Return to Threats

China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware

thehackernews.com 2026-07-08 AI supply chain High

What Happened

A Chinese threat actor tracked as UAT-7810 is actively refining its bespoke malware to expand its Operational Relay Box (ORB) network by breaking into internet-facing networking devices. According to findings from Cisco Talos, UAT-7810 is an advanced persistent threat (APT) actor that's responsible for maintaining and proliferating LapDogs, an ORB network that first came to light in June 2025.

Why It Matters

Cisco Talos reports that the China-linked APT UAT-7810 is expanding its LapDogs Operational Relay Box (ORB) network using a new malware family called LONGLEASH, an evolution of the SHORTLEASH backdoor, alongside DOGLEASH, JARLEASH, and related tooling.[1][3][6] The actor compromises internet-facing networking devices, particularly unpatched Ruckus and ASUS AiCloud routers, to build covert relay infrastructure likely used to support broader China-nexus espionage operations.[3][4][5] From a RealGround perspective, this highlights a critical AI supply chain risk: AI agents and data pipelines that depend on edge routers, VPNs, or cloud-access gateways can have their traffic proxied or manipulated through such ORB networks, undermining model integrity, telemetry, and incident-response visibility. Organizations should treat networking and IoT infrastructure as part of the AI supply chain, apply strict patching and SBOM-based vulnerability management, and monitor for ORB-like relay behavior to prevent covert access paths into AI environments.

Healthcare Fintech SaaS SMB AI startups

RealGround Analysis

This signal maps to AI supply chain. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://thehackernews.com/2026/07/china-linked-uat-7810-expands-orb.html

Talk to AI CISO