LONGLEASH is a custom backdoor used by the China-nexus threat actor UAT-7810 in its LapDogs operational relay box (ORB) campaign. Cisco Talos described it as an upgraded successor to the previously documented SHORTLEASH backdoor, built largely on the same codebase and internally named ff-agent. UAT-7810 appears to use LONGLEASH on compromised internet-facing networking devices, especially unpatched Ruckus wireless routers exploited via CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717; reporting also links related UAT-7810 infrastructure to exploitation of ASUS AiCloud routers via CVE-2025-2492. Payloads were observed for MIPS, ARM, and x64 architectures.
Based on the reporting, LONGLEASH retains SHORTLEASH capabilities including command-and-control communications, web server hosting, tunnel management, and operation as both a C2 server and client, while significantly expanding functionality. Reported capabilities include reverse shell access; proxying and packet redirection over HTTP, DNS, SOCKS, TCP, ICMP, and UDP; encrypted tunnel management; SMTP client and server functionality; TLS and PKI support; client authorization; management of network connections to other servers; and self-removal if tampering or suspicious connections are detected. It can also function as an intermediate command server, forwarding commands and data between the primary C2 and peer infected nodes, supporting UAT-7810’s role in building relay infrastructure for downstream espionage operations.
Talos reported that LONGLEASH contains code from open-source libraries including Nanopb and MbedTLS; the MIPS variant also uses Boost.Asio and a small musl libc implementation. The malware was reported to use the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36" to disguise traffic as normal web browsing.
The malware is associated with UAT-7810, which Talos assessed with high confidence to be a China-nexus actor primarily focused on establishing and maintaining ORB infrastructure that can be used by other China-aligned groups, including UAT-5918, to mask espionage activity against high-value targets. Infrastructure and indicators reported in connection with this activity include IPs 194.233.92.26, 217.15.160.247, 217.15.164.147, and 95.182.100.231; associated HTTP services on ports 99, 2222, and 8088; and a TLS certificate fingerprint c2ab9adaba93ff094b8f3fc37d906014d870582039d276b7bd03e6fd583d8a15 with subject DN set to "exploit".
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
UAT-7810 mainly targets known vulnerabilities in Ruckus wireless routers, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 | Talos, which tracks the threat actor as UAT-7810, has discovered a newer version of the backdoor, dubbed LongLeash, as well as two other malware families the APT has been relying on, namely DogLeash and JarLeash.
UAT-7810 mainly targets known vulnerabilities in Ruckus wireless routers, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 | Talos, which tracks the threat actor as UAT-7810, has discovered a newer version of the backdoor, dubbed LongLeash, as well as two other malware families the APT has been relying on, namely DogLeash and JarLeash.
UAT-7810 mainly targets known vulnerabilities in Ruckus wireless routers, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 | Talos, which tracks the threat actor as UAT-7810, has discovered a newer version of the backdoor, dubbed LongLeash, as well as two other malware families the APT has been relying on, namely DogLeash and JarLeash.
Campaigns observed earlier this year have also singled out ASUS AiCloud Routers susceptible to CVE-2025-2492, indicating potential attempts to broaden the ORB network.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Talos, which tracks the threat actor as UAT-7810, has discovered a newer version of the backdoor, dubbed LongLeash, as well as two other malware families the APT has been relying on, namely DogLeash and JarLeash.
12 distinct techniques documented for this family, organized by ATT&CK tactic.
The recently identified LongLeash backdoor builds on the functionality previously observed in ShortLeash, such as command-and-control (C&C) communication
It borrows code from open-source libraries and uses a Chrome browser identifier to disguise its network traffic as normal web browsing.
The backdoor can function as an intermediate server, forwarding commands and data received from the C&C to other peers.
LONGLEASH can act as a proxy, run its own web server, manage encrypted tunnels, and even function as an intermediate command server that passes instructions along to other infected devices.
89 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A newer backdoor derived from ShortLeash that supports command-and-control communication, web server hosting, tunnel management, and can act as both C&C and client. It can also function as an intermediate server, forwarding commands and data from the C&C to other peers.
An upgraded backdoor used in the LapDogs ORB ecosystem that adds proxying capabilities and can relay commands to other infected machines.
A newer version of ShortLeash used by UAT-7810. It is a full-fledged backdoor framework with proxying over HTTP, DNS, SOCKS, TCP, ICMP, and UDP, network connection management, client authorization, anti-tamper cleanup, and the ability to act as an intermediate C2 relay between primary C2 and peers.
An upgraded custom backdoor that supports proxying, a built-in web server, encrypted tunnels, and intermediate command-server functionality to relay instructions across infected devices while disguising traffic as normal Chrome browsing.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.