UAT-7810 continues building ORB networks using new malware
UAT-7810, a China-nexus APT actor, continues to build Operational Relay Box (ORB) networks by exploiting n-day vulnerabilities in Ruckus and ASUS AiCloud routers. Talos identified four new malware families — LONGLEASH (an upgraded multi-protocol proxy backdoor), DOGLEASH (a passive C-based Linux backdoor), JARLEASH (a Java-based administrative backdoor), and LEASHTEST (a MIPS test binary) — deployed across MIPS, ARM, and x64 platforms. The actor uses at least four new servers to host payloads and deploy DOGLEASH via shell scripts that modify iptables rules on compromised devices.
- ip194[.]233[.]92[.]26UAT-7810 VPS server hosting DOGLEASH payloads; runs TLS server on port 99 with custom certificate fingerprint c2ab9adaba93ff094b8f3fc37d906014d870582039d276b7bd03e6fd583d8a15.
- ip217[.]15[.]160[.]247UAT-7810 VPS server hosting malicious payloads for download on ports 8088, 2222, and 99.
- ip217[.]15[.]164[.]147UAT-7810 VPS server hosting DOGLEASH payloads; also used for exploitation of ASUS AiCloud routers (CVE-2025-2492); runs TLS server on port 99 with same certificate fingerprint.
- ip95[.]182[.]100[.]231Fourth UAT-7810 server located in Hong Kong, hosting malicious payloads on port 2222; discovered via forensic analysis of compromised networking devices.
- sha2560352f3e338261d98895df4c7b7a76b296485b2290c72bce56603351d167d0601DOGLEASH backdoor variant.
- sha25603926e3da998f32ad898b640bd15cf145768f9e849e6f18d81350234254c424eDOGLEASH backdoor variant.
- sha25608701ed7975bf4f5688c2724d27ab497764200ad6f4dc53d3cc03b170378ced0DOGLEASH backdoor variant.
- sha2560a8555a71868749be8c905ed53296ce335af50a9262772b5e154ad3f9c35c2e4DOGLEASH backdoor variant.
- sha2560a8cae96e25e85c612b0736fe886f9b124ad70ec425bc2ec1a8a4135b25436baDOGLEASH backdoor variant.
- sha2560af4c52a1d13e4132a1843ce7727abcf0ddd4d1ca6a4b17cdf599ec3f355c241DOGLEASH backdoor variant.
- sha25613acadb3541e75af50e02d5be56c2238b93d8f154ce5514be1558e6ee59a1432DOGLEASH backdoor variant.
- sha2561660536f448b8b9f086ce9ea3ce4e9deefc59a76711ea53ee6d8f08fc8c1bb99DOGLEASH backdoor variant.
- sha25616971f9706d70ac4925651c7c8719b9d77aff63e4c0a618129efc32c2c46b989DOGLEASH backdoor variant.
- sha2561b5649b479fd625de5c8120873644b5eb669cc89cd504582c18e0ae350fd8823LEASHTEST binary (ELF), non-malicious test tool for MIPS platform functionality; presence on a device indicates likely compromise by UAT-7810.
- sha25620fcba222f74dd68aaeb1f0ad30cdf702a828ee164a182b30d05d600c35b72d9DOGLEASH backdoor variant.
- sha25629686c933cec1e274467e2dae264625ae6f754824bb7f550bc9c3131f625562cDOGLEASH backdoor variant.
- sha25629c7fccc6ef8cbfe4da9a169c7c74bacaea1fb515a1fddef91ab1b1522f76e4cDOGLEASH backdoor variant.
- sha2562e0e43776e2e1a37d882a1b2ebb7d337ee88950177e43831dae645a367824febDOGLEASH backdoor variant.
- sha2562ebc1b6cf543e2cb3f22d9a5b54b6676bb71dde98df7532f8791297734e44fddDOGLEASH backdoor variant.
- sha2563169a6dbcce684e2c5a2f166996b58ffa673df6e58b8edf2bdf3e66271c8c69eDOGLEASH backdoor variant.
