Listen to this Post

Introduction:
In a concerning escalation of cyber espionage tactics, the advanced persistent threat (APT) actor tracked as UAT-7810 is aggressively expanding its Operational Relay Box (ORB) network by exploiting known vulnerabilities in widely deployed networking equipment. This infrastructure, known as LapDogs, functions as a sophisticated anonymization mesh that allows China-aligned APT groups to route malicious traffic through compromised SOHO routers and IoT devices, effectively masking the true origin of their attacks against high-value targets worldwide. With over 1,000 infected nodes actively operating and a growing arsenal of custom malware including LONGLEASH, DOGLEASH, and JARLEASH, UAT-7810 represents a paradigm shift in how nation-state actors leverage edge devices for persistent, deniable operations.
Learning Objectives:
- Understand the technical architecture of Operational Relay Box (ORB) networks and how they differ from traditional botnets
- Identify the specific n-day vulnerabilities in Ruckus and ASUS routers being exploited by UAT-7810
- Learn to detect and investigate compromise indicators associated with the LapDogs campaign
- Master practical commands and techniques for hardening edge devices against ORB recruitment
- Develop threat-hunting strategies to identify ORB node behavior within enterprise networks
You Should Know:
- Understanding the ORB Network Architecture — A Hybrid of VPN and Botnet
Operational Relay Box networks represent an evolution in adversary infrastructure, combining the anonymity of VPNs with the distributed resilience of botnets. Unlike traditional botnets that feature relatively flat architectures where a controller communicates directly with infected bots, ORB networks establish a multi-layered mesh of relay nodes. Traffic passes through multiple compromised devices — each acting as an Operational Relay Box — before reaching its final destination, making attribution extremely difficult for defenders.
The LapDogs ORB network, first disclosed by SecurityScorecard in 2025, is built primarily from compromised Linux-based SOHO devices including Ruckus wireless routers, ASUS AiCloud routers, and various MIPS-based IoT devices. UAT-7810, assessed with high confidence as a China-1exus threat actor, maintains this infrastructure and provides relay capabilities to secondary APT groups such as UAT-5918. The network has been operational since at least September 2023 and has steadily grown to over 1,000 active nodes globally.
How ORB Networks Differ from Traditional Botnets:
| Feature | Traditional Botnet | ORB Network |
||-|-|
| Architecture | Flat (C2 → Bots) | Mesh (multi-hop relay) |
| Anonymity | Limited | High (traffic routed through multiple nodes) |
| Attribution | Easier to trace | Extremely difficult |
| Primary Targets | End-user machines | Edge devices (routers, IoT) |
| Persistence | Often temporary | Designed for long-term operation |
Key Technical Characteristics of LapDogs ORB:
- Self-signed TLS certificates spoofed with “LAPD” metadata — an apparent attempt to impersonate the Los Angeles Police Department and mislead analysts
- Multi-protocol proxying supporting HTTP, DNS, SOCKS, TCP, ICMP, and UDP
- Intermediate C2 capabilities allowing infected nodes to forward commands and data between peers
- Modular malware design with separate components for backdoor access, administration, and hardware testing
- The Vulnerability Arsenal — N-Day Flaws Powering Initial Access
UAT-7810 primarily gains initial access by exploiting known (n-day) vulnerabilities in unpatched internet-facing devices — a tactic that highlights the persistent danger of neglected firmware updates. The threat actor has demonstrated a preference for Ruckus wireless routers and ASUS AiCloud-enabled devices, with the following CVEs being actively exploited:
Ruckus Router Vulnerabilities:
| CVE | Affected Products | Description |
|–||-|
| CVE-2020-22653 | Ruckus ZoneDirector (versions 10.0.x and below) | Download of Code Without Integrity Check — allows attackers to execute arbitrary code |
| CVE-2020-22658 | Ruckus wireless products | Code Injection vulnerability enabling remote code execution |
| CVE-2023-25717 | Ruckus SmartZone and related products | Security vulnerability allowing unauthorized access |
ASUS AiCloud Vulnerability:
| CVE | Affected Products | Description |
|–||-|
| CVE-2025-2492 | ASUS routers with AiCloud feature enabled | Improper authentication control (CVSS 9.2) — allows unauthorized remote attackers to execute functions without authentication |
Critical Observation: All of these are known vulnerabilities with available patches. The fact that UAT-7810 continues to successfully exploit them underscores a massive gap in edge device security hygiene across organizations worldwide. According to Cisco Talos, the threat actor has been using these same Ruckus vulnerabilities since 2025, indicating that many devices remain unpatched years after fixes were released.
