China-Linked Hackers Exploit Critical Ruckus Router Flaws
Key Takeaways A China-linked threat actor, UAT-7810, is actively exploiting known vulnerabilities in Ruckus wireless routers. The group is building a global network of compromised devices, known as...
Key Takeaways
- A China-linked threat actor, UAT-7810, is actively exploiting known vulnerabilities in Ruckus wireless routers.
- The group is building a global network of compromised devices, known as an Operational Relay Box (ORB) network or LapDogs, to conceal the origins of cyberattacks.
- New custom malware, including LONGLEASH, DOGLEASH, and JARLEASH, has been deployed to maintain long-term control over infected routers and other devices.
- Many Ruckus routers remain vulnerable due to unapplied firmware updates, providing an easy entry point for attackers.
- Immediate patching of Ruckus devices and robust network monitoring are critical to mitigate this ongoing threat.
A sophisticated hacking group, identified as UAT-7810 and linked to China, is systematically expanding a vast network of compromised internet devices. The group achieves this by exploiting well-known, yet often unpatched, security flaws in Ruckus wireless routers. This activity is part of a broader strategy to establish an “Operational Relay Box” (ORB) network, which serves to obscure the true source of subsequent cyberattacks.
Table Of Content
This method allows threat actors to route malicious traffic through ordinary consumer and business routers, effectively camouflaging their activities within legitimate network communications. This infrastructure, first identified as LapDogs by security researchers in 2025, has continued to grow significantly since its initial discovery.
UAT-7810 appears to specialize in the construction and maintenance of these extensive relay networks. This specialization suggests a division of labor within the cybercriminal ecosystem, where UAT-7810 provides the infrastructure that other threat actors can then leverage to launch attacks against high-value targets. Such a setup makes it considerably more difficult for defenders to trace an intrusion back to its ultimate perpetrator.
Analysts from Cisco Talos said in a report, which was shared with Cyber Security News (CSN), that they are closely monitoring the infrastructure and custom malware associated with UAT-7810. They categorize the group as an advanced persistent threat (APT) responsible for sustaining the LapDogs network. Talos also noted that UAT-7810 shares certain tools with another China-linked group, UAT-5918, although the two entities are tracked as distinct actors with separate operational objectives.
Exploiting Unpatched Ruckus Routers
The attackers predominantly rely on unpatched Ruckus routers for their initial access. They exploit existing, publicly known vulnerabilities rather than developing zero-day exploits. This strategy underscores the persistent risk posed by outdated firmware, which continues to be one of the most straightforward entry points into both residential and corporate networks. Once a device is compromised, UAT-7810 deploys an evolving suite of custom backdoors designed for persistent control over the infected hardware.
Evolving Malware Toolkit
Central to this campaign is a backdoor initially named SHORTLEASH. However, Talos reports that this is being superseded by a more advanced version called LONGLEASH. The upgraded LONGLEASH malware significantly enhances the attackers’ capabilities, allowing it to function as a proxy, host its own web server, manage encrypted tunnels, and even serve as an intermediate command server to relay instructions to other compromised devices. It incorporates code from open-source libraries and employs a Chrome browser identifier to blend its network traffic with typical web browsing activity.
In addition to LONGLEASH, Talos has uncovered two previously undocumented tools: DOGLEASH and JARLEASH, along with a minor testing utility named LEASHTEST. DOGLEASH operates as a lightweight backdoor, silently listening on infected Linux devices for specific commands, such as executing shell code or reading files. JARLEASH, developed in Java, provides attackers with a robust file management console and file transfer capabilities. Interestingly, its configuration file contains comments written in Simplified Chinese, further reinforcing the attribution to a China-linked entity.
Persistent Entry Points and Mitigation
Ruckus wireless routers remain a primary target due to the widespread presence of devices running outdated software in the field, as highlighted by the Talos report. Since 2025, Talos has identified three specific known vulnerabilities that UAT-7810 has exploited to gain unauthorized access to these devices. Once compromised, a router can be silently integrated into the ORB network, relaying traffic for extended periods without detection by the owner.
The group has also demonstrated an interest in expanding beyond routers. A server associated with the campaign was observed targeting ASUS AiCloud devices earlier this year. This indicates that UAT-7810 is not limiting its activities to a single vendor or device type as it continues to expand its relay infrastructure. Proactive measures such as promptly applying router firmware updates and replacing end-of-life hardware are simple yet highly effective steps to close these critical entry points.
What You Should Do
- Patch Immediately: Ensure all Ruckus wireless routers and other network devices are running the latest available firmware. Prioritize applying security updates as soon as they are released by the manufacturer.
- Replace End-of-Life Hardware: Replace any network hardware that no longer receives security updates from the vendor. These devices represent significant, unpatchable vulnerabilities.
- Network Segmentation: Implement network segmentation to isolate critical systems and sensitive data from less secure devices, such as guest networks or IoT devices. This limits the lateral movement of attackers if a router is compromised.
- Monitor Network Traffic: Regularly monitor network traffic for unusual connections, outbound communications to suspicious IP addresses, or unexpected data volumes, which could indicate a compromised device.
- Review Logs: Periodically review router and firewall logs for any unauthorized access attempts or configuration changes.
- Strong Passwords and MFA: Enforce strong, unique passwords for all administrative interfaces on network devices and enable multi-factor authentication (MFA) where available.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.