Cisco Talos: UAT-7810 Evolves ORB Network with New Custom Malware for MIPS, ARM, and x64 Devices

Threat Actor UAT-7810 Expands Arsenal with New Backdoors: LONGLEASH, DOGLEASH, and JARLEASH

HIGH
July 8, 2026
5m read
Threat ActorMalwareThreat Intelligence

Related Entities

Threat Actors

UAT-7810

Organizations

Products & Tech

ASUS AiCloud

Other

SHORTLEASHLONGLEASHDOGLEASHJARLEASH

CVE Identifiers

Full Report

Executive Summary

Cisco Talos has uncovered continued development and operational activity from the threat actor tracked as UAT-7810. This group, known for compromising networking devices to build operational relay box (ORB) networks for anonymizing their traffic, has expanded its malware toolkit. Researchers have identified a new version of the SHORTLEASH backdoor, now dubbed LONGLEASH, as well as two entirely new malware families: a C-based backdoor named DOGLEASH and a Java-based backdoor named JARLEASH. This evolution demonstrates the actor's commitment to enhancing its capabilities and expanding its network of compromised devices, which includes various hardware platforms and routers like those from ASUS.


Threat Overview

  • Threat Actor: UAT-7810
  • Objective: To build and maintain a network of compromised networking devices (ORB network) to use as proxies for hiding malicious traffic and launching attacks.
  • Malware Arsenal:
    • SHORTLEASH: The original backdoor used by the group.
    • LONGLEASH: An updated, newer version of the SHORTLEASH backdoor.
    • DOGLEASH: A new, previously unknown C-based backdoor.
    • JARLEASH: A new, previously unknown Java-based backdoor.
  • Targeted Platforms: The malware is designed for cross-platform compatibility, with variants for MIPS, ARM, and x64 architectures, which are common in routers, IoT devices, and servers.

Technical Analysis

UAT-7810's methodology involves scanning for and exploiting vulnerabilities in internet-facing networking devices to implant its backdoors. Once a device is compromised, it becomes part of the ORB network.

Malware Details

  • LONGLEASH: As an evolution of SHORTLEASH, this backdoor likely includes enhanced persistence mechanisms, improved C2 communication protocols, and anti-analysis features.
  • DOGLEASH: Being C-based, this backdoor is likely compiled for various architectures (MIPS, ARM) to target a wide range of embedded devices and routers. It probably provides standard backdoor functionality like remote shell access and file transfer.
  • JARLEASH: The use of Java indicates the actor is also targeting devices and servers with a Java runtime environment. Java-based malware offers high portability across different operating systems.

Infrastructure

Talos identified four new servers used by UAT-7810 to host these malware payloads. These servers act as download cradles for newly compromised devices. Analysis of this infrastructure linked one of the IP addresses to the exploitation of CVE-2025-2492 in ASUS AiCloud Routers, confirming the actor's TTP of exploiting public-facing vulnerabilities (T1190 - Exploit Public-Facing Application).

Impact Assessment

The expansion of UAT-7810's ORB network poses a significant threat. By routing their attacks through a distributed network of compromised home and business routers, the threat actor can:

  • Obfuscate Their Origin: Make it extremely difficult for defenders and law enforcement to trace attacks back to the source infrastructure.
  • Launch Attacks at Scale: Use the combined bandwidth of the ORB network to conduct DDoS attacks or large-scale scanning.
  • Bypass Geofencing: Launch attacks that appear to originate from legitimate residential or corporate IP addresses, bypassing IP-based blocklists and security controls.

