UAT-7810: How Chinese Hackers Are Turning Unpatched Routers Into a Spy Network
Cisco Talos has exposed a China-linked group that hijacks Ruckus and ASUS routers through known, unpatched vulnerabilities to build a hidden relay network for multiple state-aligned spying operations.

A Chinese hacking crew tracked as UAT-7810 is systematically compromising home and small-business routers to construct a covert traffic relay network, Cisco Talos confirmed in findings published this week.
The network is not just for UAT-7810's own operations. It is shared infrastructure that other China-aligned groups piggyback on to mask their intrusion traffic. That changes the stakes. A single unpatched router in a small office could be quietly serving several separate espionage campaigns at once.
How Attackers Got In
No novel exploits were needed. UAT-7810 walked through doors that security teams left open.
The group targeted Ruckus routers using three publicly known flaws: CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717. That last one lets an attacker execute commands on the device with no login required whatsoever. For ASUS AiCloud routers, the group used CVE-2025-2492, a flaw that allows unauthenticated access to privileged functions.
None of these are zero-day vulnerabilities. Patches existed for all of them. The attackers simply counted on owners never applying those patches, and they were right often enough to build a sprawling relay network.
The Malware Toolkit
Once inside a device, UAT-7810 deploys four newly documented tools.
LONGLEASH is the centrepiece. An upgraded successor to an older backdoor called SHORTLEASH, LONGLEASH opens a reverse shell back to the attackers, handles traffic proxying across multiple network protocols, can operate as a mail server, manages encryption certificates, and erases itself if it detects active analysis. Most critically, it can function as an intermediate command server, relaying instructions and data between other infected devices in the network. That capability is what makes one compromised router useful to several different spy groups simultaneously.
DOGLEASH is a lightweight Linux backdoor delivered through web shell scripts and locked behind a hardcoded password.
JARLEASH is a Java-based browser panel giving attackers file management and file-transfer capabilities without touching the command line.
LEASHTEST is a small diagnostic utility the crew runs first on MIPS-architecture devices, the chip family common in budget routers, to confirm the hardware can execute their payloads before they bother with the full installation.
Together, the four tools give UAT-7810 a modular, self-checking infection chain that is hard to detect and easy to scale.
Shared Infrastructure, Shared Risk
Talos identified a second Chinese-aligned group, UAT-5918, as a consumer of the relay network. UAT-5918 has a documented focus on organisations in Taiwan. The two groups share the same ORB, or Operational Relay Box, infrastructure, which routes their traffic through compromised routers so that victims see connections originating from ordinary broadband addresses rather than from known malicious IP ranges.
Shared relay infrastructure is not new in Chinese state-linked operations. Researchers at Google's Mandiant unit noted last year that this model deliberately complicates attribution, because the traffic hitting a victim looks local and routine. The practical consequence for defenders is that blocking a known bad IP address is no longer sufficient. The bad IP today is a neighbour's router.
The Control That Failed: Patch Management
The root failure here is elementary and painfully common. CVE-2023-25717 was disclosed in February 2023. CVE-2025-2492 was disclosed earlier this year. Both carried patches from their respective manufacturers. UAT-7810 did not need to invent anything. They needed routers that owners had not updated, and they found thousands of them.
This maps directly to what the Verizon 2024 Data Breach Investigations Report identified as one of the three primary paths into organisations: exploitation of vulnerabilities, which grew 180 percent year over year in 2023. Routers are a particularly soft target because they sit outside most endpoint detection coverage, run firmware that auto-update features rarely touch, and are frequently forgotten once installed.
The second failed control is network visibility. An ORB node, a router that is quietly proxying attacker traffic, will typically generate anomalous outbound connections, unexpected protocol use, or unusual volumes of encrypted traffic. Organisations with proper network monitoring and segmentation can catch this behaviour. Many small businesses and home offices run no such monitoring at all, which is precisely why UAT-7810 focuses on that class of device.
What This Incident Teaches Defenders
For security teams, the lesson is not just "patch your routers," though that is the immediate action. The deeper takeaway is that perimeter devices are now primary targets, not afterthoughts. Firmware update cycles need to be treated with the same urgency as operating system patches.
For anyone responsible for a distributed workforce or a network of branch offices, router inventory matters. Knowing which devices are on your network, what firmware version they run, and whether the manufacturer still issues updates is the starting point. A device past end-of-life support should be replaced, not simply monitored.
Training employees and IT staff to recognise that even hardware sitting in a cupboard represents an attack surface is part of closing this gap. When people understand that a router is a computer with privileges, not a box that just "does the internet," patching behaviour changes. That is exactly the kind of mindset shift that security-awareness training is designed to build, particularly in organisations where IT responsibilities are shared across non-specialist staff.
Finally, defenders should review Cisco Talos's published indicators of compromise for this campaign and run them against network logs. The group's tooling leaves detectable artefacts. Finding those artefacts is faster than most organisations assume, provided someone is looking.
Immediate Actions
If you manage Ruckus or ASUS AiCloud routers, check the manufacturer's admin interface today for pending firmware updates and apply them. Cross-reference your device list against CVE-2023-25717 and CVE-2025-2492. If any device in your environment is past its vendor support window, prioritise replacement. Enable logging on all perimeter devices and send those logs somewhere they will actually be reviewed.
How this could have been prevented
- Apply firmware updates to all perimeter devices on a scheduled cycle, treating router patches with the same priority as server and endpoint patches.
- Audit your network for devices past vendor end-of-life support and replace them before attackers find them.
- Build staff awareness so that anyone with IT responsibilities understands routers are computers with attack surfaces, not passive infrastructure.
Train2Secure helps organisations build that security-first mindset across technical and non-technical teams, without lengthy rollouts or complex setup.
Start free, no card requiredSources & further reading
Frequently asked questions
What is an Operational Relay Box (ORB) network and why is it dangerous?
An ORB network is a collection of compromised internet devices, often home or office routers, that attackers route their traffic through. It makes malicious connections appear to come from ordinary local IP addresses, which defeats IP-based blocking and complicates forensic attribution.
Which routers are affected by the UAT-7810 campaign?
Ruckus routers vulnerable to CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717, and ASUS AiCloud routers vulnerable to CVE-2025-2492 are the confirmed targets. Patches for all four vulnerabilities are available from the respective manufacturers.
How do I know if my router has been compromised?
Look for unexpected outbound connections, unusual encrypted traffic volumes, unfamiliar processes in the device logs, or firmware that differs from the manufacturer's published version. Cisco Talos has published indicators of compromise that network defenders can run against their logs.
Is this only a risk for large enterprises?
No. UAT-7810 specifically targets home routers and small-business devices precisely because they receive less monitoring and are less likely to be patched promptly. Small offices and remote workers are a primary attack surface in this campaign.



