UAT-7810 / LapDogs ORB Network Dissected: LONGLEASH Malware, Internet-Facing Device Compromise, and the Architecture of China’s Operational Relay Box Ecosystem
Every enterprise treats its Ruckus access points like furniture. You mount them, you forget them, and you never think of them as what they actually are: internet-reachable Linux hosts running a minimal MIPS distribution with root, a web management interface, and firmware nobody has patched since the day it shipped. UAT-7810 thinks about them constantly. In 2025, Cisco Talos published its teardown of a China-nexus operation, building on SecurityScorecard STRIKE’s initial public disclosure of the network, that has quietly turned more than a thousand of those forgotten boxes into a rentable relay mesh, and the implant at the center of it, LONGLEASH, is not a botnet zombie. It is a purpose-built intermediate command-and-control node.
That distinction is the whole story. This post is a full binary-and-network-level dissection of LONGLEASH and the LapDogs ORB network, and my argument throughout is simple: the interesting part of LapDogs is not the malware sophistication, which is competent but not exotic. It is the operating model. UAT-7810 builds infrastructure and other actors, like UAT-5918, drive it into critical targets. That decoupling is what makes it durable, and it is what most defenders are structurally unequipped to catch.
What an ORB Network Actually Is (and Why It Beats a Botnet)
An Operational Relay Box network is a mesh of compromised hosts, mostly small-office/home-office (SOHO) routers and IoT devices, blended with rented virtual private servers (VPS), used to proxy an attacker’s traffic so that it emerges from legitimate-looking regional infrastructure. Google Mandiant documented the category first. The label matters because it separates ORBs from the classic crimeware botnet in three ways that break most defensive assumptions.
First, the intent is laundering, not payload. An ORB node’s job is to route C2 and exfiltration traffic, not to ransom the device it lives on. The compromised router keeps serving its owner’s Wi-Fi during the entire campaign, which is exactly why an infected Ruckus AP in a university dorm never trips a helpdesk ticket.
Second, ORBs are frequently run as a service. The people who compromise and maintain the nodes are not necessarily the people who use them for espionage. LapDogs is the cleanest example of this “infrastructure provider” model we have on record. UAT-7810 does the recruitment; UAT-5918, a China-nexus actor linked to attacks on Taiwanese critical infrastructure since at least 2023, is one of the tenants.
Third, nodes rotate. IP-reputation blocking, geofencing, and threat-intel feeds all assume a somewhat stable indicator. When your relay is a residential ASUS AiCloud router in Osaka that cycles out of the mesh after a few weeks and self-deletes if it feels watched, indicator-based defense degrades to noise.
LapDogs sits in a crowded China-nexus ORB ecosystem alongside Volt Typhoon’s KV Botnet, Sekoia’s PolarEdge, and Storm-0940’s CovertNetwork-1658. We will come back to how it differs from those, because the differences are the point.

UAT-7810 and the LapDogs Timeline
SecurityScorecard’s STRIKE team surfaced LapDogs publicly in June 2025 as a previously unreported ORB network. Reconstruction of the infrastructure showed it had been operating since at least September 2023 and expanding continuously. At disclosure it comprised more than 1,000 SOHO devices, roughly 55 percent of them Ruckus access points, spread across the United States and Southeast Asia with heavy concentration in Japan, South Korea, Hong Kong, and Taiwan. Victim sectors skew toward real estate, IT, networking, and media.
Talos assesses UAT-7810 as China-nexus with high confidence, and the attribution is not just infrastructure geography. A configuration file for JARLEASH, the administrative backdoor, carried comments in Simplified Chinese. The startup script for SHORTLEASH, the predecessor implant, contained code comments in Simplified Chinese. Combined with the tenancy relationship to UAT-5918, the picture is a Chinese-speaking crew whose product is access.
The naming convention across the toolkit (“leash” everything) is a research artifact, not the operator’s own. Internally the codebase calls itself ff-agent, and the LONGLEASH project specifically is versioned nz1.0. Those two strings are gold for binary hunting, and we will use them.
