Your Edge Router Is Someone Else’s Exit Node. UAT-7810 Conscripts It With an n-Day, and the IOCs Have a 31-Day Shelf Life

The unpatched Ruckus AP in your branch closet isn’t a data-loss risk in the usual sense. It’s raw material. Cisco Talos published research on 2026-07-07 tracking UAT-7810, a China-nexus actor whose whole job is turning internet-facing edge devices into relay nodes — so that other China-nexus APTs can run operations that egress from residential ISP space in your own geography. What it’s after is your public IP and a device it can hide a proxy on. And the piece that makes this genuinely annoying to defend: per Mandiant, an IPv4 tied to the operational relay box (ORB) infrastructure this feeds can rotate out in as little as 31 days, so the payload-host IPs and cert hashes Talos just handed you may be half-dead before your SOC finishes pasting them into a watchlist.

TL;DR

  • China-nexus actor UAT-7810 uses n-day exploits on Ruckus APs (CVE-2020-22653/22658, CVE-2023-25717) — with UAT-7810-linked infrastructure also tied to ASUS AiCloud exploitation via CVE-2025-2492 — to plant LONGLEASH malware and conscript unpatched (often EOL/unsupported) edge devices into ORB relay nodes for other APTs.
  • The published network IOCs are disposable: per Mandiant, an ORB IPv4 can rotate out in as little as 31 days and the network is multi-tenant, so the payload-host IPs and cert hashes expire fast—only the file hashes (the long DOGLEASH SHA256 list) and Snort/ClamAV signatures have real shelf life.
  • LONGLEASH acts as an intermediate C2 server (modular relay over HTTP/DNS/SOCKS/TCP/ICMP/UDP), turning compromised routers into a multi-tier mesh rather than flat proxies—and it self-wipes on tamper, so capture memory and volatile network state before touching a suspected node.
  • Detection must be behavioral and network-based (Zeek/NetFlow, not EDR): flag an edge device showing fan-in plus fan-out—inbound external sessions plus outbound to other external hosts—and unexpected protocol diversity, with the main tuning cost being an allowlist of legitimate vendor-cloud management traffic.
  • The durable fix is inventory and segmentation (CM-8, SC-7, SA-22): know which internet-facing devices are unpatched or EOL, kill the four n-day CVEs, and default-deny egress—chasing IPs that can rotate out in a month is how you lose.

That’s the shape of the problem. Two vendors, two halves. Talos owns the LONGLEASH malware family and the initial-access story; Mandiant owns the ORB model and the “IOC extinction” framing. Keep them straight, because the defensive conclusion only makes sense when you hold both.

What UAT-7810 actually does to the box

Initial access is boring, and that’s the point. Talos ties UAT-7810 to n-day exploitation of known, patchable edge gear: CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 on Ruckus wireless access points, alongside generic MIPS IoT devices. Talos also links UAT-7810-associated infrastructure to early-2026 ASUS AiCloud exploitation via CVE-2025-2492, while stopping short of pinning that expansion on UAT-7810 itself versus an associated actor. Either way: no 0-day, no novel bug class — just appliances nobody re-imaged and a firmware train that stopped getting updates two support cycles ago.

Once in, the payload is LONGLEASH — an upgraded backdoor built on the same codebase as its predecessor SHORTLEASH (both internally named “ff-agent,” project codename “nz1.0”). SHORTLEASH was first documented by SecurityScorecard in 2025; LONGLEASH is the evolution. It’s modular (Base / Executor / Core), built with Boost.Asio, Nanopb, MbedTLS, and musl libc, and it spoofs a Chrome User-Agent on the wire. The capability list reads like a proxy Swiss Army knife: multi-protocol relaying over HTTP, DNS, SOCKS, TCP, ICMP, and UDP; reverse shells; packet redirection; SMTP client and server; TLS/PKI with client authorization; network-tunnel management; and self-removal on tamper detection.