IOCs — Directly from Articles

The following IP addresses were identified as hosting malicious payloads for UAT-7810:

Type
ip_address_v4
Value
194.233.92.26
Description
VPS used as a malware download server.
Type
ip_address_v4
Value
217.15.160.247
Description
VPS used as a malware download server.
Type
ip_address_v4
Value
217.15.164.147
Description
VPS used as a malware download server. Linked to exploitation of CVE-2025-2492.
Type
ip_address_v4
Value
95.182.100.231
Description
Identified via forensics on a compromised device. Located in Hong Kong.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns to detect UAT-7810 activity:

Type
network_traffic_pattern
Value
Outbound connections to known UAT-7810 IPs
Description
Monitor for any traffic from your network, especially from routers or IoT devices, to the IOC IPs listed above.
Type
process_name
Value
Unsigned binaries in /tmp or /var/tmp
Description
On Linux-based devices, look for unknown, unsigned executables running from temporary directories.
Type
command_line_pattern
Value
`curl [IP]/payload
Description
sh`
Type
log_source
Value
Router/Firewall logs
Description
Look for signs of compromise, such as unauthorized configuration changes, new firewall rules, or unexpected reboots.

Detection & Response

  1. Network Traffic Monitoring: Ingest firewall and NetFlow logs into a SIEM. Create rules to alert on any communication with the known UAT-7810 C2 IPs. Pay close attention to traffic originating from network infrastructure devices.
  2. Firmware Integrity: For critical networking devices, periodically check the integrity of the running firmware against the vendor's official versions to detect unauthorized modifications.
  3. Endpoint Monitoring on Devices: Where possible (e.g., on Linux-based routers with shell access), monitor for suspicious running processes, unexpected open ports, and unauthorized scheduled tasks (cron jobs).

Mitigation

  1. Patch Management for Network Devices (D3-SU: Software Update): The primary defense is to ensure all internet-facing networking devices (routers, firewalls, VPN concentrators) are running the latest firmware versions. This mitigates the initial access vector of exploiting known vulnerabilities like CVE-2025-2492. Reference MITRE M1051 - Update Software.
  2. Restrict Management Interface Access: The management interfaces of all networking devices should not be exposed to the internet. Access should be restricted to an internal, trusted management network. Reference MITRE M1035 - Limit Access to Resource Over Network.
  3. Change Default Credentials: Immediately change any default administrator passwords on networking devices. Use strong, unique passwords for each device. Reference MITRE M1027 - Password Policies.

Timeline of Events

1
July 8, 2026
This article was published

MITRE ATT&CK Mitigations

Regularly updating firmware on networking devices is crucial to prevent exploitation of known vulnerabilities.

Mapped D3FEND Techniques:

Do not expose device management interfaces to the internet. Restrict access to a trusted internal network.

Mapped D3FEND Techniques:

Change all default credentials on networking devices and enforce the use of strong, unique passwords.

Mapped D3FEND Techniques:

D3FEND Defensive Countermeasures

To detect and block the C2 communications of malware like LONGLEASH and DOGLEASH, organizations should implement strict Outbound Traffic Filtering. This involves creating firewall rules that block all outbound connections from network devices (routers, switches, IoT) to the internet by default. A specific allowlist should then be created for necessary traffic, such as NTP or vendor update servers. More importantly, threat intelligence feeds containing known malicious IPs, like the ones identified for UAT-7810, should be ingested into the firewall to create an explicit blocklist. Any attempted connection from an internal device to an IP on this list should trigger a high-priority alert, indicating a likely compromise.

The primary initial access vector for actors like UAT-7810 is the exploitation of known vulnerabilities in networking equipment, such as CVE-2025-2492 in ASUS routers. The most effective defense is a rigorous Software Update program for all network infrastructure. This requires maintaining a complete inventory of all internet-facing devices, actively monitoring vendor security advisories, and establishing a process for promptly testing and deploying firmware updates. For critical vulnerabilities, emergency patching procedures should be in place. Automating this process where possible can help ensure that the window of opportunity for attackers is minimized. This preventative measure is far more effective than trying to detect and respond to a compromise after it has occurred.

Sources & References

UAT-7810 continues building ORB networks using new malware
Cisco Talos (talosintelligence.com) July 7, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

UAT-7810Cisco TalosMalwareBackdoorLONGLEASHDOGLEASHJARLEASHORB Network

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.