Chinese hacking group UAT-7810 has developed a new malware strain called LONGLEASH specifically designed to compromise internet-facing networking devices, according to BleepingComputer. The attackers are focusing their efforts on unpatched Ruckus wireless routers, using the malware to recruit these devices into an Operational Relay Box (ORB) network — a botnet infrastructure used for anonymizing malicious traffic.

The group's primary objective appears to be expanding the ORB network's reach, with Ruckus routers serving as the initial foothold. These devices are attractive targets due to their widespread deployment in enterprise and mesh network environments, combined with frequently delayed patching cycles. The campaign signals a shift from opportunistic scanning toward more targeted supply-chain exploitation.

Technical analysis reveals LONGLEASH establishes persistent access on affected routers, then communicates with command-and-control servers to receive further instructions. The malware likely exploits known vulnerabilities in older firmware versions, though BleepingComputer did not disclose specific CVE identifiers. Once compromised, the routers become relay nodes for routing malicious internet traffic, obscuring the source of attacks.

Mitigation remains limited to standard hygiene: administrators should immediately patch Ruckus routers to the latest firmware, disable remote management interfaces where possible, and monitor for unusual outbound connections. No vendor-specific advisory has been released addressing LONGLEASH directly. The group UAT-7810 has previously been associated with Chinese state-sponsored cyber espionage campaigns.

Attribution remains murky — while BleepingComputer links UAT-7810 to Chinese state sponsorship, independent threat intelligence firms may disagree on the group's precise affiliation. Broader implications suggest ORB networks are becoming critical infrastructure for advanced persistent threat (APT) groups seeking to evade geolocation-based detection.