
A China‑linked APT tracked as UAT‑7810 has been observed extending its proxy relay infrastructure by deploying a newly identified piece of malware called LONGLEASH. Researchers at Cisco Talos first noted the activity in early July 2026, with the group adding fresh nodes to its Operational Relay Box network. The expansion suggests the actors are seeking to further obscure the origin of their campaigns.
The group builds its relay chain by compromising edge devices such as routers and then installing custom tools that forward traffic through multiple hops. According to reporting by Infosecurity Magazine, UAT‑7810 has previously targeted unpatched flaws in Ruckus and ASUS equipment, although no fresh CVE identifiers have been tied to this latest wave. By chaining hijacked devices, the actors can route malicious payloads while making attribution far harder for defenders.
The new LONGLEASH payload functions as a modular backdoor that can execute arbitrary commands, harvest credentials and open covert channels for data exfiltration. Alongside it, analysts have identified two related tools dubbed DOGLEASH and JARLEASH, each offering slightly different persistence mechanisms and communication protocols. Together these binaries give UAT‑7810 a flexible framework for maintaining long‑term access to compromised nodes.
Telemetry collected between 08 July 2026 09:56 UTC and 14:51 UTC shows a steady increase in the number of ORB nodes linked to the group, indicating an active expansion phase. Although the campaign does not appear to rely on any newly disclosed vulnerabilities, it continues to leverage known weaknesses in router firmware that remain unpatched in many networks. This pattern highlights how the actors prefer to recycle reliable entry points rather than chase zero day exploits.
The use of an Operational Relay Box network allows UAT‑7810 to mask the true source of its operations, complicating incident response and threat intelligence efforts. By bouncing traffic through compromised routers situated in diverse geographic locations, the group can evade simple IP‑based blocking and make attribution to a specific state sponsor more uncertain. Such tactics are increasingly favoured by actors seeking to operate under the guise of legitimate traffic.
Network administrators should prioritise firmware updates for Ruckus and ASUS devices, applying the latest security patches that address the flaws previously abused by the group. Monitoring for unusual outbound connections from internal routers to unknown external endpoints can help detect relay traffic, while disabling unused services reduces the attack surface. Enforcing strict segmentation between management interfaces and user networks limits the ability of malware to pivot laterally.
Security teams ought to hunt for indicators such as specific file hashes associated with LONGLEASH, DOGLEASH and JARLEASH, which have been shared in the Talos advisory, and update intrusion detection signatures accordingly. Sharing observed IOCs with trusted peers and participating in industry information‑exchange platforms improves collective defence against evolving proxy networks. Staying alert to changes in router behaviour and maintaining offline backups of configuration files further strengthens resilience.