Back to Intelligence

LONGLEASH Malware and UAT-7810 ORB Network Expansion — Detection and Hardening Guide

SA
Security Arsenal Team
July 8, 2026
6 min read

The threat landscape for infrastructure continues to evolve in 2026. According to new intelligence from Cisco Talos, the China-aligned threat actor UAT-7810 is actively refining its operational security by expanding its Operational Relay Box (ORB) network. This campaign, targeting internet-facing networking devices, utilizes a bespoke malware strain dubbed LONGLEASH.

For defenders, this represents a critical shift. The target is no longer just the server or the workstation; it is the perimeter itself. When networking infrastructure—routers, firewalls, and gateways—is compromised to act as a relay (ORB), it provides the adversary with a robust platform to obfuscate their true origin and launch subsequent attacks. This compromises the integrity of your network traffic and undermines trust in your perimeter defenses. Immediate action is required to identify signs of LONGLEASH and harden internet-facing devices against this persistent intrusion set.

Technical Analysis

Threat Actor: UAT-7810 (China-nexus APT) Malware: LONGLEASH (Bespoke malicious software) Objective: Expansion and maintenance of the "LapDogs" ORB network.

Attack Vector and Methodology: UAT-7810 focuses on compromising internet-facing networking devices. While the specific vulnerability exploitation method (CVE) varies based on the device manufacturer, the actor's objective remains consistent: establishing a persistent presence on the device to facilitate traffic relay (ORB) capabilities.

  • Target Scope: Internet-facing networking devices (routers, edge firewalls, VPN concentrators).
  • Orchestration: The actor manages these compromised nodes via the "LapDogs" infrastructure, effectively turning victim infrastructure into proxy nodes for state-sponsored operations.
  • Malware Functionality (LONGLEASH): As a bespoke tool, LONGLEASH is designed to evade standard signature-based detection. It typically facilitates command and control (C2) and traffic relay functions. In the context of an ORB, the malware likely modifies network configurations or iptables/routing tables to pass traffic through the compromised device without alerting standard monitoring.

Exploitation Status: Cisco Talos has confirmed active exploitation in 2026. This is not theoretical; devices are currently being scanned and compromised to join the ORB network. The "LapDogs" ORB network was initially identified in June 2025 but has seen significant expansion and tool refinement (LONGLEASH) through mid-2026.

Detection & Response

Given that this threat targets the network edge, detection requires a two-pronged approach: analyzing logs forwarded from network devices (Syslog/CEF) and inspecting management jump hosts that may interact with these devices.

SIGMA Rules

YAML
---
title: Potential LONGLEASH Malware Execution on Linux-Based Infrastructure
id: 8a4b2c1d-9e6f-4a3c-8b5d-1e2f3a4b5c6d
status: experimental
description: Detects potential execution of LONGLEASH or suspicious binaries associated with ORB activity on Linux-based networking devices or management servers. Based on UAT-7810 TTPs.
references:
  - https://blog.talosintelligence.com/uat-7810-orb-network/
author: Security Arsenal
date: 2026/07/14
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection_img:
    Image|endswith:
      - '/longleash'
      - '/orb'
      - '/busybox'
  selection_cli:
    CommandLine|contains:
      - 'longleash'
      - '--relay'
      - '--proxy'
  condition: 1 of selection_*
falsepositives:
  - Legitimate administration tools with similar names (rare)
level: high
---
title: Suspicious Outbound Network Connection from Network Device (ORB Indicator)
id: 9c5d3e2f-0a7b-4c8d-9e1f-2a3b4c5d6e7f
status: experimental
description: Detects potential ORB (Operational Relay Box) activity by identifying outbound connections from network infrastructure to non-internal destinations, often on non-standard ports.
references:
  - https://blog.talosintelligence.com/uat-7810-orb-network/
author: Security Arsenal
date: 2026/07/14
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: linux
detection:
  selection:
    DestinationIp|startswith:
      - '10.'
      - '192.168.'
      - '172.16.'
    DestinationIp|startswith: null # Negating private IPs logic requires explicit filtering in some engines, here we look for public IPs from network devices
  filter:
    DestinationPort:
      - 53
      - 443
      - 22
    DestinationIp|startswith:
      - '10.'
      - '192.168.'
      - '172.16.'
  # Logic: Look for public destination IPs NOT on standard ports from infrastructure hosts
  condition: selection and not filter
falsepositives:
  - Legitimate software updates
  - NTP/Sync services
level: medium

KQL (Microsoft Sentinel / Defender)

Hunt for configuration changes or suspicious process execution on Linux-based network devices forwarding logs to Sentinel.