- sha256323c3a91be60ebc3e06e942bad04899a15911cea23269e43d07829164b2ce5d4DOGLEASH backdoor variant.
- sha256324d95024fc8da5c92b5a1f4825aed5a2a91c9ca8fb6aa52abb332a4c9cf4257JARLEASH Java-based backdoor JAR package, deployed on attacker infrastructure and compromised Java-capable systems for administration (file management, FTP, SFTP, Netcat).
- sha25633c10b77e1da9f0679023d55fb3057879d15609db9c1d46ee5c3ff1240a3d052DOGLEASH backdoor variant.
- sha2563878dd5c8eba1e5b53ab2e07e7b5482e95a3fd3e98268bcd7861318bc9902376DOGLEASH backdoor variant.
- sha2563b89d183eb014e29d9d0d4e45fc2b784a7fcfcf31dd48fd3bde30f8d956383d1Configuration file for JARLEASH backdoor containing comments in Simplified Chinese.
- sha2563d296af7f29c0425655bd1cc0be48fe4aba52ee6760a89e805ca2589f4ef4d77DOGLEASH backdoor variant.
- sha2563fcaa3038e365b6ab0b121e2cd319c56b74e37381943a0da0e8dce407087cdb8DOGLEASH backdoor variant.
- sha2564130f49fa81a699a667cafdbd6d1f6e781edd686c947eb8ae27134f6dc2c43d7DOGLEASH backdoor variant.
- sha256425bf771c8c9f740b1ae9803dcb4fd45af4d6a6f171fcc72fc7d511095ca82ceDOGLEASH backdoor variant.
- sha25652b871429833e1dee348263844efb531f6a3fcd321f88dc8a876caaee912ceddDOGLEASH backdoor variant.
- sha256534a4a5bff2609a2d6e088cb87465c08c2d69c6aaa7d2ffcbcd491274b8505f1DOGLEASH backdoor variant.
- sha25653ac2b231c23d41234e55b1f7ed89f86234f785adbbe820959655d7b019d7df9DOGLEASH backdoor variant.
- sha25657bdab2ba4b05ec0338c06632599393d5b14227f31a43fe950ea8fdd47428715DOGLEASH backdoor variant.
- sha2565c3f190571645c4641dcff2c07a4c3ab9acad06aa9607350a385729d8d6139f1DOGLEASH backdoor variant.
- sha2565db2ce9acd50f96d566e8d139f6490abf2bbf7a9293b876eeb4598fd2c37c515DOGLEASH backdoor variant.
- sha2565dbfa033676b5caacfae902734ce462cd871181eefbe299250ca8ac7e139719eDOGLEASH backdoor variant.
- sha2565e225ea2648a8cba0fd94ec7fd8ce5315f5d0cc2922bafc9db3c8c41280e917cDOGLEASH backdoor variant.
- sha2565eab4c61baa67ae2838a36c2e6ff0476a8f2117b96a7027b830c8cb46ce78efcDOGLEASH backdoor variant.
- sha2565faea1650cac0f3ffd2dc1fb220182095a46e34158967d37c2a942e85e2ca97bDOGLEASH backdoor variant.
- sha256604b53f87d6c070bf387e80c70a6df8d272fa3fc143148d41f13e59d52ab1f13DOGLEASH backdoor (C-based, passive Linux backdoor that binds to a hardcoded port and executes shellcode/commands based on command codes).
- sha25662d4ec87ed21f0d15cb769b0b2a5577cab41fc2cdb1e7e796c5bdff09264dd9aDOGLEASH backdoor variant.
- sha2566366d59b573d50fd23ff650923c4a8c1c918518a02d0a56f12c23533c45f439dDOGLEASH backdoor variant.
- sha25665feba2c971c214e71303ad2e0fbf62b45ebcaa784cbf3d0dab62786cb4c0469DOGLEASH backdoor variant.