The capability that matters most for understanding the mesh: LONGLEASH can act as an intermediate C2 server. It pulls commands and data from an upstream node and forwards to peers. That’s what turns a pile of compromised routers into a multi-tier relay network rather than a flat set of dumb proxies.

Around it sits a small tool suite, also per Talos. DOGLEASH is a passive C-based Linux backdoor dropped by shell scripts that also inject iptables rules, listening on a hardcoded port for shell commands, file ops, and in-memory code. JARLEASH is a Java admin tool doing web file management and FTP/SFTP/Netcat deployment (its config comments are in Simplified Chinese). LEASHTEST is a MIPS test binary, internally “iot-test,” for validating device compatibility before deployment. Talos assesses with high confidence this is China-nexus, partly because UAT-7810 supplies infrastructure to secondary groups like UAT-5918, which targets Taiwan critical infrastructure. Talos ties UAT-7810 to maintaining and proliferating the LapDogs ORB network (first disclosed by SecurityScorecard in 2025) — this is the named mesh those secondary actors relay through.

Why the IOC list is a trap

Talos did release detection content: Snort SIDs 66430–66433 and 301493, ClamAV signatures across MIPS/ARM/x64 variants, a long list of DOGLEASH file hashes, and four UAT-7810 infrastructure IPs it ties to payload hosting (194.233.92[.]26, 217.15.160[.]247, 217.15.164[.]147, 95.182.100[.]231, on ports 8088/2222/99 — three were VPS download locations, a fourth surfaced in forensics), plus a TLS cert fingerprint. Load them. The file hashes and Snort rules have real shelf life — a DOGLEASH hash is a DOGLEASH hash next quarter.

The network indicators are the trap. Mandiant’s ORB research is explicit about the mechanics that break blocklists here. An ORB network is a proxy mesh of leased VPS, compromised routers and IoT, and EOL edge gear, and the operators cycle a large share of it monthly as a deliberate competitive feature — Mandiant notes an IPv4 can be part of the network for as few as 31 days. Worse for correlation: an IP belongs to the ORB network, which is multi-tenant, so the same node serves several APTs at once and attribution to a single actor from the IP alone is basically dead. LONGLEASH-recruited routers are what Mandiant calls the non-provisioned type (compromised-device meshes like FLORAHOX/ORB2), as opposed to the flatter leased-VPS provisioned type (SPACEHOP/ORB3).

The prescription Mandiant lands on is the only one that survives contact with a 31-day rotation: track ORB networks as evolving entities the way you track APTs — fingerprint by port/service/hosting/ASN and cert patterns, attribute by TTP — and stop treating a scraped IP as durable ground truth. For a SOC that means the blocklist is a speed bump, and your engineering time belongs on behavior.

Detecting the relay, not the address

Here’s the operational wrinkle most teams hit first: you can’t put an EDR on a Ruckus AP. There’s no agent, no Sysmon, no Falcon sensor on a MIPS IoT box. So the detection lives in network telemetry — Zeek/Corelight if you have it, otherwise firewall and NetFlow. The appliance itself is the subject of the detection here. That only works if your telemetry can resolve a flow to the specific device, though: branch NAT collapses many devices behind one public IP, so this is strongest from a management-VLAN tap, firewall logs that preserve pre-NAT identity, or per-device flow telemetry.

The signature of a relay node is fan-in plus fan-out on the same device. A legitimate access point or SOHO router talks to your internal clients and phones home to a small, predictable set of destinations — its controller, an update server, DNS/NTP, maybe a firmware CDN. A conscripted one accepts inbound sessions from the internet and also originates outbound sessions to other external hosts. In Zeek conn.log, that’s one of your edge-device IPs showing up as the id.resp_h on inbound sessions from an external id.orig_h, and as the id.orig_h toward an external id.resp_h, inside the same window — the proxy-chain pattern external → your appliance → external, where the pivot is your own gear. Layer on protocol diversity: a device that suddenly speaks DNS, ICMP, and SOCKS tunneling when it has no business doing anything but management traffic. And hunt for unexpected inbound listeners on edge gear. Treat Talos’s 99/2222/8088 as infrastructure ports — pivot material for finding related nodes, distinct from the unnamed local port DOGLEASH binds on a compromised appliance — and expect them to rotate.

