{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3oruckuswirelessscg200_firmware/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["UAT-7810"],"_cs_cpes":["cpe:2.3:o:ruckuswireless:r310_firmware:10.5.1.0.199:*:*:*:*:*:*:*","cpe:2.3:o:ruckuswireless:r500_firmware:10.5.1.0.199:*:*:*:*:*:*:*","cpe:2.3:o:ruckuswireless:r600_firmware:10.5.1.0.199:*:*:*:*:*:*:*","cpe:2.3:o:ruckuswireless:t300_firmware:10.5.1.0.199:*:*:*:*:*:*:*","cpe:2.3:o:ruckuswireless:t301n_firmware:10.5.1.0.199:*:*:*:*:*:*:*","cpe:2.3:o:ruckuswireless:t301s_firmware:10.5.1.0.199:*:*:*:*:*:*:*","cpe:2.3:o:ruckuswireless:scg200_firmware:*:*:*:*:*:*:*:*","cpe:2.3:o:ruckuswireless:sz-100_firmware:*:*:*:*:*:*:*:*","cpe:2.3:o:ruckuswireless:sz-300_firmware:*:*:*:*:*:*:*:*","cpe:2.3:o:ruckuswireless:vsz_firmware:*:*:*:*:*:*:*:*","cpe:2.3:o:ruckuswireless:zonedirector_1100_firmware:9.10.2.0.130:*:*:*:*:*:*:*","cpe:2.3:o:ruckuswireless:zonedirector_1200_firmware:10.2.1.0.218:*:*:*:*:*:*:*","cpe:2.3:o:ruckuswireless:zonedirector_3000_firmware:10.2.1.0.218:*:*:*:*:*:*:*","cpe:2.3:o:ruckuswireless:zonedirector_5000_firmware:10.0.1.0.151:*:*:*:*:*:*:*","cpe:2.3:a:ruckuswireless:ruckus_wireless_admin:*:*:*:*:*:*:*:*","cpe:2.3:o:ruckuswireless:smartzone_ap:*:*:*:*:*:*:*:*","cpe:2.3:o:commscope:ruckus_smartzone_firmware:*:*:*:*:*:*:*:*","cpe:2.3:o:commscope:ruckus_smartzone_firmware:6.1.0.0.935:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":9.8,"id":"CVE-2020-22653"},{"cvss":9.8,"id":"CVE-2020-22658"},{"cvss":9.8,"id":"CVE-2023-25717"},{"id":"CVE-2025-2492"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Ruckus Wireless Routers","ASUS AiCloud Routers"],"_cs_severities":["high"],"_cs_tags":["apt","malware","backdoor","orb-network","router-exploitation","china-nexus","linux","embedded"],"_cs_type":"threat","_cs_vendors":["Ruckus","ASUS"],"content_html":"\u003cp\u003eCisco Talos has identified that the China-nexus APT actor UAT-7810 continues to evolve its custom malware arsenal and expand its LapDogs Operational Relay Box (ORB) network. Since 2025, UAT-7810 has been observed exploiting N-day vulnerabilities in unpatched Ruckus wireless routers and, more recently in early 2026, ASUS AiCloud routers, to establish persistent footholds. The group has developed new malware families, including LONGLEASH (an advanced version of SHORTLEASH), DOGLEASH (a C-based backdoor for Linux devices), and JARLEASH (a JAVA-based backdoor). These tools enable UAT-7810 to establish robust command and control, proxy traffic, and create a resilient ORB network. This network is then leveraged by secondary China-nexus APT actors, such as UAT-5918, to conduct their own malicious operations against high-value targets, making the affected devices critical infrastructure for broader APT campaigns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: UAT-7810 exploits known N-day vulnerabilities (CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, CVE-2025-2492) in unpatched Ruckus wireless routers and ASUS AiCloud routers to gain unauthorized access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution/Payload Delivery\u003c/strong\u003e: A shell script is deployed to the compromised router, acting as an initial dropper or loader.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalware Download\u003c/strong\u003e: The shell script downloads secondary malware payloads, such as DOGLEASH, LONGLEASH, or JARLEASH, from attacker-controlled servers (e.g., 194.233.92[.]26, 217.15.160[.]247, 217.15.164[.]147, 95.182.100[.]231).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence/Network Configuration\u003c/strong\u003e: The shell script adds \u003ccode\u003eiptables\u003c/code\u003e rules to the compromised Linux-based device, allowing TCP traffic to a specific hardcoded port where DOGLEASH binds and listens for commands.