Linux Command to Check for Vulnerable Ruckus ZoneDirector Versions:
Check ZoneDirector firmware version via SNMP (if enabled) snmpget -v2c -c public <ROUTER_IP> 1.3.6.1.2.1.1.1.0 Alternative: Check via HTTP headers curl -I http://<ROUTER_IP> | grep -i "server" For Ruckus APs, check web interface version curl -s http://<ROUTER_IP>/ | grep -i "version"
Windows Command to Scan for Vulnerable ASUS AiCloud Devices:
Scan local network for ASUS devices with port 8080 (AiCloud default) nmap -p 8080 --open 192.168.1.0/24 Check for specific ASUS firmware version via SNMP snmpwalk -v2c -c public <ROUTER_IP> 1.3.6.1.2.1.1.1.0
- The Malware Arsenal — From SHORTLEASH to LONGLEASH and Beyond
UAT-7810 has developed a sophisticated, modular malware ecosystem designed for different stages of ORB network operations. Cisco Talos has identified at least four distinct malware families in the threat actor’s arsenal:
LONGLEASH (Evolution of SHORTLEASH)
The flagship malware of the LapDogs campaign, LONGLEASH represents a significant upgrade from its predecessor SHORTLEASH. Key capabilities include:
- Reverse shell access for remote command execution
- Multi-protocol proxying (HTTP, DNS, SOCKS, TCP, ICMP, UDP)
- SMTP client and server functionality for email-based C2 communication
- TLS and PKI support for encrypted communications
- Self-removal mechanisms that trigger upon detection of tampering or suspicious activity
- Intermediate C2 server capability — can forward commands and data between infected nodes, creating a resilient mesh
DOGLEASH (C-Based Linux Backdoor)
A lightweight backdoor deployed via shell scripts on compromised Linux systems:
- Opens a listening TCP port after modifying iptables rules to allow incoming traffic
- Uses a hardcoded password to authenticate incoming requests
- Supports shell command execution, file access, and arbitrary code execution in memory
JARLEASH (Java-Based Administrative Tool)
A JAR package providing administration capabilities:
- Web-based file management interface
- FTP, SFTP, and Netcat server functions
- Used for file management and maintaining persistence on compromised servers
LEASHTEST (MIPS IoT Testing Utility)
An ELF binary designed to test whether MIPS-based IoT devices can execute malware operations:
- Tests rudimentary functionality on MIPS embedded devices
- Its presence on a device indicates the device has likely been compromised
Indicators of Compromise (IoCs) to Hunt For:
According to Cisco Talos, the following IP addresses have been associated with UAT-7810 payload hosting:
194.233.92[.]26 217.15.160[.]247 217.15.164[.]147
Linux Command to Detect LONGLEASH/DOGLEASH Activity:
Check for unexpected listening ports (DOGLEASH opens TCP ports) ss -tulpn | grep -E "LISTEN.[0-9]+" Check for modified iptables rules (DOGLEASH modifies these) iptables -L -1 -v Look for unusual processes on MIPS/ARM devices ps aux | grep -E "(dogleash|longleash|jarleash)" Check for unexpected outgoing connections to known malicious IPs netstat -anp | grep -E "194.233.92|217.15.160|217.15.164"
Windows PowerShell Command for Network IOC Detection:
Monitor for connections to known malicious IPs
Get-1etTCPConnection | Where-Object {$_.RemoteAddress -match "194.233.92|217.15.160|217.15.164"}
Check for unusual scheduled tasks (persistence mechanism)
Get-ScheduledTask | Where-Object {$_.TaskName -match "leash|dog|java"}
Review firewall rules for unexpected inbound allowances
Get-1etFirewallRule | Where-Object {$<em>.Direction -eq "Inbound" -and $</em>.Action -eq "Allow"}
- Step-by-Step Guide: Detecting ORB Network Compromise in Your Environment
ORB networks present unique detection challenges because compromised nodes appear as legitimate residential or commercial broadband users. Traditional IOC-based blocking becomes less effective as ORB networks evolve. Here’s a comprehensive approach to detection:
Step 1: Establish a Baseline of Normal Edge Device Behavior
Linux: Record normal outbound connection patterns tcpdump -i eth0 -1 -c 1000 > normal_traffic_baseline.pcap Document normal listening ports ss -tulpn > normal_ports_baseline.txt Record normal process list ps aux > normal_process_baseline.txt
Step 2: Monitor for Behavioral Anomalies
ORB nodes typically exhibit:
- Unusual outbound connection patterns — devices making connections to multiple geographic regions
- Unexpected protocol usage — HTTP/DNS tunneling or ICMP exfiltration
