A China-linked hacking group has been observed expanding a network of hijacked devices used to disguise cyber-attacks, arming it with several newly discovered pieces of custom malware, researchers have found.
Cisco Talos said the actor, an advanced persistent threat (APT) group it tracks as UAT-7810, built what are known as Operational Relay Box (ORB) networks, meshes of compromised routers and other devices that other hackers rent to route their traffic through and hide their origin.
Talos assessed with high confidence that UAT-7810 is a China-nexus group.
A Relay Network for Other Hackers
The company said UAT-7810 maintained a long-running ORB network known as LapDogs, first exposed in 2025, and that its role was essentially to build infrastructure for others.
Once it had quietly taken over enough devices, separate China-nexus APT groups could use that relay network to mask their own espionage against high-value targets.
To grow the network, the group broke into edge devices using known but unpatched vulnerabilities, a low-effort tactic that relies on organizations failing to apply fixes.
The researchers said it had targeted flaws in Ruckus wireless routers since 2025 and, earlier this year, began exploiting a bug in ASUS routers to fold them into the network too.
Read more on the LapDogs ORB network: Chinese "LapDogs" ORB Network Targets US and Asia
A Growing Malware Toolkit
Talos said UAT-7810 is developing an upgraded backdoor called LONGLEASH, an evolution of an earlier tool that adds proxying features and can even relay commands to other infected machines.
It also uncovered two previously unknown backdoors: DOGLEASH, which ran commands on compromised Linux devices and a Java-based tool, JARLEASH, used to manage the group's servers.
A configuration file for JARLEASH contained comments in Simplified Chinese, which Talos said indicated Chinese-speaking operators. The firm also found a test program aimed at MIPS-based devices, a sign the group was still refining its tools for the varied hardware that made up its network.
The findings come from Talos's own tracking of the group's malware and servers, which it said remain active.
