Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1810+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware
China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware
NEWS

China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware

Cisco Talos researchers have identified new LONGLEASH malware deployed by Chinese APT group UAT-7810 to expand its Operational Relay Box network, targeting internet-facing networking devices to build stealthy proxy infrastructure.

Dylan H.

News Desk

July 8, 2026
4 min read

Overview

Cisco Talos has published new research on UAT-7810, a Chinese advanced persistent threat (APT) actor that is actively refining its bespoke malware arsenal to expand its Operational Relay Box (ORB) network. The actor has deployed a newly identified malware family called LONGLEASH, which targets internet-facing networking devices to build covert proxy infrastructure used to obfuscate the origin of cyberattack traffic.

What Is an ORB Network?

An Operational Relay Box (ORB) network is a technique increasingly favored by sophisticated state-sponsored threat actors — particularly those with China nexus. Rather than connecting directly to targets from infrastructure attributable to the attacker, threat actors compromise thousands of intermediate devices (routers, firewalls, VPNs, IoT devices) to route their traffic through a rotating chain of proxies.

The advantages of ORB infrastructure include:

  • Attribution obfuscation: Traffic appears to originate from legitimate residential or business IP addresses worldwide
  • Geographic flexibility: Attackers can route through devices in specific regions to blend with expected traffic
  • Persistence: The compromised relay nodes are often forgotten by their owners and remain active for extended periods
  • Resilience: Losing individual nodes doesn't disrupt operations — the pool is continuously replenished

UAT-7810 and LONGLEASH

UAT-7810 is an established Chinese APT group that Cisco Talos has been tracking as a significant ORB operator. The group now employs LONGLEASH, a purpose-built malware specifically engineered to:

  1. Compromise internet-facing network devices: Routers, VPN concentrators, and edge networking equipment are the primary targets
  2. Establish persistent relay nodes: Infected devices are enrolled in the ORB network to relay attacker traffic
  3. Evade detection: LONGLEASH is designed to operate quietly, mimicking legitimate device behavior to avoid triggering network anomaly detection
  4. Self-update: The malware includes mechanisms to receive updated configurations and capabilities from command-and-control infrastructure

Targeted Devices

UAT-7810 and LONGLEASH focus on internet-facing network infrastructure, including:

  • Edge routers from various vendors
  • VPN appliances and gateways
  • Network-attached storage (NAS) devices
  • Other internet-accessible networking hardware

These targets are attractive because they typically run embedded operating systems with limited security visibility, receive infrequent security updates, and are rarely subjected to the same scrutiny as endpoint workstations.

Broader China ORB Network Landscape

UAT-7810 operates within a broader ecosystem of Chinese ORB networks that have come under increased scrutiny from Western security researchers and governments. Similar infrastructure has been linked to other Chinese APT groups. Key characteristics of the China-linked ORB ecosystem include:

  • Scale: Individual ORB networks may encompass tens of thousands of compromised devices
  • Operational longevity: Nodes may remain active for months or years before discovery
  • Targeting: ORB networks are used to support espionage operations against government, defense, critical infrastructure, and technology organizations
  • Shared infrastructure: Evidence suggests some ORB infrastructure is shared across multiple Chinese threat actor groups

Detection and Defense

Organizations should take the following steps to reduce exposure to ORB-based attacks and LONGLEASH compromise:

For Network Device Owners

  1. Patch aggressively: Apply vendor security updates to all internet-facing network devices immediately upon release
  2. Disable unnecessary remote management: Turn off remote access services (Telnet, HTTP management, SSH) when not needed, or restrict to known management IPs
  3. Monitor device behavior: Look for unusual outbound connections, high network throughput at odd hours, or unexpected configuration changes
  4. Reboot regularly: For some ORB malware variants, a reboot clears the infection (though persistent variants survive reboots)
  5. Replace end-of-life hardware: Devices no longer receiving security updates are perpetual vulnerabilities

For Security Teams

  1. Network traffic analysis: Detect anomalous relay behavior by analyzing traffic flows for known ORB network indicators
  2. Threat intelligence feeds: Subscribe to feeds that track known ORB network IP ranges and update blocklists regularly
  3. Zero trust architecture: Assume network perimeter devices may be compromised — enforce strong authentication for internal access even from "trusted" network segments

Geopolitical Context

The expansion of Chinese ORB networks comes amid heightened geopolitical tensions and an increasing tempo of state-sponsored cyber operations. Western intelligence agencies — including CISA, NSA, the UK's NCSC, and Canada's CSE — have issued joint advisories in recent years specifically warning about Chinese ORB network infrastructure and urging network device owners to take immediate protective action.

UAT-7810's development of LONGLEASH represents continued investment by Chinese state-affiliated actors in persistent, scalable espionage infrastructure designed to operate below the detection threshold of most organizations.

References

  • The Hacker News — China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware
  • Cisco Talos Intelligence
#Malware#Cisco#APT#China#The Hacker News#Espionage#Network Security

Related Articles

Chinese Hackers Breach REDCap Servers, Steal Medical Research Data

A China-linked espionage campaign targeted exposed REDCap servers, deploying the InfiniteRed malware to steal sensitive medical research data from a North...

4 min read

Chinese APT UNC5221 Deploys Three New Malware Families to Maintain M365 Access

Chinese espionage group UNC5221 is actively using the Brickstorm backdoor alongside two newly discovered malware families — Plenet and AgentPSD — to maintain…

4 min read

China-Aligned Groups Ramp Up Attacks: Operation Dragon Weave Hits Czech Republic and Taiwan

Security researchers at Seqrite Labs have uncovered Operation Dragon Weave, a new China-aligned cyber espionage campaign targeting government, research…

6 min read
Back to all News