Initial Access: N-Day Exploitation of Internet-Facing Devices
UAT-7810 does not burn zero-days on recruitment. It does not need to. The edge-device patch gap is so wide that known n-day vulnerabilities in networking hardware are a renewable resource. The exploited CVEs are documented and specific:
| CVE | Product | CVSS v3.1 | Notes |
|---|---|---|---|
| CVE-2020-22653 | Ruckus Wireless R310 firmware | 9.8 | Remote code execution class |
| CVE-2020-22658 | Ruckus Wireless R310 firmware | 9.8 | Remote code execution class |
| CVE-2023-25717 | Ruckus Unleashed / ZoneDirector | 9.8 | Unauthenticated RCE; on CISA KEV; exploited since 2023 |
| CVE-2025-2492 | ASUS AiCloud routers | 9.2 | UAT-7810 IP observed exploiting this |
CVE-2023-25717 is the workhorse. It is an unauthenticated remote code execution flaw reachable through the web interface, it has been actively exploited since 2023, and it sits on CISA’s Known Exploited Vulnerabilities catalog. If your Ruckus estate is exposed and unpatched, assume it is on someone’s target list.
The choice of Ruckus is not random. Ruckus dominates higher-education, hospitality, and healthcare networks, environments with sprawling wireless footprints and thin operational security budgets. The hardware itself is ideal: a minimal Linux userland on a MIPS RISC processor built for low power and high packet throughput. That is a networking-optimized CPU that happens to make a serviceable proxy relay, and it runs as root by default. The CVE-2025-2492 activity against ASUS AiCloud suggests UAT-7810 (or an associated actor) is actively probing to expand recruitment into consumer-grade hardware, widening the mesh’s geographic spread.
SHORTLEASH to LONGLEASH: The Evolution
SHORTLEASH was the first-generation implant. It was already capable: a backdoor that could reach out to an external server, host its own web server, and act as both C2 server and client. Its notable trick was operational deception. SHORTLEASH generated TLS certificates spoofed to appear signed by the Los Angeles Police Department, a deliberate attempt to send certificate-pivoting investigators down a dead end.
LONGLEASH is built on the same ff-agent codebase but is a different class of tool. Where SHORTLEASH was a backdoor with proxy features, LONGLEASH is a proxy framework with backdoor features. The capability delta:
| Capability | SHORTLEASH | LONGLEASH (nz1.0) |
|---|---|---|
| Reverse shell | Limited | Yes |
| Proxy protocols | Basic | HTTP, DNS, SOCKS, TCP, ICMP, UDP |
| SMTP client/server | No | Yes |
| TLS/PKI (x509) | Cert spoofing | Full MbedTLS stack |
| Intermediate C2 relay | No | Yes (core feature) |
| Self-removal/anti-forensics | Basic | Tamper-triggered wipe |
| Target architectures | Limited | MIPS, ARM, x64 |
The single most important addition is the intermediate C2 relay. LONGLEASH obtains commands and payloads from an upstream controller and forwards them to peer implants downstream. That one function is what upgrades a collection of infected routers from a flat proxy pool into a layered, hierarchical mesh where the true origin C2 is buried several hops deep. It is the architectural difference between a botnet and an ORB.
LONGLEASH Internals: Base, Executor, Core
The nz1.0 project is cleanly modular, which tells you something about the engineering discipline behind it. Three components:
Base handles logging and utilities, including Base58 and Base64 encoding and decoding routines. Base58 in particular is an unusual choice for a router implant and a useful hunting signal, since it is more associated with cryptocurrency address encoding than with C2 tooling.
Executor is the heart of the proxy engine. It manages network connections to upstream servers, handles TLS and PKI, tracks connected clients, sockets and URIs, authorizes clients, routes messages through the proxy network, manages basic network tunnels, and, critically, removes the implant and all traces from the host if it detects a suspicious connection or tampering. This is where the multi-protocol proxying (HTTP, DNS, SOCKS, TCP, ICMP, UDP) lives.
Core provides authorization and node identification, HTTP encoding, processing of protobuf-encoded messages, SHA integrity checks, and task scheduling. The command framing is protocol buffers, which is deliberate: protobuf is compact, schema-driven, and does not look like a typical text-based C2 protocol on the wire.
The library stack matters for detection, so here it is precisely:
- Boost.Asio for asynchronous I/O, used specifically in MIPS builds.
- Nanopb for protobuf message processing (a small-footprint protobuf implementation for embedded targets).
