Skip to content
Threat Feed
high threat

UAT-7810 Expands ORB Networks with New Malware; ARToken Phishing-as-a-Service and Device Vulnerabilities Highlighted

The China-nexus threat actor UAT-7810 is expanding its Operational Relay Box (ORB) networks by exploiting known vulnerabilities in unpatched Ruckus and ASUS routers to deploy custom backdoors like LONGLEASH and DOGLEASH, while other threats include the ARToken Phishing-as-a-Service platform targeting Microsoft 365, critical flaws in AirDrop/Quick Share, and a backdoor in Tenda router firmware.

Cisco Talos reports that the China-nexus threat actor UAT-7810 is actively expanding its Operational Relay Box (ORB) networks, which began around 2026, by exploiting known vulnerabilities in unpatched Ruckus and ASUS routers. This campaign involves the deployment of new custom malware, specifically the upgraded "LONGLEASH" and "DOGLEASH" backdoors, to establish covert infrastructure used by other APT groups to mask their origins and launch attacks against high-value targets. This brief also highlights other significant threats: the "ARToken" Phishing-as-a-Service platform targeting Microsoft 365 for credential theft and data exfiltration, critical vulnerabilities in Apple's AirDrop and Google's Quick Share allowing nearby attackers to crash services, and a hidden authentication backdoor discovered in Tenda router firmware granting administrative access. The continuous development of sophisticated, multi-platform tools by UAT-7810 underscores their investment in resilient and evasive infrastructure.

Attack Chain

  1. UAT-7810 identifies and exploits known, unpatched vulnerabilities in internet-facing Ruckus and ASUS routers.
  2. Upon successful exploitation, the threat actor gains unauthorized access and deploys custom malware, including "LONGLEASH" and "DOGLEASH" backdoors, onto the compromised router.
  3. The compromised routers are integrated into UAT-7810's Operational Relay Box (ORB) network, establishing a covert, decentralized proxy infrastructure.
  4. The ORB network is then utilized to mask the true origin of subsequent malicious traffic, significantly enhancing attacker anonymity and evasion.
  5. Malicious traffic from various APT groups is routed through these seemingly innocuous ORB nodes, bypassing traditional perimeter defenses.
  6. UAT-7810 provides this resilient infrastructure to other APT groups, enabling them to launch sophisticated, evasive attacks.
  7. These secondary threat actors leverage the ORB network to target high-value organizations for intelligence gathering, espionage, or other objectives.

Impact

The expansion of UAT-7810's ORB networks creates significant blind spots for defenders, allowing other APTs to mask their origins and route malicious traffic through seemingly benign infrastructure. This directly bypasses traditional perimeter defenses, making attribution and mitigation extremely difficult. If successful, organizations face severe consequences including data exfiltration, persistent unauthorized access, and potential further compromise from other APTs leveraging this infrastructure. Additionally, the ARToken Phishing-as-a-Service platform threatens Microsoft 365 users with widespread credential theft, email access, BEC operations, and SharePoint exfiltration, while AirDrop and Quick Share flaws can lead to denial-of-service on user devices, and the Tenda router backdoor grants full administrative control over network edge devices.

Recommendation

  • Ensure all edge devices, specifically Ruckus and ASUS routers, are fully patched against known vulnerabilities that UAT-7810 exploits.
  • Monitor network traffic for unusual proxying behavior or unauthorized connections on devices that typically lack complex services, leveraging insights from the Talos blog post on UAT-7810.
  • Block the provided malware SHA256 hashes (e.g., 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507) at endpoint security solutions and network gateways.
  • Implement robust phishing detection and user education against sophisticated campaigns like those facilitated by the ARToken platform, focusing on Microsoft 365 environments.
  • Apply security updates to Apple and Google devices to mitigate AirDrop and Quick Share vulnerabilities that could lead to crashes.
  • Verify firmware integrity and update Tenda routers to patched versions or consider alternative devices if no fix is available, given the hidden backdoor allows administrative access.

Indicators of compromise

4

hash_md5

4

hash_sha256

TypeValue
hash_sha2569f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
hash_md52915b3f8b703eb744fc54c81f4a9c67f
hash_sha256621c6d42409e8aa423684827b4375a35684c71c600f2dd9101f235e8ec633488
hash_md59b512ba139304c247ddd3d2c4b9179fd
hash_sha2569896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f
hash_md538de5b216c33833af710e88f7f64fc98
hash_sha256afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638
hash_md5cc4d231df34e57f59eb970353c7d9de2