Chinese Hackers Deploy LONGLEASH Malware to Expand Covert ORB Network
Chinese-Linked Threat Group Expands Covert ORB Network Using Novel LONGLEASH Malware
Key Details of LONGLEASH Malware
Cybersecurity analysts have identified a newly developed malware variant called LONGLEASH, attributed to the China-associated threat actor UAT-7810, which is being utilized to extend a hidden Operational Relay Box (ORB) infrastructure by infiltrating internet-connected networking hardware.
ORB Network and Attack Techniques
A report from Cisco Talos details that this campaign focuses on unpatched Ruckus and ASUS AiCloud routers. The ORB network operates as a secure intermediary framework, allowing China-aligned Advanced Persistent Threat (APT) groups to reroute malicious traffic through compromised regional devices. This technique obscures the origin of attacks, complicating detection and attribution efforts.
Evolution of LONGLEASH
Cisco Talos confirmed that LONGLEASH represents an enhanced iteration of the previously documented SHORTLEASH backdoor. Beyond existing functionalities such as command-and-control (C2) operations, web server interactions, and network tunneling, the updated malware introduces reverse shell capabilities, support for HTTP, DNS, SOCKS, TCP, ICMP, and UDP proxying, SMTP client and server operations, TLS and PKI integration, self-removal protocols, and the capacity to function as an intermediate C2 server between compromised systems.
Vulnerabilities Exploited
Attackers achieve initial access by exploiting documented vulnerabilities in exposed devices. These include CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 affecting Ruckus routers, alongside CVE-2025-2492 impacting ASUS AiCloud routers.
Supplementary Tools Deployed
Researchers also detected three supplementary tools deployed alongside LONGLEASH: DOGLEASH, JARLEASH, and LEASHTEST.
- DOGLEASH is a minimal Linux backdoor enabling remote command execution, file access, system data retrieval, and in-memory code execution via web shell deployment.
- JARLEASH serves as a Java-based administrative tool offering web-based file management, along with FTP, SFTP, and Netcat server functionalities.
- LEASHTEST evaluates compatibility of MIPS-based IoT devices with malware operations, aiding attackers in optimizing deployment strategies.
Expert Analysis and Recommendations
A security expert from Algoritha Security noted that LONGLEASH highlights the increasing complexity of cyber-espionage campaigns, where adversaries are constructing robust, scalable malware ecosystems to sustain extensive covert infrastructures rather than focusing solely on data exfiltration. The expert recommended organizations prioritize immediate patch application, continuous surveillance of internet-facing routers and IoT devices, and prompt remediation of identified vulnerabilities.
Cisco Talos Observations
Cisco Talos emphasized that UAT-7810 is actively expanding its ORB infrastructure by replacing the older SHORTLEASH malware with the more advanced LONGLEASH variant while simultaneously diversifying its malware arsenal. The research team has released Indicators of Compromise (IoCs) to assist security teams in identifying potential infections and reinforcing defensive measures.