- MbedTLS for TLS, encrypted proxy transport, and x509 certificate management.
- musl libc instead of glibc, implementing C functions directly on top of Linux syscalls.
The Boost.Asio choice is a genuine engineering decision, not a default. On a constrained MIPS CPU, blocking I/O would stall the processor every time the implant waited on a socket. Asynchronous I/O lets a single relay juggle multiple concurrent proxy tunnels, C2 sessions, and TLS handshakes without stalling the core. The result is a relay that stays responsive on hardware with almost no processing headroom, which directly translates to higher-quality, lower-latency proxying for the tenant APT.
On top of that, LONGLEASH spoofs a modern Chrome User-Agent string on its HTTP traffic to blend with legitimate browser flows. Small detail, real impact against naive user-agent baselining.
Conceptually, the intermediate-relay message handling looks like this. Treat the pseudocode as illustrative of the mechanism, not a literal reproduction:
// Illustrative of the LONGLEASH executor relay path (nz1.0)
// Async, protobuf-framed, TLS-wrapped intermediate C2 forwarding
void on_upstream_message(const tls_session& up, const buffer& raw) {
// Core: decode protobuf command frame via Nanopb
Command cmd;
if (!nanopb_decode(raw, &cmd)) return;
// Core: verify integrity + authorize the issuing node
if (!sha_check(cmd.digest, cmd.body) || !authorize(cmd.node_id))
return; // silent drop on bad auth
switch (cmd.type) {
case RELAY_DOWNSTREAM:
// Executor: forward to a peer implant, hiding origin
for (auto& peer : downstream_peers(cmd.target_group))
async_write(peer.tls, reframe(cmd)); // non-blocking
break;
case OPEN_TUNNEL:
// Executor: spin up SOCKS/HTTP/DNS/ICMP/UDP proxy channel
open_proxy(cmd.proto, cmd.dst, cmd.dport);
break;
case SELF_DESTRUCT:
case TAMPER_DETECTED:
wipe_implant_and_traces(); // anti-forensic retirement
break;
}
}
The wipe_implant_and_traces() path is the retirement mechanism. When the executor sees a connection it does not trust, or an explicit destruct command, it removes the binary and its artifacts from the device. That is why forensic acquisition of a live LapDogs node is so hard: touch it wrong and it is gone.

DOGLEASH, JARLEASH, and LEASHTEST
LONGLEASH is the primary relay, but three supporting tools round out the arsenal.
DOGLEASH is a lightweight C-based passive backdoor, the workhorse of the staging phase. After compromising a device, UAT-7810 drops a shell script that downloads DOGLEASH and inserts an iptables rule to permit TCP traffic to a specific port. DOGLEASH binds and listens on that port, authenticates incoming connections against a hardcoded password, and supports shell command execution, file read/write, OS information retrieval, and arbitrary code execution directly in host memory. Incoming TCP data is decoded with the hardcoded password string. The documented deployment behavior maps directly to a hunting signal: an unexplained iptables -I INPUT ... -j ACCEPT on a router opening an atypical port.
JARLEASH is the Java/JAR administrative backdoor, deployed on at least one of the operation’s servers for management rather than on victim edge devices. It provides web-based file management plus FTP, SFTP, and Netcat server functionality. This is the operator’s admin console, and its config file is where the Simplified Chinese comments surfaced.
LEASHTEST is the most telling of the four. It is a non-malicious ELF binary that tests specific runtime functionality on MIPS embedded devices: thread creation, child process spawning, async timer behavior. UAT-7810 built and used it to validate that LONGLEASH’s primitives behave correctly on MIPS hardware. The existence of LEASHTEST tells you the actor developed a full-fledged framework but is still not fully confident of its behavior on MIPS, so it ships a compatibility harness. For defenders, LEASHTEST is a clean indicator of compromise: it does nothing harmful, so its presence on a device is otherwise inexplicable.