- Modified firewall rules — iptables changes to allow incoming connections
- Self-signed TLS certificates — especially those with “LAPD” in the issuer field
Step 3: Deploy Network Traffic Analysis
Monitor for DNS tunneling (common ORB C2 technique) tcpdump -i eth0 -1 port 53 -v | grep -E "TXT|MX|SRV" Detect unusual ICMP traffic (used by LONGLEASH for proxying) tcpdump -i eth0 -1 icmp -v | grep -E "echo request|echo reply" | wc -l Monitor for unexpected proxy protocol usage tcpdump -i eth0 -1 -v | grep -E "SOCKS|CONNECT|HTTP/1.1"
Step 4: Investigate Compromised Devices Using Behavioral Fingerprints
SecurityScorecard has published behavioral fingerprints for LapDogs targeting:
- Check for fake Nginx web servers (SHORTLEASH creates these to masquerade)
- Look for unexpected Java processes (JARLEASH deployment)
- Examine MIPS/ARM binaries for LEASHTEST signatures
Step 5: Implement Continuous Monitoring
Create a cron job for daily anomaly detection !/bin/bash /etc/cron.daily/orb-detection.sh echo "=== ORB Detection Scan $(date) ===" >> /var/log/orb_detection.log ss -tulpn | grep -vE "127.0.0.1|::1" >> /var/log/orb_detection.log iptables -L -1 -v >> /var/log/orb_detection.log ps aux | grep -vE "root|daemon|systemd" >> /var/log/orb_detection.log
- Mitigation and Hardening — Protecting Edge Devices from ORB Recruitment
Given that UAT-7810 exploits known, patched vulnerabilities, the most effective defense is proactive patch management. However, a multi-layered approach is essential:
Immediate Actions:
1. Patch Ruckus Devices:
- Update ZoneDirector to version 10.0.1.0.93 or higher (for CVE-2020-22653)
- Apply all security updates for CVE-2020-22658 and CVE-2023-25717
- Check Ruckus security bulletins for the latest patches
2. Patch ASUS AiCloud Devices:
- Update firmware to versions addressing CVE-2025-2492 (CVSS 9.2 — critical)
- Disable AiCloud functionality if not required
- Review ASUS security advisories for additional fixes
3. Network Segmentation:
- Isolate IoT and SOHO devices from critical networks
- Implement VLANs to limit lateral movement
Linux Hardening Commands:
Disable unnecessary services on Linux-based routers systemctl disable --1ow telnet systemctl disable --1ow ftp systemctl disable --1ow snmpd Implement strict firewall rules (allow only necessary traffic) iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT SSH only iptables -A INPUT -p tcp --dport 443 -j ACCEPT HTTPS management Enable logging for dropped packets iptables -A INPUT -j LOG --log-prefix "IPTABLES-DROPPED: " Save rules iptables-save > /etc/iptables/rules.v4
Windows (for network management systems) Hardening:
Disable unnecessary services on Windows-based management systems Set-Service -1ame "Telnet" -StartupType Disabled Set-Service -1ame "FTP Publishing" -StartupType Disabled Configure Windows Firewall to restrict management access New-1etFirewallRule -DisplayName "Block All Except SSH/HTTPS" -Direction Inbound -Action Block Enable advanced audit logging for network connections auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
Long-Term Security Measures:
- Implement asset inventory — many organizations lack accurate inventories of connected devices
- Adopt Zero Trust architecture — segment networks and enforce least-privilege access
- Deploy threat intelligence feeds — tag known ORB-associated IPs and ranges
- Shift from reactive IOC blocking to behavioral profiling
- Advanced Threat Hunting — Mapping ORB Activity to MITRE ATT&CK
Understanding how UAT-7810’s tactics map to the MITRE ATT&CK framework enables more effective threat hunting:
| Tactic | Technique | UAT-7810 Implementation |
|–|–||
| Initial Access | T1190 – Exploit Public-Facing Application | CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, CVE-2025-2492 |
| Persistence | T1505.003 – Server Software Component: Web Shell | DOGLEASH backdoor deployment |
| Defense Evasion | T1070 – Indicator Removal | LONGLEASH self-removal mechanisms |
| Command & Control | T1090.003 – Proxy: Multi-hop Proxy | ORB mesh routing through compromised nodes |
| Exfiltration | T1048 – Exfiltration Over Alternative Protocol | Multi-protocol proxying (HTTP, DNS, SOCKS, etc.) |
Threat Hunting Query for SIEM Deployment:
-- Splunk/ELK query for potential ORB activity
index=network_traffic
(source_ip IN (194.233.92., 217.15.160., 217.15.164.) OR dest_ip IN (194.233.92., 217.15.160., 217.15.164.))
