PROBABLYPWNED
Threat IntelligenceJuly 9, 20264 min read

China's UAT-7810 Deploys Three New Backdoors Targeting SOHO Routers

China-linked APT UAT-7810 expands LapDogs campaign with LongLeash, DogLeash, and JarLeash backdoors. Over 1,000 Ruckus and Asus routers compromised for espionage relay network.

Alex Kowalski

A China-linked threat actor designated UAT-7810 has expanded its toolkit with three new backdoors—LongLeash, DogLeash, and JarLeash—as part of an ongoing campaign to build operational relay infrastructure from compromised SOHO routers. Cisco Talos researchers documented the evolution, noting the group has infected over 1,000 small office/home office routers to create an anonymizing network for espionage operations.

The campaign, tracked as "LapDogs," primarily targets unpatched Ruckus wireless routers, though Asus AiCloud devices have also been compromised.

New Backdoor Arsenal

LongLeash builds on the earlier ShortLeash implant, expanding its peer-to-peer relay capabilities. The backdoor can function as an intermediate server, forwarding commands and data between command-and-control infrastructure and other infected devices. It uses the same underlying libraries as ShortLeash—Nanopb for protocol buffers and MbedTLS for encryption—suggesting iterative development rather than a ground-up rewrite.

DogLeash takes a different approach. This C-based passive backdoor deploys via shell script and provides standard remote access capabilities: command execution, file operations, OS information retrieval, and in-memory code execution based on C2 instructions. The passive design makes network-based detection more difficult since the backdoor doesn't initiate outbound connections until instructed.

JarLeash rounds out the trio with a Java-based implant offering broader functionality. Beyond basic remote access, it can host a web-based file management interface and run FTP and SFTP servers, plus netcat-style network utilities. The Java runtime requirement limits its deployment to devices with sufficient resources, but it provides the most complete feature set of the three.

The group has also developed LeashTest, a MIPS platform testing binary that serves as a potential indicator of ongoing infrastructure expansion targeting MIPS-based network devices.

Targeted Infrastructure

UAT-7810 exploits three known vulnerabilities in Ruckus wireless access points: CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717. All three have public patches, but SOHO devices notoriously languish without updates. The targeting of Asus AiCloud routers, linked to a parallel campaign called Operation WrtHug, suggests the group actively scouts for additional vulnerable device classes.

The payloads support MIPS, ARM, and x64 architectures, covering the processor families found in most consumer and small business network equipment.

Building Relay Infrastructure

China-linked APT groups have increasingly favored operational relay box (ORB) networks that route attack traffic through legitimate residential and small business IP addresses. The Armored Likho campaign we covered last week used similar infrastructure-first approaches to disguise attack origins.

By compromising edge devices rather than endpoints, UAT-7810 gains several advantages. Router compromises persist through endpoint reimaging. Traffic passing through residential IP ranges attracts less scrutiny than known VPS providers. And defenders analyzing intrusions see the last-hop relay, not the actual attacker infrastructure.

Cisco Talos notes that UAT-7810 provides infrastructure support to UAT-5918, another China-linked group, suggesting shared resources across multiple Chinese espionage operations.

Why This Matters

SOHO router security remains an afterthought for most organizations. Devices get deployed, rarely patched, and forgotten until they fail. Firmware updates require manual intervention on most consumer equipment. Manufacturers often abandon support within a few years of release.

That neglect creates a persistent supply of compromisable devices for APT groups building anonymizing infrastructure. The three new backdoors indicate sustained investment in this capability—UAT-7810 isn't treating router compromise as a one-time project but as ongoing infrastructure development.

Recommended Mitigations

  1. Patch Ruckus devices immediately against CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717
  2. Audit network device firmware across your organization, including branch offices and remote workers
  3. Disable remote management interfaces on edge devices unless operationally required
  4. Monitor for unusual outbound connections from network equipment to unexpected destinations
  5. Consider device replacement for end-of-life equipment no longer receiving security updates

For teams tracking Chinese APT activity, the LapDogs campaign demonstrates continued focus on pre-positioning network infrastructure rather than immediate exploitation. These relay networks enable future operations while providing deniability—compromised legitimate devices are far harder to attribute than rented VPS infrastructure.

Related Articles