China-linked APT expands ‘Leash’ backdoor toolkit
Cisco Talos reports UAT-7810 added LongLeash, DogLeash and JarLeash backdoors, targeting SOHO and Ruckus routers with MIPS, ARM and x64 payloads.
Cisco Talos researchers reported that a China-linked advanced persistent threat tracked as UAT-7810 has added three backdoor families-LongLeash, DogLeash and JarLeash-to its toolkit, linking the activity to a long-running espionage campaign Talos calls LapDogs.
The actor targets small office/home office and Ruckus routers by exploiting known vulnerabilities including CVE-2020-22653, CVE-2020-22658 and CVE-2023-25717. Talos observed payloads compiled for MIPS, ARM and x64 architectures.
Talos identified three IP addresses tied to virtual private server instances the actor used to download payloads, plus four additional servers hosting malware and shell scripts. One of the IPs also appeared in attacks against Asus AiCloud routers that Talos associates with an apparent operational relay box campaign called Operation WrtHug in November 2025. SecurityScorecard previously reported that an earlier ShortLeash backdoor infected more than 1,000 SOHO routers.
LongLeash is an evolution of ShortLeash and preserves functions for command-and-control communication, hosting a web server, managing tunnels and operating as both controller and client. Talos found LongLeash includes code from the open source Nanopb and MbedTLS libraries and can act as an intermediate server that forwards commands and data from a central C2 to other compromised peers.
DogLeash is a C-language passive backdoor typically deployed by a shell script that adds iptables rules to allow TCP traffic to the port DogLeash binds. Once active, it can run system commands, read and rename files, close its socket listener, report operating system details and execute code directly in memory based on instructions from the C2 infrastructure.
JarLeash is written in Java and is installed with a wrapper script that terminates other instances before launching a Java container to host the backdoor. The malware can present a web-based file management interface, run FTP and SFTP servers and start a netcat-style listener on a specified IP and port. Talos also observed the actor staging JarLeash on its own infrastructure for command access.
Researchers observed UAT-7810 developing a non-malicious test binary named LeashTest to validate functionality on MIPS devices. Talos noted the test binary is an indicator that the actor is actively testing MIPS builds and monitoring behavior on that platform.
Talos reported UAT-7810 provides infrastructure used by another China-linked group tracked as UAT-5918; the groups share tooling but are tracked separately. The additional backdoors and servers are part of an effort to build a distributed relay network that moves commands and data through compromised consumer and enterprise routers.




