A Chinese APT group is upgrading its malware to hijack routers and expand a hidden relay network. Learn how it works and how to protect your network.
A Chinese threat actor known as UAT-7810 is stepping up its game. This group is actively refining custom malware to break into internet-connected networking devices, expanding a hidden network called the Operational Relay Box (ORB). Think of it like a secret tunnel system that lets them move data without being seen.
According to Cisco Talos, UAT-7810 is an advanced persistent threat (APT) actor. They're the ones behind LapDogs, an ORB network that first popped up in June 2025. Since then, they've been busy upgrading their tools to infect more devices and stay one step ahead of defenders.
### What Is an ORB Network?
An ORB network is basically a botnet made up of compromised routers, switches, and other networking gear. Instead of using regular servers, attackers bounce their traffic through these hijacked devices. It makes them hard to track because the traffic looks like it's coming from a normal home or office router. For cybersecurity professionals, this is a nightmare to detect and shut down.
### How Does the New Malware Work?
The new malware, dubbed LONGLEASH, is designed specifically to infect internet-facing networking devices. Once inside, it gives the attackers remote control over the device. They can steal data, launch attacks on other systems, or just use the device as a relay point. The malware is constantly being updated to evade antivirus programs and firewalls.
- Targets routers, switches, and other edge devices
- Uses stealth techniques to avoid detection
- Can be updated remotely by the attackers
- Turns the device into a relay for malicious traffic
### Why Should You Care?
If you're running a business in the United States, this is a big deal. Many companies have networking devices that are exposed to the internet—like VPN concentrators, firewalls, and managed switches. If one of those gets infected, attackers could spy on your network traffic, steal login credentials, or launch attacks from your IP address. That could get you in trouble with law enforcement or hurt your reputation.
### What Can You Do?
Here's the good news: there are steps you can take to protect your network.
- **Keep firmware updated.** Manufacturers often release patches for known vulnerabilities. Apply them as soon as possible.
- **Change default passwords.** Don't leave your devices with admin/admin as the login.
- **Disable remote management.** If you don't need to access the device from outside your network, turn off that feature.
- **Monitor for unusual traffic.** Look for devices that are sending data to unknown IP addresses.
### The Bigger Picture
This isn't just one group. UAT-7810 is part of a larger trend where state-sponsored hackers are targeting networking gear. It's a cheap and effective way to build a massive attack platform. And because the devices are often forgotten about, they can stay infected for months or even years.
For cybersecurity pros, staying on top of these threats means constant vigilance. But by understanding how these attacks work, you can better defend your network. And if you see something weird, don't ignore it—investigate.
### Final Thoughts
UAT-7810 and their LONGLEASH malware are a reminder that the bad guys are always innovating. But so are we. By sharing this information and staying informed, we can make it harder for them to succeed. Keep your devices patched, your passwords strong, and your eyes open.