Expansion of Cyber Threat: China-Linked Hacking Group Develops Sophisticated Infrastructure
A detailed investigation has revealed that a hacking group linked to China is significantly enhancing its capabilities by expanding a network of hijacked devices designed to mask cyber-attacks. Researchers from Cisco Talos discovered several newly developed pieces of custom malware that this group employs to bolster their operations. The group in question is classified as UAT-7810, recognized as an advanced persistent threat (APT) and monitored for its increasingly sophisticated methodologies.
Cisco Talos has linked high confidence to the assertion that UAT-7810 is inherently connected to Chinese cyber operations. The group has established an intricate web of compromised devices known as Operational Relay Box (ORB) networks. These compromised routers and networked devices serve a dual purpose: they are rented out to other hackers who utilize them to obscure the origins of their cyber activities. By employing this strategy, UAT-7810 has created a lucrative infrastructure that facilitates various illicit operations in the cyber realm.
The Role of Relay Networks
UAT-7810 has maintained a long-standing ORB network referred to as LapDogs, which was first disclosed in 2025. The primary function of this network is to create an operational backbone not only for itself but also for other hacking entities. With its ability to commandeer a substantial number of devices, the group allows other China-linked APT factions to route their operations through this relay network. This strategy enables them to conduct espionage against high-value targets without revealing their actual locations or identities.
To expand this network further, UAT-7810 has been infiltrating edge devices—such as routers—by exploiting known vulnerabilities that remain unpatched. This method relies on the unfortunate reality that many organizations neglect to apply necessary updates and fixes to their hardware systems promptly. Researchers note that the group has specifically targeted flaws in Ruckus wireless routers since as early as 2025, and more recently, it has turned its focus towards exploiting vulnerabilities in ASUS routers to incorporate even more devices into its network.
Advancements in Malware
In addition to expanding its network, Talos has uncovered significant advancements in the malware toolkit employed by UAT-7810. The group is reportedly developing a new and improved backdoor known as LONGLEASH, which represents a refined evolution of a previous tool. This upgraded malware comes equipped with proxying features, allowing it to relay commands between infected machines efficiently. The capability to manage and execute commands remotely adds a new layer of complexity and effectiveness to their cyber operations.
Moreover, Talos identified two new backdoors that had not been previously documented. One, named DOGLEASH, enables the hackers to execute commands on compromised Linux devices, while the other, a Java-based tool called JARLEASH, is designed for managing the group’s server operations. The presence of comments written in Simplified Chinese within a configuration file associated with JARLEASH strongly suggests that the operators are Chinese-speaking individuals, thus reinforcing the attribution of this cyber-activity to Chinese hackers.
Continuous Refinement and Activity
The nature of UAT-7810’s operations indicates a focus on continuous refinement and development of their hacking tools. Talos’s findings reveal that the group is not only active but is also persistently evolving its methodologies to adapt to technological advancements. The researchers discovered a test program aimed at MIPS-based devices, highlighting the group’s commitment to refining its arsenal for the diverse hardware landscape that constitutes its network.
The overarching implications of these findings underscore a growing cyber threat that stakeholders across various sectors, especially in the United States and Asia, should take seriously. By establishing such a robust and expansive infrastructure, UAT-7810 and similar groups pose significant risks to national security and corporate interests.
As organizations become increasingly reliant on technology, the urgency for them to remain vigilant against these evolving threats cannot be overstated. Updating systems regularly, fortifying network defenses, and maintaining awareness of potential vulnerabilities are crucial steps in mitigating the risks posed by groups like UAT-7810. As the cyber landscape continues to evolve, so too must the strategies employed by those seeking to defend against such sophisticated threats.

