{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/ruckus-routers/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["UAT-7810"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Ruckus routers","ASUS routers","AirDrop","Quick Share","Tenda router firmware","Microsoft 365"],"_cs_severities":["high"],"_cs_tags":["China-nexus","APT","router-exploitation","ORB-network","backdoor","phishing-as-a-service","credential-theft","data-exfiltration","denial-of-service","n-day-vulnerability","active-exploitation"],"_cs_type":"threat","_cs_vendors":["Ruckus","ASUS","Apple","Google","Tenda","Microsoft"],"content_html":"\u003cp\u003eCisco Talos reports that the China-nexus threat actor UAT-7810 is actively expanding its Operational Relay Box (ORB) networks, which began around 2026, by exploiting known vulnerabilities in unpatched Ruckus and ASUS routers. This campaign involves the deployment of new custom malware, specifically the upgraded \u0026quot;LONGLEASH\u0026quot; and \u0026quot;DOGLEASH\u0026quot; backdoors, to establish covert infrastructure used by other APT groups to mask their origins and launch attacks against high-value targets. This brief also highlights other significant threats: the \u0026quot;ARToken\u0026quot; Phishing-as-a-Service platform targeting Microsoft 365 for credential theft and data exfiltration, critical vulnerabilities in Apple's AirDrop and Google's Quick Share allowing nearby attackers to crash services, and a hidden authentication backdoor discovered in Tenda router firmware granting administrative access. The continuous development of sophisticated, multi-platform tools by UAT-7810 underscores their investment in resilient and evasive infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUAT-7810 identifies and exploits known, unpatched vulnerabilities in internet-facing Ruckus and ASUS routers.\u003c/li\u003e\n\u003cli\u003eUpon successful exploitation, the threat actor gains unauthorized access and deploys custom malware, including \u0026quot;LONGLEASH\u0026quot; and \u0026quot;DOGLEASH\u0026quot; backdoors, onto the compromised router.\u003c/li\u003e\n\u003cli\u003eThe compromised routers are integrated into UAT-7810's Operational Relay Box (ORB) network, establishing a covert, decentralized proxy infrastructure.\u003c/li\u003e\n\u003cli\u003eThe ORB network is then utilized to mask the true origin of subsequent malicious traffic, significantly enhancing attacker anonymity and evasion.\u003c/li\u003e\n\u003cli\u003eMalicious traffic from various APT groups is routed through these seemingly innocuous ORB nodes, bypassing traditional perimeter defenses.\u003c/li\u003e\n\u003cli\u003eUAT-7810 provides this resilient infrastructure to other APT groups, enabling them to launch sophisticated, evasive attacks.\u003c/li\u003e\n\u003cli\u003eThese secondary threat actors leverage the ORB network to target high-value organizations for intelligence gathering, espionage, or other objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe expansion of UAT-7810's ORB networks creates significant blind spots for defenders, allowing other APTs to mask their origins and route malicious traffic through seemingly benign infrastructure. This directly bypasses traditional perimeter defenses, making attribution and mitigation extremely difficult. If successful, organizations face severe consequences including data exfiltration, persistent unauthorized access, and potential further compromise from other APTs leveraging this infrastructure. Additionally, the ARToken Phishing-as-a-Service platform threatens Microsoft 365 users with widespread credential theft, email access, BEC operations, and SharePoint exfiltration, while AirDrop and Quick Share flaws can lead to denial-of-service on user devices, and the Tenda router backdoor grants full administrative control over network edge devices.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure all edge devices, specifically Ruckus and ASUS routers, are fully patched against known vulnerabilities that UAT-7810 exploits.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual proxying behavior or unauthorized connections on devices that typically lack complex services, leveraging insights from the Talos blog post on UAT-7810.\u003c/li\u003e\n\u003cli\u003eBlock the provided malware SHA256 hashes (e.g., \u003ccode\u003e9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507\u003c/code\u003e) at endpoint security solutions and network gateways.\u003c/li\u003e\n\u003cli\u003eImplement robust phishing detection and user education against sophisticated campaigns like those facilitated by the ARToken platform, focusing on Microsoft 365 environments.\u003c/li\u003e\n\u003cli\u003eApply security updates to Apple and Google devices to mitigate AirDrop and Quick Share vulnerabilities that could lead to crashes.\u003c/li\u003e\n\u003cli\u003eVerify firmware integrity and update Tenda routers to patched versions or consider alternative devices if no fix is available, given the hidden backdoor allows administrative access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T18:01:50Z","date_published":"2026-07-09T18:01:50Z","id":"https://feed.craftedsignal.io/briefs/2026-07-uat-7810-orb-networks-and-multi-threats/","summary":"The China-nexus threat actor UAT-7810 is expanding its Operational Relay Box (ORB) networks by exploiting known vulnerabilities in unpatched Ruckus and ASUS routers to deploy custom backdoors like LONGLEASH and DOGLEASH, while other threats include the ARToken Phishing-as-a-Service platform targeting Microsoft 365, critical flaws in AirDrop/Quick Share, and a backdoor in Tenda router firmware.","title":"UAT-7810 Expands ORB Networks with New Malware; ARToken Phishing-as-a-Service and Device Vulnerabilities Highlighted","url":"https://feed.craftedsignal.io/briefs/2026-07-uat-7810-orb-networks-and-multi-threats/"}],"language":"en","title":"CraftedSignal Threat Feed - Ruckus Routers","version":"https://jsonfeed.org/version/1.1"}