The ORB Node Lifecycle: Recruitment to Retirement
The mesh runs on a repeatable node lifecycle. Each stage has a distinct detection surface.
| Stage | Action | Detection surface |
|---|---|---|
| 1. Recon and exploit | Scan for exposed Ruckus/ASUS, fire n-day CVE | Inbound exploit attempts to /admin, /cgi-bin |
| 2. Payload staging | VPS servers host multi-arch DOGLEASH + scripts | Outbound wget/curl from an edge device |
| 3. Implant deployment | Dropper runs iptables + downloads DOGLEASH, then LONGLEASH | New iptables ACCEPT rule; new listener |
| 4. Active relaying | LONGLEASH proxies tenant traffic upstream/downstream | Anomalous outbound TLS, proxy tunnels |
| 5. Self-preservation / retirement | Tamper-triggered wipe; node rotates out | Sudden loss of artifacts; short-lived IPs |
Talos identified three IPs tied to VPS instances used for payload download and four new servers used to host the malicious payloads for MIPS, ARM, and x64 targets. The staging tier is intentionally disposable. The compromised routers keep serving normal traffic throughout, which is the single biggest reason detection and attribution stay elusive. There is no outage, no ransom note, no degraded service to prompt investigation.
C2 Traffic Routing Through the Relay Mesh
The topology is hierarchical, and the whole design goal is to put maximum distance and maximum protocol diversity between the tenant operator and the victim.
[Operator / true C2 origin]
| TLS + x509 PKI (MbedTLS)
[VPS staging servers] <- multi-arch payload hosting
|
[Tier-1 LONGLEASH node] compromised Ruckus AP (MIPS)
| intermediate C2 relay, protobuf-framed
[Tier-2 LONGLEASH node] another compromised edge device
| proxy channel: HTTP / SOCKS / DNS / ICMP / UDP
[DOGLEASH last-hop node] lightweight endpoint access
|
[Target network / victim]
Every hop can speak a different protocol. The executor’s proxy channels cover HTTP, DNS, SOCKS, TCP, ICMP, and UDP, so a single logical session can enter a node as HTTPS and leave it as a DNS tunnel or an ICMP covert channel. That protocol hopping defeats simple flow-signature detection and complicates any attempt to trace a session end to end.
Two artifacts are worth pinning on the wall. First, the SMTP client/server capability gives the operators a mail-shaped C2 channel that sails through most egress policies, since almost nobody blocks outbound 25/587 from infrastructure segments. Second, and most concrete for hunting: LONGLEASH has been observed serving TLS on non-standard ports, notably port 99, with a distinctive certificate. TLS on port 99 from a wireless access point is not a thing that happens in nature. That is your highest-fidelity network signal.

LapDogs vs KV Botnet vs PolarEdge
LapDogs invites comparison to Volt Typhoon’s KV Botnet, and the comparison flatters LapDogs.
| Dimension | LapDogs / UAT-7810 | KV Botnet / Volt Typhoon |
|---|---|---|
| Primary role | Infrastructure-as-a-service for other APTs | Operational cover for Volt Typhoon’s own intrusions |
| Target hardware | Enterprise Ruckus APs, ASUS AiCloud (n-day CVEs) | EOL SOHO Cisco, NETGEAR routers |
| Implant | Custom multi-arch ELF with intermediate C2 relay | Custom malware + LOTL, FRP tunnels |
| Proxy protocols | HTTP, DNS, SOCKS, TCP, ICMP, UDP | SOCKS5, FRP, netsh PortProxy |
| Attribution | China-nexus, distinct from consumers | Volt Typhoon (G1017), PRC state-sponsored |
| Disrupted? | Active as of 2025 | Disrupted by US law enforcement, early 2024 |
| Consumer APTs | UAT-5918 (Taiwan critical infra) | Volt Typhoon direct use (US critical infra, Guam) |
| Scale at discovery | 1,000+ nodes, ~55% Ruckus | Cisco/NETGEAR SOHO, mostly EOL |
KV Botnet leaned heavily on living-off-the-land and Fast Reverse Proxy clients on end-of-life devices, and it got disrupted by law enforcement in early 2024 after running from October 2022 through January 2024. LapDogs does three things KV Botnet did not. It ships a purpose-built multi-architecture implant instead of gluing together off-the-shelf tunneling. It builds an intermediate-relay hierarchy instead of a flat proxy pool. And it maintains an active development cycle, evidenced by LEASHTEST, SHORTLEASH-to-LONGLEASH evolution, and the AiCloud expansion. That combination is more resilient to takedown, because there is no single flat layer to sever.