OR (protocol IN ("http","dns","socks","tcp","icmp","udp") AND bytes_out > 1000000 AND dest_port NOT IN (80,443,53))
| stats count by source_ip, dest_ip, protocol
| where count > 100
What Undercode Say:
- Key Takeaway 1: The LapDogs campaign demonstrates that nation-state APTs are increasingly commoditizing edge device infrastructure — UAT-7810 functions as a “relay-as-a-service” provider for other China-aligned espionage groups, creating a layered deniability structure that complicates attribution.
-
Key Takeaway 2: The reliance on n-day vulnerabilities (not zero-days) is a critical wake-up call — organizations that fail to maintain rigorous patch management for networking equipment are effectively providing free infrastructure to sophisticated adversaries.
Analysis:
The UAT-7810 campaign represents a fundamental shift in how state-sponsored cyber operations are conducted. By creating a shared infrastructure layer that multiple APT groups can leverage, the operator achieves economies of scale while distributing operational risk. The ORB network model is particularly insidious because it weaponizes devices that organizations often overlook — SOHO routers, IP cameras, and other edge devices that lack enterprise-grade security monitoring.
The modular malware architecture (LONGLEASH, DOGLEASH, JARLEASH, LEASHTEST) reveals a mature development operation that tests against multiple hardware architectures including MIPS, ARM, and x64. This cross-platform capability ensures the threat actor can compromise virtually any internet-connected device, regardless of processor architecture.
Perhaps most concerning is the self-sustaining nature of ORB networks — each compromised node becomes both a victim and an attacker, routing traffic for other malicious operations while remaining undetected as a legitimate residential IP address. This creates a “reputation laundering” effect where malicious traffic appears to originate from innocent home and business networks.
Prediction:
- +1 ORB networks will become the dominant infrastructure model for nation-state cyber operations within 24 months, with multiple APT groups adopting similar “infrastructure-as-a-service” models that decouple attack execution from infrastructure management.
-
-1 The average time-to-patch for SOHO and edge devices will remain critically high (>180 days), ensuring that UAT-7810 and copycat actors will have a steady supply of exploitable devices for the foreseeable future.
-
-1 Defenders will face increasing difficulty in attribution as ORB networks evolve to include more sophisticated obfuscation techniques, potentially leading to false flag operations and international misattribution incidents.
-
+1 The cybersecurity industry will develop new behavioral detection frameworks specifically designed for ORB network identification, shifting away from traditional IOC-based approaches toward machine learning-driven anomaly detection.
-
-1 Regulatory bodies will likely mandate stricter security requirements for consumer networking equipment, but enforcement will lag behind threat actor innovation, leaving a persistent gap between policy and practice.
-
+1 Threat intelligence sharing between ISPs and security vendors will improve as the industry recognizes that ORB networks represent a shared infrastructure problem that requires collective defense approaches.
This article is based on threat intelligence from Cisco Talos, SecurityScorecard, Team Cymru, and Mandiant, with technical analysis aligned to the MITRE ATT&CK framework and NIST Cybersecurity Framework.
▶️ Related Video (64% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Varshu25 China – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