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution\u003c/strong\u003e: DOGLEASH (a C-based ELF binary) is executed on the device, binding to its designated port. LONGLEASH (MIPS, ARM, x64 variants) or JARLEASH (JAVA-based) are also executed depending on the target architecture and operational needs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control (C2)\u003c/strong\u003e: DOGLEASH listens for incoming TCP data, decodes it, and executes arbitrary shellcode. LONGLEASH, named \u0026quot;ff-agent\u0026quot; internally, establishes reverse shells, HTTP, DNS, SOCKS, TCP, ICMP, and UDP proxy servers, and can act as an intermediate C2 server, forwarding commands. JARLEASH provides file management, FTP, SFTP, and Netcat capabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNetwork Establishment\u003c/strong\u003e: The compromised router becomes part of the LapDogs Operational Relay Box (ORB) network, providing resilient and covert infrastructure for command and control.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact Operations\u003c/strong\u003e: The established ORB network is subsequently leveraged by associated secondary threat actors to conduct their own malicious attacks, potentially involving data exfiltration, further lateral movement, or other objectives against high-value targets.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of UAT-7810's activities is the establishment and expansion of the LapDogs Operational Relay Box (ORB) network, which serves as critical infrastructure for other China-nexus APTs. Compromised routers, specifically Ruckus wireless and ASUS AiCloud devices, are transformed into C2 nodes and traffic relays, providing anonymity and resilience for subsequent attacks. This infrastructure facilitates a wide range of malicious operations against high-value targets, including government entities, critical infrastructure, and other sensitive organizations, potentially leading to widespread data breaches, espionage, and disruption. The exact number of victims is not specified, but the continuous development of sophisticated custom malware and active exploitation of N-day vulnerabilities indicate a significant, ongoing threat aimed at enabling broad-scale APT operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all Ruckus wireless routers and ASUS AiCloud routers against CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, and CVE-2025-2492 to mitigate initial access vectors.\u003c/li\u003e\n\u003cli\u003eBlock inbound and outbound connections to the observed C2/payload distribution IP addresses 194.233.92[.]26, 217.15.160[.]247, 217.15.164[.]147, and 95.182.100[.]231 at the network perimeter.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Suspicious Iptables Rule Modifications for DOGLEASH\u0026quot; to your SIEM to identify \u003ccode\u003eiptables\u003c/code\u003e modifications indicative of DOGLEASH deployment on Linux-based network devices.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive logging for process creation and command execution on all Linux-based networking devices, specifically focusing on \u003ccode\u003eiptables\u003c/code\u003e commands.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T10:03:15Z","date_published":"2026-07-07T10:03:15Z","id":"https://feed.craftedsignal.io/briefs/2026-07-uat-7810-orb-networks/","summary":"China-nexus APT actor UAT-7810 is actively expanding its LapDogs Operational Relay Box (ORB) network by exploiting N-day vulnerabilities in Ruckus and ASUS routers to deploy new custom malware families including LONGLEASH, DOGLEASH, and JARLEASH, enabling advanced command and control capabilities for secondary threat actors.","title":"UAT-7810 Expands ORB Networks with New Custom Malware: LONGLEASH, DOGLEASH, and JARLEASH","url":"https://feed.craftedsignal.io/briefs/2026-07-uat-7810-orb-networks/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpe:2.3:o:ruckuswireless:scg200_firmware:*:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}