Cisco Talos has uncovered continued development and operational activity from the threat actor tracked as UAT-7810. This group, known for compromising networking devices to build operational relay box (ORB) networks for anonymizing their traffic, has expanded its malware toolkit. Researchers have identified a new version of the SHORTLEASH backdoor, now dubbed LONGLEASH, as well as two entirely new malware families: a C-based backdoor named DOGLEASH and a Java-based backdoor named JARLEASH. This evolution demonstrates the actor's commitment to enhancing its capabilities and expanding its network of compromised devices, which includes various hardware platforms and routers like those from ASUS.
UAT-7810's methodology involves scanning for and exploiting vulnerabilities in internet-facing networking devices to implant its backdoors. Once a device is compromised, it becomes part of the ORB network.
Talos identified four new servers used by UAT-7810 to host these malware payloads. These servers act as download cradles for newly compromised devices. Analysis of this infrastructure linked one of the IP addresses to the exploitation of CVE-2025-2492 in ASUS AiCloud Routers, confirming the actor's TTP of exploiting public-facing vulnerabilities (T1190 - Exploit Public-Facing Application).
The expansion of UAT-7810's ORB network poses a significant threat. By routing their attacks through a distributed network of compromised home and business routers, the threat actor can:
The following IP addresses were identified as hosting malicious payloads for UAT-7810:
194.233.92.26217.15.160.247217.15.164.14795.182.100.231Security teams may want to hunt for the following patterns to detect UAT-7810 activity:
Outbound connections to known UAT-7810 IPsUnsigned binaries in /tmp or /var/tmpRouter/Firewall logscron jobs).CVE-2025-2492. Reference MITRE M1051 - Update Software.Regularly updating firmware on networking devices is crucial to prevent exploitation of known vulnerabilities.
Mapped D3FEND Techniques:
Do not expose device management interfaces to the internet. Restrict access to a trusted internal network.
Mapped D3FEND Techniques:
Change all default credentials on networking devices and enforce the use of strong, unique passwords.
To detect and block the C2 communications of malware like LONGLEASH and DOGLEASH, organizations should implement strict Outbound Traffic Filtering. This involves creating firewall rules that block all outbound connections from network devices (routers, switches, IoT) to the internet by default. A specific allowlist should then be created for necessary traffic, such as NTP or vendor update servers. More importantly, threat intelligence feeds containing known malicious IPs, like the ones identified for UAT-7810, should be ingested into the firewall to create an explicit blocklist. Any attempted connection from an internal device to an IP on this list should trigger a high-priority alert, indicating a likely compromise.
The primary initial access vector for actors like UAT-7810 is the exploitation of known vulnerabilities in networking equipment, such as CVE-2025-2492 in ASUS routers. The most effective defense is a rigorous Software Update program for all network infrastructure. This requires maintaining a complete inventory of all internet-facing devices, actively monitoring vendor security advisories, and establishing a process for promptly testing and deploying firmware updates. For critical vulnerabilities, emergency patching procedures should be in place. Automating this process where possible can help ensure that the window of opportunity for attackers is minimized. This preventative measure is far more effective than trying to detect and respond to a compromise after it has occurred.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.