Chinese hackers hijack unpatched routers to build a stealth relay network
A group Cisco Talos calls UAT-7810 is breaking into Ruckus and ASUS routers to hide the tracks of other China-linked spying crews.

Key points
- Cisco Talos has linked a Chinese hacking crew it calls UAT-7810 to a growing network of hijacked routers used to hide other China-aligned spies.
- The group breaks in through known, unpatched flaws in Ruckus routers and ASUS AiCloud routers, including CVE-2023-25717 and CVE-2025-2492.
- Researchers found four new pieces of malware tied to the campaign: LONGLEASH, DOGLEASH, JARLEASH and LEASHTEST.
- LONGLEASH is an upgraded backdoor that can proxy traffic, run reverse shells, and act as a middle-man command server.
- The relay network also supports UAT-5918, another China-aligned group known for targeting Taiwan.
A Chinese hacking crew is quietly turning home and office routers into a private smokescreen for other state-linked spies.
Cisco Talos, the research arm of Cisco, published new findings this week on a group it tracks as UAT-7810. The crew builds what security researchers call an Operational Relay Box network, or ORB. In plain terms, that is a web of hacked internet devices the attackers bounce their traffic through, so their activity looks like it is coming from an ordinary router in someone's office rather than from China.
The hackers do not build this network by writing clever new exploits. They walk in through the front door of routers that never got patched.
How did the hackers get in?
They used old, publicly known flaws in internet-facing routers that owners had not fixed.
Talos says UAT-7810 focuses on Ruckus routers, exploiting CVE-2020-22653, CVE-2020-22658 and CVE-2023-25717, a flaw that lets an attacker run commands on the device without logging in. The group also targets ASUS AiCloud routers through CVE-2025-2492, a bug that allows unauthenticated attackers to trigger functions they should not be able to reach.
None of these are zero-days, meaning brand new secret flaws. They are what the industry calls n-days: fixes exist, but plenty of owners never install them.
What the malware does
Once inside, the hackers drop a toolkit that Talos has now mapped in detail. First reported by BleepingComputer, the campaign centres on a backdoor called LONGLEASH.
LONGLEASH is an upgraded version of an older tool named SHORTLEASH. The new build can open a reverse shell, which is a hidden command line back to the attackers. It can also shuffle traffic through the infected router using a long list of network protocols, run as a mail server, handle encryption certificates, and wipe itself if it senses someone poking at it.
Most importantly for the ORB network, LONGLEASH can act as a middle-man command server, passing orders and stolen data between other infected devices. That is the piece that lets one hacked router quietly serve several spying operations at once.
The researchers found three other tools alongside it. DOGLEASH is a lightweight backdoor for Linux systems, dropped through web shell scripts and protected by a hardcoded password. JARLEASH is a Java-based admin panel that gives the attackers file management and file-transfer servers in the browser. LEASHTEST is a small utility the crew uses to check whether a given MIPS-based device, a common chip family in cheap routers and other internet-connected gear, can run their malware properly.
Who benefits from the relay network?
Other Chinese groups. Talos says the ORB network built by UAT-7810 is used by UAT-5918, a separate China-aligned crew known for going after organisations in Taiwan. Google's Mandiant unit documented this style of shared relay infrastructure last year, noting it makes attribution far harder because the traffic hitting a victim looks local and routine.
What ordinary users should do
If you own a Ruckus or ASUS router at home or in a small business, check the admin page for a firmware update and install it. If the device is years past support, replace it. A router that never gets patched is exactly the kind of box these groups are looking for.
Talos has published a full list of technical indicators for defenders in its report.



