Full Report
Talos’ latest findings on UAT-7810 indicate that the threat actor continues to develop their custom-made malware.
Analysis Summary
# Threat Actor: UAT-7810
## Attribution & Identity
* **Identification:** UAT-7810 is an advanced persistent threat (APT) actor characterized as a "China-nexus" group.
* **Known Aliases:** Associated with the "LapDogs" Operational Relay Box (ORB) network.
* **Known Associations:** Provides infrastructure to secondary China-nexus APTs, specifically **UAT-5918** (which targets critical infrastructure in Taiwan). While tooling overlaps with UAT-5918, Cisco Talos currently tracks them as separate entities.
## Activity Summary
UAT-7810 is primarily responsible for establishing and proliferating **Operational Relay Box (ORB)** networks. These networks serve as an anonymizing proxy layer that secondary threat actors use to launch further attacks. Recent activity involves the exploitation of N-day vulnerabilities in small office/home office (SOHO) routers and the deployment of a custom suite of malware (the "LEASH" family) for network persistence and administration.
## Tactics, Techniques & Procedures
* **Exploitation of N-day Vulnerabilities:** Focuses on unpatched networking hardware.
* **Infrastructure Provisioning:** Specializes in building ORB networks to obfuscate the origin of attacks by secondary actors.
* **Cross-Platform Targeting:** Developing payloads for MIPS, ARM, and x64 architectures.
* **Persistence:** Use of shell scripts to automate the download and execution of backdoors on compromised routers.
* **MITRE ATT&CK IDs:**
* **T1190:** Exploit Public-Facing Application (Ruckus and ASUS routers)
* **T1059.004:** Command and Scripting Interpreter: Unix Shell
* **T1105:** Ingress Tool Transfer
* **T1090:** Proxy (ORB network construction)
## Targeting
* **Sectors:** Technology (SOHO router manufacturers), Critical Infrastructure (via proxying for secondary actors).
* **Geography:** Global (via ORB nodes); infrastructure identified in **Hong Kong**. Secondary actors using their infrastructure target **Taiwan**.
* **Victims:** Specifically users of **Ruckus wireless routers** and **ASUS AiCloud routers**.
## Tools & Infrastructure
### Malware Families
* **SHORTLEASH:** Initial custom backdoor capable of C2, tunneling, and hosting web servers.
* **LONGLEASH:** An evolved, more advanced version of SHORTLEASH currently under development.
* **DOGLEASH:** A C-based backdoor for Linux devices designed to execute arbitrary shellcode.
* **JARLEASH:** A Java-based (JAR) backdoor used for server administration (file management, FTP/SFTP, Netcat).
* **LEASHTEST:** A MIPS-based ELF binary used for functionality testing on embedded devices.
### Infrastructure
* **Download/Hosting Servers:**
* 194.233.92[.]26 (VPS)
* 217.15.160[.]247 (VPS)
* 217.15.164[.]147 (Used for ASUS AiCloud exploitation)
* 95.182.100[.]231 (Hong Kong-based)
* **TLS Certificate Fingerprint:** `c2ab9adaba93ff094b8f3fc37d906014d870582039d276b7bd03e6fd583d8a15` (Subject: CN=exploit).
## Implications
UAT-7810 represents a specialized "tier-one" logistical cell within the Chinese cyber-espionage ecosystem. By maintaining the "LapDogs" ORB network, they provide a layer of deniability and operational security for other high-profile APTs. The continuous development of the "LEASH" malware suite indicates a long-term commitment to maintaining this infrastructure despite public disclosure.
## Mitigations
* **Patch Management:** Prioritize patching SOHO and edge networking equipment, specifically addressing:
* CVE-2020-22653, CVE-2020-22658, CVE-2023-25717 (Ruckus)
* CVE-2025-2492 (ASUS AiCloud)
* **Network Monitoring:** Monitor for unusual outbound traffic from networking hardware, especially on non-standard ports (e.g., TLS on Port 99).
* **Infrastructure Defense:** Block known IOCs and monitor for the identified TLS certificate fingerprint within the environment.
* **Device Hardening:** Disable unnecessary services like remote management and AiCloud features on edge routers if not strictly required.