Rough shape of the query if you’re in Splunk against a firewall index: pull sessions where src_ip is in your edge-device asset group and dest_ip is external and not in your vendor-cloud allowlist, stats dc(dest_ip) dc(dest_port) by src_ip, and alert when a single appliance fans out to more distinct external destinations than a cloud-managed device ever should. Set the distinct-destination threshold low — single digits per day for gear that should only ever hit one controller — and expect to move it after tuning.

Because the first tuning pass will be about the vendor cloud. Cloud-managed edge gear maintains persistent outbound tunnels by design: Ruckus SmartZone/cloud, ASUS AiCloud, Meraki dashboard, a Draytek that checks firmware. Those all look like “edge device makes persistent outbound TLS to the internet,” which is exactly the raw pattern you’re keying on. So the false positives originate almost entirely from legitimate management-plane traffic, and round one is building the allowlist of real controller endpoints and update servers per device class. Get that wrong and you either drown the SOC or, more likely, someone silences the rule in week two and it never comes back. NTP, DNS to your resolver, and firmware-check CDNs are the other usual suspects.

The environment assumption that changes everything is your egress posture for edge devices. If your APs and IoT sit on a segmented management VLAN with default-deny egress through a proxy, this detection is nearly free — anything the device tries that isn’t on the allowlist is already an event. If those same devices sit on a flat branch /24 with unrestricted internet access (the SMB and retail reality), you’re starting from zero telemetry and the fastest win is segmentation, not a detection rule. FedRAMP and other regulated enclaves usually already segment; a 30-site retail chain running consumer-grade gear usually does not.

One forensics caveat that bites people: LONGLEASH self-removes on tamper detection. If you find a suspected node and start poking it live, you may trip the wipe and lose the volatile state. Capture memory and image the device — and snapshot the volatile network state (connection table, listening sockets, live iptables rules), which is often the only capture you’ll realistically get off a MIPS/ARM appliance — before you touch anything interactive.

Where it maps

Control What it covers here
CM-8, CM-2 Inventory and baseline of internet-facing routers/IoT/EOL appliances. You cannot defend the edge devices you don’t know are exposed, and this is the family that fails first.
SI-2, RA-5 Flaw remediation and vuln scanning for the named n-day CVEs; an actual EOL-device retirement policy behind it.
SA-22 Unsupported system components — devices on unsupported firmware trains need replacement rather than another scan finding.
SC-7, SC-7(4) Boundary protection; segment edge devices off trusted networks with managed egress interfaces. This is what makes the relay detectable at all.
SI-4, AU-12, AU-6 Behavioral relay/proxy detection and egress monitoring sourced from the network devices themselves — generating the audit records (AU-12, the part edge appliances do worst) and reviewing them to act on (AU-6).

SR-family provenance is adjacent — edge-device supply chain is a real concern — but this isn’t primarily a supply-chain compromise, so don’t stretch the mapping there.

The honest summary for a SOC lead: the blocklist Talos published is worth loading and worth expecting to expire. The thing that actually reduces your exposure is knowing which of your internet-facing devices are unpatched or EOL, killing the four n-day CVEs, and standing up one behavioral rule that catches an appliance acting like a proxy. UAT-7810 is betting you’ll do none of that and chase IPs instead. When the infrastructure can rotate out from under you in a month, chasing IPs is how you lose.

Sources


This post was engineered and validated through a multi-agent AI workflow — drafted, adversarially reviewed by several independent models, checked against primary sources, and given a human review before publishing. See an inaccuracy, or found this useful? Leave a comment below — corrections and feedback are read and shape what comes next.

Leave a comment