UAT-7810, a Chinese APT group, is actively expanding its ORB (Operational Relay Box) network by deploying new malware called LONGLEASH to compromise internet-facing networking devices. Cisco Talos researchers identified the group as responsible for maintaining LapDogs, an ORB infrastructure first discovered in June 2025.
ORB networks function as intermediary command-and-control systems, allowing threat actors to mask their true origin and maintain persistent access to compromised networks. By targeting edge devices like routers and firewalls, UAT-7810 gains entry points that are often less heavily monitored than traditional endpoints.
LONGLEASH represents an evolution of UAT-7810's toolkit. The malware specifically targets internet-facing networking devices, which typically handle organizational traffic flows and serve as trust boundaries. Once compromised, these devices become nodes in the LapDogs network, creating distributed relay infrastructure for launching secondary attacks or harvesting data.
The group's focus on networking hardware reflects a strategic approach to establishing persistent footholds. Unlike endpoint malware that security teams actively hunt, compromised routers and firewalls often remain undetected for extended periods. Network devices also provide visibility into all traffic passing through them, making them valuable for espionage operations.
Organizations running internet-facing networking equipment face direct risk from this campaign. Administrative interfaces on routers, switches, and firewalls frequently suffer from weak credential hygiene or known vulnerabilities. UAT-7810 likely exploits both configuration weaknesses and unpatched CVEs to establish initial access.
The LapDogs network demonstrates how Chinese APT actors prioritize infrastructure resilience. Rather than relying on traditional compromised servers, relay networks distribute command-and-control functions across multiple device types, complicating takedown efforts.
Defense teams should immediately audit internet-facing