The nearest sibling is PolarEdge, an IoT ORB network active since late 2023 and discovered by Sekoia. PolarEdge shares some infrastructure with LapDogs but diverges in TTPs and certificate management, which suggests either shared suppliers or parallel programs drawing from the same Chinese ORB ecosystem.
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Where it shows up |
|---|---|---|---|
| Reconnaissance | Active Scanning | T1595 | Scanning for exposed Ruckus/ASUS interfaces |
| Resource Development | Acquire Infrastructure: Botnet | T1583.005 | The ORB mesh itself |
| Resource Development | Compromise Infrastructure: Botnet | T1584.005 | Recruiting SOHO/edge devices |
| Initial Access | Exploit Public-Facing Application | T1190 | CVE-2023-25717, CVE-2025-2492, etc. |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 | Dropper scripts |
| Execution | Native API / in-memory execution | T1106 | DOGLEASH memory code execution |
| Persistence | Server Software Component | T1505 | JARLEASH web/file admin backdoor |
| Defense Evasion | Impair Defenses: Disable/Modify System Firewall | T1562.004 | iptables ACCEPT rule insertion |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 | Tamper-triggered self-wipe |
| Defense Evasion | Subvert Trust Controls: spoofed certs | T1553 | LAPD-spoofed TLS certs (SHORTLEASH) |
| Defense Evasion | Masquerading (Chrome UA) | T1036 | Spoofed User-Agent |
| Credential/Command | Encrypted Channel: Asymmetric | T1573.002 | MbedTLS/x509 C2 |
| Command and Control | Proxy: Multi-hop | T1090.003 | The intermediate C2 relay mesh |
| Command and Control | Protocol Tunneling | T1572 | DNS/ICMP/UDP tunnels |
| Command and Control | Non-Standard Port | T1571 | TLS on port 99 |
| Command and Control | Application Layer Protocol: Mail | T1071.003 | SMTP C2 channel |
Detection Lab: Hunting ORB Relay Nodes
The detection strategy has to accept one hard truth: you will rarely get to run an EDR agent on the compromised device, because it is an appliance. That means your leverage is almost entirely at the network layer and in host artifacts you can pull during a firmware audit.
YARA (binary/firmware artifacts)
The nz1.0 and ff-agent internal strings, plus the unusual library combination (Nanopb + MbedTLS + musl on a networking device), give you a workable static signature. Illustrative rule:
rule LONGLEASH_ff_agent_nz10 {
meta:
description = "UAT-7810 LONGLEASH / ff-agent nz1.0 relay implant"
reference = "Cisco Talos / SecurityScorecard STRIKE, 2025"
author = "GenXCyber"
strings:
$proj1 = "nz1.0" ascii
$proj2 = "ff-agent" ascii
$lib1 = "nanopb" ascii nocase
$lib2 = "mbedtls" ascii nocase
$mode = "Executor" ascii
$mode2 = "SELF_DESTRUCT" ascii
$ua = "Mozilla/5.0" ascii // Chrome UA spoof context
condition:
uint32(0) == 0x464c457f // ELF magic
and ( (($proj1 or $proj2) and 2 of ($lib1,$lib2,$mode,$mode2))
or all of ($proj1,$proj2) )
}
A companion rule keyed on LEASHTEST’s thread/fork/async-timer test strings is worth deploying because that binary is a pure IoC with no benign explanation.
Sigma (host log anomalies)
The DOGLEASH deployment pattern (firewall modification plus payload download) is a clean behavioral signal if you can ship shell history or syslog off the device.
