DOGLEASH is a lightweight C-based passive backdoor used by the China-nexus threat actor UAT-7810 as part of its LapDogs Operational Relay Box (ORB) infrastructure campaign. It is deployed on compromised Linux devices, including internet-facing networking equipment and routers, via shell scripts or web shell scripts. The deployment script modifies iptables to allow inbound TCP traffic to the port on which DOGLEASH binds and listens. Talos reported that UAT-7810 has used known vulnerabilities in unpatched Ruckus wireless routers, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717, to compromise devices in this broader campaign, and related activity also involved ASUS AiCloud routers via CVE-2025-2492.
DOGLEASH listens quietly on infected Linux systems and waits for authenticated incoming requests, with reporting indicating it decodes received TCP data using a hardcoded password string. Its capabilities include executing shell commands, executing arbitrary shellcode or code in memory, reading files, renaming files, retrieving OS information, and closing its socket listener. Reporting also states it creates a new thread and performs actions based on received command codes and accompanying data. Researchers identified attacker-controlled infrastructure hosting multiple DOGLEASH variants for post-compromise operations, with payload-hosting and related indicators including 217.15.160.247, 194.233.92.26, 217.15.164.147, and 95.182.100.231, as well as URLs such as http://217.15.160.247:8088/, http://217.15.160.247:2222/, http://217.15.160.247:99/, http://194.233.92.26:8088/, http://194.233.92.26:2222/, http://217.15.164.147:99/, http://217.15.164.147:8088/, http://217.15.164.147:2222/, and http://95.182.100.231:2222/.
DOGLEASH is part of a broader UAT-7810 malware ecosystem that also includes LONGLEASH, JARLEASH, and LEASHTEST. Talos assessed UAT-7810 with high confidence as a China-nexus actor that builds and maintains ORB relay infrastructure and provides infrastructure support to other China-linked actors, including UAT-5918.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
UAT-7810 mainly targets known vulnerabilities in Ruckus wireless routers, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 | DogLeash is a C-based passive backdoor deployed via a shell script that also adds iptables rules allowing TCP traffic to a port that DogLeash binds and listens to.
UAT-7810 mainly targets known vulnerabilities in Ruckus wireless routers, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 | DogLeash is a C-based passive backdoor deployed via a shell script that also adds iptables rules allowing TCP traffic to a port that DogLeash binds and listens to.
UAT-7810 mainly targets known vulnerabilities in Ruckus wireless routers, including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 | DogLeash is a C-based passive backdoor deployed via a shell script that also adds iptables rules allowing TCP traffic to a port that DogLeash binds and listens to.
Campaigns observed earlier this year have also singled out ASUS AiCloud Routers susceptible to CVE-2025-2492, indicating potential attempts to broaden the ORB network.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
DogLeash is a C-based passive backdoor deployed via a shell script that also adds iptables rules allowing TCP traffic to a port that DogLeash binds and listens to.
12 distinct techniques documented for this family, organized by ATT&CK tactic.
90 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A C-based passive backdoor deployed by shell script. It can execute commands, read and rename files, close its socket listener, retrieve OS information, and execute code in memory.
A previously unknown backdoor that executes commands on compromised Linux devices within the actor's hijacked-device network.
A passive backdoor used by UAT-7810 on compromised Linux devices that can execute arbitrary shellcode.
A lightweight Linux backdoor that passively listens for commands and can execute shellcode or read files on compromised systems.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.