<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>ASUS AiCloud Routers - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/asus-aicloud-routers/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Jul 2026 10:03:15 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/asus-aicloud-routers/feed.xml" rel="self" type="application/rss+xml"/><item><title>UAT-7810 Expands ORB Networks with New Custom Malware: LONGLEASH, DOGLEASH, and JARLEASH</title><link>https://feed.craftedsignal.io/briefs/2026-07-uat-7810-orb-networks/</link><pubDate>Tue, 07 Jul 2026 10:03:15 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-uat-7810-orb-networks/</guid><description>China-nexus APT actor UAT-7810 is actively expanding its LapDogs Operational Relay Box (ORB) network by exploiting N-day vulnerabilities in Ruckus and ASUS routers to deploy new custom malware families including LONGLEASH, DOGLEASH, and JARLEASH, enabling advanced command and control capabilities for secondary threat actors.</description><content:encoded><![CDATA[<p>Cisco Talos has identified that the China-nexus APT actor UAT-7810 continues to evolve its custom malware arsenal and expand its LapDogs Operational Relay Box (ORB) network. Since 2025, UAT-7810 has been observed exploiting N-day vulnerabilities in unpatched Ruckus wireless routers and, more recently in early 2026, ASUS AiCloud routers, to establish persistent footholds. The group has developed new malware families, including LONGLEASH (an advanced version of SHORTLEASH), DOGLEASH (a C-based backdoor for Linux devices), and JARLEASH (a JAVA-based backdoor). These tools enable UAT-7810 to establish robust command and control, proxy traffic, and create a resilient ORB network. This network is then leveraged by secondary China-nexus APT actors, such as UAT-5918, to conduct their own malicious operations against high-value targets, making the affected devices critical infrastructure for broader APT campaigns.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: UAT-7810 exploits known N-day vulnerabilities (CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, CVE-2025-2492) in unpatched Ruckus wireless routers and ASUS AiCloud routers to gain unauthorized access.</li>
<li><strong>Execution/Payload Delivery</strong>: A shell script is deployed to the compromised router, acting as an initial dropper or loader.</li>
<li><strong>Malware Download</strong>: The shell script downloads secondary malware payloads, such as DOGLEASH, LONGLEASH, or JARLEASH, from attacker-controlled servers (e.g., 194.233.92[.]26, 217.15.160[.]247, 217.15.164[.]147, 95.182.100[.]231).</li>
<li><strong>Persistence/Network Configuration</strong>: The shell script adds <code>iptables</code> rules to the compromised Linux-based device, allowing TCP traffic to a specific hardcoded port where DOGLEASH binds and listens for commands.</li>
<li><strong>Execution</strong>: DOGLEASH (a C-based ELF binary) is executed on the device, binding to its designated port. LONGLEASH (MIPS, ARM, x64 variants) or JARLEASH (JAVA-based) are also executed depending on the target architecture and operational needs.</li>
<li><strong>Command and Control (C2)</strong>: DOGLEASH listens for incoming TCP data, decodes it, and executes arbitrary shellcode. LONGLEASH, named &quot;ff-agent&quot; internally, establishes reverse shells, HTTP, DNS, SOCKS, TCP, ICMP, and UDP proxy servers, and can act as an intermediate C2 server, forwarding commands. JARLEASH provides file management, FTP, SFTP, and Netcat capabilities.</li>
<li><strong>Network Establishment</strong>: The compromised router becomes part of the LapDogs Operational Relay Box (ORB) network, providing resilient and covert infrastructure for command and control.</li>
<li><strong>Impact Operations</strong>: The established ORB network is subsequently leveraged by associated secondary threat actors to conduct their own malicious attacks, potentially involving data exfiltration, further lateral movement, or other objectives against high-value targets.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The primary impact of UAT-7810's activities is the establishment and expansion of the LapDogs Operational Relay Box (ORB) network, which serves as critical infrastructure for other China-nexus APTs. Compromised routers, specifically Ruckus wireless and ASUS AiCloud devices, are transformed into C2 nodes and traffic relays, providing anonymity and resilience for subsequent attacks. This infrastructure facilitates a wide range of malicious operations against high-value targets, including government entities, critical infrastructure, and other sensitive organizations, potentially leading to widespread data breaches, espionage, and disruption. The exact number of victims is not specified, but the continuous development of sophisticated custom malware and active exploitation of N-day vulnerabilities indicate a significant, ongoing threat aimed at enabling broad-scale APT operations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch all Ruckus wireless routers and ASUS AiCloud routers against CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, and CVE-2025-2492 to mitigate initial access vectors.</li>
<li>Block inbound and outbound connections to the observed C2/payload distribution IP addresses 194.233.92[.]26, 217.15.160[.]247, 217.15.164[.]147, and 95.182.100[.]231 at the network perimeter.</li>
<li>Deploy the Sigma rule &quot;Detect Suspicious Iptables Rule Modifications for DOGLEASH&quot; to your SIEM to identify <code>iptables</code> modifications indicative of DOGLEASH deployment on Linux-based network devices.</li>
<li>Enable comprehensive logging for process creation and command execution on all Linux-based networking devices, specifically focusing on <code>iptables</code> commands.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>apt</category><category>malware</category><category>backdoor</category><category>orb-network</category><category>router-exploitation</category><category>china-nexus</category><category>linux</category><category>embedded</category></item></channel></rss>