UAT-7810 is a China-nexus advanced persistent threat actor assessed with high confidence by Cisco Talos to be responsible for maintaining and expanding the LapDogs operational relay box (ORB) network. The group has been active since at least 2025 and appears to function primarily as an initial access and relay-capability provider for other China-aligned espionage actors, including UAT-5918, while remaining a distinct cluster. Talos assessed that UAT-7810 likely establishes ORB networks for use by secondary China-nexus threat actors against high-value targets. UAT-7810 develops custom tooling. Its malware arsenal includes SHORTLEASH and its newer successor LONGLEASH, both internally named ff-agent; DOGLEASH, a C-based passive Linux backdoor; JARLEASH, a Java-based backdoor; and LEASHTEST, a benign ELF test utility internally named iot-test. SHORTLEASH provides command-and-control communications, web server hosting, tunnel management, and operation as both a C2 server and client. LONGLEASH extends this with reverse shell capability, proxying and packet redirection for HTTP, DNS, SOCKS, TCP, ICMP, and UDP, SMTP server and client functionality, TLS/PKI connection handling, client authorization, tunnel management, routing through the proxy network, and self-removal if tampering or suspicious connections are detected. DOGLEASH is deployed via shell scripts on compromised Linux devices, modifies iptables to allow inbound TCP traffic, listens on a hardcoded local port, decodes incoming data with a hardcoded password, and can execute shell commands, read and rename files, close its listener, gather OS information, and execute code in memory. JARLEASH is used on both UAT-7810-controlled infrastructure and compromised systems where Java is present, and supports web-based file management, FTP, SFTP, and Netcat functionality. LEASHTEST is used to test core functionality on MIPS-based embedded and IoT platforms, and its presence is considered a high-confidence indicator of compromise. The actor’s operational methodology remains focused on exploiting known n-day vulnerabilities, especially in unpatched Ruckus wireless routers. Talos observed exploitation of CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717. Talos also linked infrastructure associated with UAT-7810 to exploitation of ASUS AiCloud routers via CVE-2025-2492, suggesting attempts to broaden the ORB network. After compromise, UAT-7810 uses payload-hosting infrastructure to distribute malware for MIPS, ARM, and x64 platforms, with DOGLEASH predominating on newly identified servers. Talos also noted JARLEASH configuration comments in Simplified Chinese, indicating Chinese-speaking operators. Known alias in the provided content: uat_7810.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
15 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
5 malware families attributed to this actor across reporting.
4 CVEs this actor has used in observed campaigns. 4 of them exploited in the wild.
Talos has observed UAT-7810 primarily exploit known vulnerabilities in unpatched Ruckus wireless routers, a tactic UAT-7810 has used since 2025. CVEs exploited include: CVE-2020-22653, CVE-2020-22658, CVE-2023-25717.
Talos has observed UAT-7810 primarily exploit known vulnerabilities in unpatched Ruckus wireless routers, a tactic UAT-7810 has used since 2025. CVEs exploited include: CVE-2020-22653, CVE-2020-22658, CVE-2023-25717.
Talos has observed UAT-7810 primarily exploit known vulnerabilities in unpatched Ruckus wireless routers, a tactic UAT-7810 has used since 2025. CVEs exploited include: CVE-2020-22653, CVE-2020-22658, CVE-2023-25717.
One of the IPs, “217.15.164[.]147”, was also used as infrastructure to conduct exploitation of ASUS’ AiCloud Routers in early 2026 — specifically CVE-2025-2492 — indicating that UAT-7810 or an associated threat actor likely attempted to expand their ORB network to AiCloud Routers.
90 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Maintains and expands the LapDogs ORB network, develops custom backdoors for compromised networking and IoT devices, and exploits known vulnerabilities in routers to build relay infrastructure that can support follow-on malicious operations against high-value targets.
China-nexus threat group acting primarily as an initial access and relay-network provider for larger state-aligned cyber espionage operations, expanding its ORB infrastructure and developing custom backdoors for compromised devices and attacker-controlled infrastructure.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.