LONGLEASH

UAT-7810 hasn’t stopped at one piece of malware. Talos researchers identified several supporting tools working alongside the LONGLEASH malware to expand and maintain the group’s network.

DOGLEASH is a lightweight Linux backdoor deployed through a web shell. It requires password authentication and can run shell commands or execute code directly in a device’s memory, avoiding traces left on disk. JARLEASH, written in Java, functions as an administrative tool offering web-based file management along with FTP, SFTP, and Netcat server capabilities. A third tool, LEASHTEST, appears designed to check whether MIPS-based IoT devices can support the malware’s functions, suggesting the group is actively working to broaden LONGLEASH’s compatibility with a wider range of hardware.

Together, these tools point to an operation focused on scale. UAT-7810 isn’t just compromising individual devices. It’s building infrastructure that other Chinese state-linked groups can use, including one tracked as UAT-5918, which has reportedly relied on this same proxy network for its own operations.

Why Router Security Gets Overlooked

Most people rarely think about their router’s security beyond setting up Wi-Fi once and forgetting about it. That’s exactly what makes routers such an attractive target. Firmware updates go unapplied for months or years, and many devices sit quietly online with known, patchable vulnerabilities.

When a router becomes part of an ORB network, its owner typically notices nothing unusual. The device keeps working normally for home use while quietly forwarding traffic for someone else’s attacks in the background. This is part of why the LONGLEASH malware campaign is so effective. It doesn’t need to cause visible disruption to be useful to its operators.

Small businesses and home users running Ruckus or ASUS AiCloud-enabled routers should check for firmware updates immediately. Because the exploited vulnerabilities are already known and patched by the manufacturers, applying updates closes the door UAT-7810 is currently using to get in.

Final Thoughts

The discovery of LONGLEASH malware is a reminder that router security deserves far more attention than it typically gets. These devices sit at the edge of home and business networks, often ignored until something goes visibly wrong. UAT-7810’s approach shows how effective it can be to target overlooked infrastructure instead of chasing headline-grabbing exploits.

Anyone running a Ruckus router or an ASUS device with AiCloud enabled should prioritize firmware updates now. Beyond that, disabling remote management features when they aren’t needed, and regularly checking for unusual outbound traffic, can go a long way toward keeping a device out of networks like this one. As Chinese state-linked groups continue investing in proxy infrastructure, patched and monitored devices become one of the simplest defenses available.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.