KQL — Microsoft Sentinel / Defender
// Hunt for LONGLEASH indicators and suspicious binary execution on Linux infrastructure
Syslog  
| where SyslogMessage contains "longleash" 
   or SyslogMessage contains "ORB" 
   or SyslogMessage contains "relay"
| project TimeGenerated, Computer, ProcessName, SyslogMessage, Facility
| extend timestamp = TimeGenerated

// Union with DeviceProcessEvents if management servers are monitored by MDE
union DeviceProcessEvents
| where ProcessName contains "longleash" 
   or ProcessName contains "orb"
   or CommandLine contains "--relay"
| project TimeGenerated, DeviceName, ProcessName, CommandLine, InitiatingProcessAccountName
| order by TimeGenerated desc

Velociraptor VQL

Use VQL to hunt for the specific malware artifacts or suspicious persistence mechanisms on Linux-based appliances.

VQL — Velociraptor
-- Hunt for LONGLEASH binaries or suspicious persistence on Linux systems
SELECT 
  FullPath, 
  Size, 
  ModTime, 
  Mode
FROM glob(globs="/*")
WHERE 
  Name =~ "longleash" 
  OR Name =~ "orb" 
  OR FullPath =~ "/tmp/.*"
  OR FullPath =~ "/var/tmp/.*"

-- Check for suspicious running processes indicative of proxy/relay activity
SELECT 
  Pid, 
  Name, 
  CommandLine, 
  Cwd, 
  Username
FROM pslist()
WHERE 
  Name =~ "longleash" 
  OR CommandLine =~ "relay" 
  OR CommandLine =~ "proxy"

Remediation Script (Bash)

This script aids in the identification of suspicious processes and basic hardening for Linux-based network appliances.

Bash / Shell
#!/bin/bash
# Remediation and Hardening Script for UAT-7810 / LONGLEASH Threat
# Run with elevated privileges on Linux-based network devices

echo "[+] Hunting for LONGLEASH related processes..."
ps aux | grep -i "longleash" | grep -v grep
ps aux | grep -E "(relay|proxy)" | grep -v grep | grep -v "systemd"

echo "[+] Checking for suspicious binaries in /tmp and /var/tmp..."
find /tmp -type f -executable -ls 2>/dev/null
find /var/tmp -type f -executable -ls 2>/dev/null

echo "[+] Auditing active network connections for non-standard ports..."
netstat -tulpen | grep -v "LISTEN" | awk '{print $4, $5}' | sort -u

echo "[+] Hardening: Ensuring unauthorized binaries are not in execution paths..."
# Note: Strictly review before killing processes
# pkill -f longleash

echo "[+] Remediation: Verify integrity of critical system files (rpm/deb verification)..."
if command -v rpm &> /dev/null; then
    rpm -Va
elif command -v dpkg &> /dev/null; then
    dpkg --verify
fi

echo "[+] Action Required: Review output above. If LONGLEASH is found, isolate the device immediately and rebuild from known-good firmware."

Remediation

  1. Immediate Isolation: If a device is suspected to be compromised with LONGLEASH, immediately disconnect it from the internet while maintaining internal connectivity if necessary for business continuity, or fully isolate it if the risk permits.

  2. Factory Reset and Firmware Re-image: The most effective remediation for a compromised networking device is a factory reset followed by a complete re-image using the latest, clean firmware from the vendor. Do not attempt to "clean" the device via manual file deletion, as malware often implants itself in non-volatile storage or boot sectors.

  3. Patch and Update: Apply the latest security patches provided by your networking hardware vendor. Since this is an active 2026 campaign, ensure your firmware version addresses vulnerabilities known to be exploited by APT groups targeting edge devices.

  4. Credential Rotation: Assume all credentials (SSH, HTTPS, SNMP, admin passwords) stored or used on the compromised device are compromised. Rotate all credentials for the device and any jump servers used to manage it.

  5. Network Segmentation: Ensure management planes of networking devices are not accessible from the internet. Restrict management access (SSH, HTTPS) to specific internal IP ranges via ACLs.

  6. Disable Unused Services: Disable Telnet, HTTP (in favor of HTTPS), and any other unused management interfaces on internet-facing devices.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionuat-7810longleash-malwareorb-networknetwork-securityapt

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.