Infosecurity

China-Linked Hackers Build a Proxy Army: New Malware Fuels a Growing Relay Network

Published

on

The Relay Network That Keeps on Growing

A hacking group tied to China is quietly building a bigger, more dangerous network of hijacked devices. Researchers at Cisco Talos have been tracking a group they call UAT-7810, and what they’ve found is a sprawling mesh of compromised routers and other edge devices. The purpose? To let other hackers hide their tracks.

This is what security pros call an Operational Relay Box (ORB) network. Think of it as a botnet-for-hire, but instead of launching attacks, it routes traffic. Other threat actors pay — or trade favors — to bounce their malicious traffic through these boxes, making it nearly impossible to trace back to the source. Talos assesses with high confidence that UAT-7810 is a China-nexus advanced persistent threat (APT) group.

The network itself has a name: LapDogs. It was first exposed back in 2025, but it’s still alive and kicking. In fact, it’s getting bigger.

How They Break In: Old Bugs, New Victims

UAT-7810 doesn’t use sophisticated zero-days. Their playbook is simpler: scan for unpatched vulnerabilities in widely used hardware, then exploit them. It’s a low-effort, high-reward strategy that relies on one thing — organizations failing to apply security updates.

Since 2025, the group has been targeting flaws in Ruckus wireless routers. But earlier this year, they added a new trick: exploiting a bug in ASUS routers to fold those devices into the LapDogs network too. The choice of targets is telling. Routers sit at the edge of networks, often forgotten, rarely patched. They’re the perfect blind spot.

Talos researchers noted that the group’s infrastructure remains active. This isn’t a relic of past campaigns — it’s a live, breathing operation.

The Malware Arsenal: LONGLEASH, DOGLEASH, and JARLEASH

To manage and expand their proxy army, UAT-7810 has been developing a suite of custom malware. The centerpiece is an upgraded backdoor called LONGLEASH. It’s an evolution of an earlier tool, but with a crucial new capability: proxying. LONGLEASH can relay commands from one infected machine to another, turning each compromised device into a node in a larger relay chain.

But that’s not all. Talos uncovered two previously unknown backdoors:

  • DOGLEASH — a backdoor that runs commands on compromised Linux devices. It’s lightweight, designed for quick execution on routers and embedded systems.
  • JARLEASH — a Java-based tool used to manage the group’s command-and-control servers. Its configuration file contained comments written in Simplified Chinese, a strong indicator that the operators are Chinese-speaking.

The group also built a test program aimed at MIPS-based devices. That’s significant. MIPS architecture is common in older routers and IoT gear. By testing on MIPS, UAT-7810 signals they’re still refining their tools for the broadest possible range of hardware. They want every router they can get.

What This Means for Defenders

ORB networks like LapDogs are a growing headache for cybersecurity teams. They’re not just a problem for the owners of the hijacked devices — they’re a force multiplier for other attackers. A China-linked APT group targeting a high-value organization can route its espionage traffic through a dozen compromised home routers in three different countries. Good luck tracing that.

The takeaway here is brutally simple: patch your edge devices. Routers, firewalls, VPN concentrators — if it sits on the network boundary and has a web interface, it’s a target. UAT-7810 is exploiting known vulnerabilities, some of which have had patches available for months or years. The gap between a patch being released and an organization applying it is exactly the window these groups exploit.

For more context on how these relay networks operate, check out our earlier report on the LapDogs ORB network targeting US and Asia. And if you’re responsible for network security, now might be a good time to audit your router firmware versions.

Active and Adapting

Talos’s findings are based on direct tracking of the group’s malware and servers, which they confirm remain operational. UAT-7810 isn’t slowing down. They’re adding new exploits, developing new backdoors, and expanding their network of unwitting proxies. The LapDogs network may have been exposed in 2025, but it’s far from dead.

The lesson? In cybersecurity, the infrastructure that enables attacks is often more valuable than the attacks themselves. And right now, a China-linked APT is building infrastructure at scale.

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending

Exit mobile version