title: Edge Device Firewall Modification Opening Atypical Port
id: 8f2c1d4e-lapdogs-iptables
status: experimental
logsource:
product: linux
service: shell
detection:
iptables_open:
CommandLine|contains|all:
- 'iptables -I INPUT'
- '--dport'
- '-j ACCEPT'
payload_pull:
CommandLine|re: '(wget|curl).+(/tmp/\.|/dev/shm/)'
condition: iptables_open or payload_pull
level: high
tags:
- attack.defense_evasion
- attack.t1562.004
Snort / network signatures
The port-99 TLS artifact and non-browser Chrome UA give you two independent network hooks. Note that the |16 03| content match keys on the TLS record type and version bytes at the start of any TLS handshake, so on its own it will fire on all TLS traffic to port 99 and be noisy; treat it as a scoping trigger and pair it with the port anomaly and certificate context rather than as a standalone high-confidence signature:
alert tcp $HOME_NET any -> any 99 (msg:"LapDogs LONGLEASH TLS on port 99";
flow:established,to_server; content:"|16 03|"; offset:0; depth:2;
classtype:trojan-activity; sid:9781001; rev:1;)
alert tcp $EDGE_DEVICES any -> $EXTERNAL_NET any (msg:"Edge device outbound Chrome UA anomaly";
flow:established,to_server; content:"User-Agent|3a 20|Mozilla/5.0"; http_header;
classtype:policy-violation; sid:9781002; rev:1;)
Netflow and hunting queries
Signatures are brittle against a rotating mesh, so lean on behavioral netflow analytics. The hunting priorities:
- Access points or routers initiating outbound TLS to internet IPs on non-standard ports (99, and anything that is not 443).
- Edge devices originating DNS, ICMP, or UDP flows with volume or timing profiles inconsistent with normal management traffic (tunneling signal).
- Devices talking to short-lived VPS IPs that appear and disappear within days.
- Long-lived, low-and-slow encrypted sessions from infrastructure segments that should never make outbound connections at all.
Frame it as a question: which of my network appliances is behaving like a workstation? An access point should be a near-silent sink of management traffic. The moment one starts acting like a proxy, it is one.
Defense and Hardening: Evicting LONGLEASH
The strategic fix is a mindset change: stop treating edge networking gear as appliances and start treating it as internet-facing Linux servers, because that is what it is. Concretely:
- Patch by exposure, not by CVSS alone. Any Ruckus device reachable from the internet running firmware vulnerable to CVE-2023-25717 is a priority-zero item. It is on CISA KEV and actively exploited. AiCloud routers exposed to CVE-2025-2492 follow immediately.
- Kill the management-plane exposure. No wireless controller, AP admin interface, or router web UI should be reachable from the public internet. Put them behind VPN or a jump host. This alone removes UAT-7810’s entire initial-access vector.
- Segment the appliance plane. Edge devices should sit in a network segment with tightly restricted egress. An AP has no legitimate reason to open outbound TLS to an arbitrary internet host on port 99, or to tunnel DNS/ICMP.
- Audit iptables and listeners on your edge fleet. Pull the running firewall ruleset and open-socket list. An unexplained
INPUT ... ACCEPTon an odd port, or a listener bound to a high TCP port, is the DOGLEASH signature. - Verify firmware integrity. Where the vendor supports signed-image verification, use it. Look for LEASHTEST or unexpected ELF binaries in
/tmp,/dev/shm, or persistence scripts. - Hunt the mesh, not the indicator. Because nodes self-wipe and rotate, chase behavior. Baseline what each appliance class is allowed to talk to and alert on deviation.
One caution on incident response: LONGLEASH’s executor wipes itself on tamper detection. If you find a live node, capture volatile network state and memory before you touch the filesystem or reboot, or you will lose the evidence.

Key Takeaways
- The model is the weapon. LapDogs’ durability comes from separating the crew that builds the mesh (UAT-7810) from the crews that use it (UAT-5918). You are defending against infrastructure-as-a-service, not a single actor.
- LONGLEASH is a relay, not a zombie. Its intermediate C2 capability, protobuf framing, MbedTLS transport, and six-protocol proxy engine make it a proper node in a hierarchical mesh, a real step up from KV Botnet’s flat LOTL approach.
- Your access points are Linux servers with root and no patches. Ruckus n-days (CVE-2023-25717 above all) plus internet-exposed management interfaces are the entire on-ramp. Close that and you close the campaign’s front door.
- Indicator-based defense loses here. Nodes rotate and self-wipe. Hunt behavior: appliances acting like proxies, TLS on port 99, tunneled DNS/ICMP/UDP from gear that should be silent.
- The best IoC is the innocent one. LEASHTEST does nothing malicious, which is exactly why finding it on a device means you have been recruited into someone’s relay mesh.
Related Tutorials
- Windows OS Architecture
- APT Profiling: Building an Adversary Profile with OSINT
- Cyber Threat Intelligence Fundamentals: Sources, Types, Lifecycle
- Red Team Lab Infrastructure: VMs and C2 Setup
- Windows APC Injection and Thread Hijacking