China's UAT-7810 Deploys Three New Backdoors Targeting SOHO Routers
China-linked APT UAT-7810 expands LapDogs campaign with LongLeash, DogLeash, and JarLeash backdoors. Over 1,000 Ruckus and Asus routers compromised for espionage relay network.
A China-linked threat actor designated UAT-7810 has expanded its toolkit with three new backdoors—LongLeash, DogLeash, and JarLeash—as part of an ongoing campaign to build operational relay infrastructure from compromised SOHO routers. Cisco Talos researchers documented the evolution, noting the group has infected over 1,000 small office/home office routers to create an anonymizing network for espionage operations.
The campaign, tracked as "LapDogs," primarily targets unpatched Ruckus wireless routers, though Asus AiCloud devices have also been compromised.
New Backdoor Arsenal
LongLeash builds on the earlier ShortLeash implant, expanding its peer-to-peer relay capabilities. The backdoor can function as an intermediate server, forwarding commands and data between command-and-control infrastructure and other infected devices. It uses the same underlying libraries as ShortLeash—Nanopb for protocol buffers and MbedTLS for encryption—suggesting iterative development rather than a ground-up rewrite.
DogLeash takes a different approach. This C-based passive backdoor deploys via shell script and provides standard remote access capabilities: command execution, file operations, OS information retrieval, and in-memory code execution based on C2 instructions. The passive design makes network-based detection more difficult since the backdoor doesn't initiate outbound connections until instructed.
JarLeash rounds out the trio with a Java-based implant offering broader functionality. Beyond basic remote access, it can host a web-based file management interface and run FTP and SFTP servers, plus netcat-style network utilities. The Java runtime requirement limits its deployment to devices with sufficient resources, but it provides the most complete feature set of the three.
The group has also developed LeashTest, a MIPS platform testing binary that serves as a potential indicator of ongoing infrastructure expansion targeting MIPS-based network devices.
Targeted Infrastructure
UAT-7810 exploits three known vulnerabilities in Ruckus wireless access points: CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717. All three have public patches, but SOHO devices notoriously languish without updates. The targeting of Asus AiCloud routers, linked to a parallel campaign called Operation WrtHug, suggests the group actively scouts for additional vulnerable device classes.
The payloads support MIPS, ARM, and x64 architectures, covering the processor families found in most consumer and small business network equipment.
Building Relay Infrastructure
China-linked APT groups have increasingly favored operational relay box (ORB) networks that route attack traffic through legitimate residential and small business IP addresses. The Armored Likho campaign we covered last week used similar infrastructure-first approaches to disguise attack origins.
By compromising edge devices rather than endpoints, UAT-7810 gains several advantages. Router compromises persist through endpoint reimaging. Traffic passing through residential IP ranges attracts less scrutiny than known VPS providers. And defenders analyzing intrusions see the last-hop relay, not the actual attacker infrastructure.
Cisco Talos notes that UAT-7810 provides infrastructure support to UAT-5918, another China-linked group, suggesting shared resources across multiple Chinese espionage operations.
Why This Matters
SOHO router security remains an afterthought for most organizations. Devices get deployed, rarely patched, and forgotten until they fail. Firmware updates require manual intervention on most consumer equipment. Manufacturers often abandon support within a few years of release.
That neglect creates a persistent supply of compromisable devices for APT groups building anonymizing infrastructure. The three new backdoors indicate sustained investment in this capability—UAT-7810 isn't treating router compromise as a one-time project but as ongoing infrastructure development.
Recommended Mitigations
- Patch Ruckus devices immediately against CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717
- Audit network device firmware across your organization, including branch offices and remote workers
- Disable remote management interfaces on edge devices unless operationally required
- Monitor for unusual outbound connections from network equipment to unexpected destinations
- Consider device replacement for end-of-life equipment no longer receiving security updates
For teams tracking Chinese APT activity, the LapDogs campaign demonstrates continued focus on pre-positioning network infrastructure rather than immediate exploitation. These relay networks enable future operations while providing deniability—compromised legitimate devices are far harder to attribute than rented VPS infrastructure.
Related Articles
Chinese Hackers Stole US Defense, AI Data for 14 Months Undetected
Google TAG exposes UNC6508 campaign that compromised US and Canadian medical, academic, and military research labs since September 2023 using custom INFINITERED malware.
Jun 16, 2026China-Linked OP-512 Deploys Cryptographic Web Shells on IIS Servers
ReliaQuest uncovers OP-512 threat cluster targeting Windows IIS servers with three-part web shell framework. Each deployment is unique, self-reporting, and timestamps itself to evade forensics.
Jun 12, 2026Phantom Taurus: Chinese APT Deploys NET-STAR Malware Suite
Unit 42 exposes Phantom Taurus, a China-aligned APT targeting governments and telecoms across Africa, the Middle East, and Asia with custom NET-STAR backdoors for IIS servers.
Jun 6, 2026Chinese APT Calypso Deploys Showboat and JFMBackdoor Against Telecoms
China-linked Calypso group targets telecoms across Middle East and Asia Pacific with new Linux and Windows malware. Showboat provides SOCKS5 proxy access; JFMBackdoor enables full system control.
May 22, 2026