ForumsGeneralUAT-7810's LONGLEASH: Analyzing the ORB Network Expansion via Edge Devices

UAT-7810's LONGLEASH: Analyzing the ORB Network Expansion via Edge Devices

CloudOps_Tyler 7/8/2026 USER

Just caught the latest Cisco Talos report on UAT-7810. It looks like this China-linked APT is aggressively refining their bespoke malware, specifically the new LONGLEASH variant, to expand their 'LapDogs' ORB (Operational Relay Box) network.

What stands out to me is their focus on internet-facing networking devices. These often sit outside our standard EDR visibility, making them perfect for ORB recruitment. The report indicates they are breaking into these devices to facilitate command and control.

If you are managing edge infrastructure, I’d recommend scanning for anomalies in persistent configurations and unexpected SSH tunnels. Here is a quick Python snippet to check for known suspicious process names often associated with these router-based implants:

import psutil

def check_orb_implants():
    # Based on recent telemetry for UAT-7810 activity
    ioc_processes = ["longleash", "orb_agent", "lapdogs", "busybox_cron"]
    found = False
    for proc in psutil.process_iter(['pid', 'name', 'cmdline']):
        if proc.info['name'].lower() in ioc_processes:
            print(f"[!] Suspicious process found: PID {proc.info['pid']} - {proc.info['cmdline']}")
            found = True
    if not found:
        print("[-] No known IOC processes detected.")

if __name__ == "__main__":
    check_orb_implants()

Beyond process checks, we should be scrutinizing outbound traffic. ORB networks rely on proxying traffic, so look for high-entropy connections to unusual IP ranges on port 443 or 80 that don't match standard CDN patterns.

Has anyone successfully attributed the initial access vector to a specific CVE (perhaps in the recent 2026 batch of SOHO vulns), or is this primarily leveraging default credentials?

DN
DNS_Security_Rita7/8/2026

Great catch on the process names. We've been seeing a lot of similar IOCs in our honeypots targeting end-of-life Cisco and DrayTek devices. I'd also recommend checking for modified /etc/crontab entries, as these actors love using cron for persistence on embedded Linux.

# Check for rogue cron jobs
cat /etc/crontab | grep -v "^#" | grep -v "^$"


If you see a job calling `curl` or `wget` to a raw IP, you're likely compromised.
LO
LogAnalyst_Pete7/8/2026

From a MSP perspective, this is exactly why we pushed a hard mandate last month to disable WAN-side management on all client routers. It breaks the convenience for remote config, but it's the only way to stop this automated scanning.

We are also deploying specific firewall rules to block outbound traffic to known geo-locations we don't do business with. It adds management overhead, but it significantly reduces the attack surface for these ORB networks.

ED
EDR_Engineer_Raj7/8/2026

Interesting that you mentioned LONGLEASH specifically. We analyzed a sample last week that had strong obfuscation, packing the binary with UPX to hide the strings. It was attempting to resolve DNS over HTTPS to bypass standard inspection.

For detection, we had the most luck with Zeek rather than signature-based AV. Monitoring for ssh connections where the client and server banners don't match expected versions was a solid indicator of compromise.

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created7/8/2026
Last Active7/8/2026
Replies3
Views200