Multiple reports say a China-linked threat actor tracked as UAT-7810 is expanding its Operational Relay Box (ORB) network by developing and deploying new malware dubbed LONGLEASH. Cisco Talos reports that UAT-7810 is an advanced persistent threat (APT) actor that is maintaining and proliferating “LapDogs,” an ORB network first identified in June 2025. The activity described focuses on compromising internet-facing networking devices to extend access and relay capabilities associated with the ORB infrastructure.
Bleeping Computer similarly reports that UAT-7810 evolves LONGLEASH malware to broaden its ORB network and relies on attacks against externally reachable network equipment. It specifically highlights compromised unpatched Ruckus routers as a primary target in the observed activity. Both accounts describe the malware development and use as part of ongoing efforts to refine the ORB operation rather than a one-time intrusion.
The reports align on the actor attribution, the purpose of the malware (expanding the ORB network), and the general targeting of internet-exposed networking devices, with Ruckus routers emphasized in at least one outlet’s detail.