- sha25668445a37a9943a267a8b2100fba2678353d6ec88844505ccbba659e586c7a105DOGLEASH backdoor variant.
- sha2566917c0f9eafefe42e33e791b75a7e503ff8b081bc10a98449e4076787dfc6c16DOGLEASH backdoor variant.
- sha2566cda1e81667f869940401f05a55c8dea94dbdf3ceffb93b5f320a6462cfea44dDOGLEASH backdoor variant.
- sha2566dbd507ca7cecea861f9cf704b3c5c37f5bd5392886a8c2562088892b7703fa5DOGLEASH backdoor variant.
- sha256745538dea8ed9aec4466e67a9d0aecf9e7026ff16a792d1d6f306e8b67d3f34cDOGLEASH backdoor variant.
- sha256755fcee1337a252203002ecfdf673a08cfadeda8d738bef2d518a08e0626aa4fLONGLEASH backdoor (MIPS variant), upgraded version of SHORTLEASH with multi-protocol proxying and intermediate C2 capabilities.
- sha25676d9e2a2ff313f5b91cc67aab1127122baee1c3efbae1087e58a25bc5f1eb065DOGLEASH backdoor variant.
- sha2568459ff264a2c81c68a34c4ee6bc109d141ad28b96037d34ff112322a4c853739DOGLEASH backdoor variant.
- sha256880425fee707e9f42e0b8d60119ed639b1ad506ea29877d126bdebce379cd229DOGLEASH backdoor variant.
- sha25689f0a67bc595ab8bce02c2f95f9292ad06e1868207e809c76bd16f0cab800c06DOGLEASH backdoor variant.
- sha2568c104da0e66ef6384663309aaf8fb49f549f2785d835eec620b265f8aa11d9f0DOGLEASH backdoor variant.
- sha256912adea5339c73cb4a777a3e9f98bf3cb08da6622c9dd3b4cc9b083cb03d10a2DOGLEASH backdoor variant.
- sha2569a927c37a31b80975c5c5467f112b61478c9493c046281046443525358a5acb0DOGLEASH backdoor variant.
- sha2569b9e0e5a1eb469b8d20dc23351e08ff5d5731e1cedce0ddee9bbd00a76217f13DOGLEASH backdoor variant.
- sha2569d52cb4febf3342c34dcc8198dcaf453458be3699ab47dc08616aa7f18daa7faDOGLEASH backdoor variant.
- sha256ac8eae94d27122f4751bc96d9ea52d30000b7ca37569a2291b2710824ca3396fDOGLEASH backdoor variant.
- sha256b5969636eec376ad6c3ece2202b1722219955638e09b6f96d4cfc0598d3b1890DOGLEASH backdoor variant.
- sha256b8d247fd1fb85d24a17afeec3815906dfbcdc5359647910b4a153900ec999a0fDOGLEASH backdoor variant.
- sha256b9fe48bda9a6c8787981a24f8bbc723a6f6aa80cab5fa53481937382f3c6ce85DOGLEASH backdoor variant.
- sha256bafba443170e54ef7fd431ce7f1b5e202719f3fd022e4ef70788904f574d2cdfJARLEASH Java-based backdoor (second hash variant).
- sha256bf70c6f3a8e913f526ec57eeec50e1306f7b34b037915b7a1cf2968cc46acc58DOGLEASH backdoor variant.
- sha256c494c878e28284539419612616d964ab9224cbe27e57f42293d91d02d684e3dbDOGLEASH backdoor variant.
- sha256c7c9bfa9ffcd8fb6a2afe656f510c406ddc58ebff48ce1d0fd3fad951b46a36eDOGLEASH backdoor variant.
- sha256c92541f273eeb576d39235d0a5c6f18f2574b132a1022598edfa38065783ab98DOGLEASH backdoor variant.
- sha256d1f963b88672f3676a7da1580262ba0d4f367cc57a94b551754c20f77a670c43DOGLEASH backdoor variant.
- sha256d4861088161fc72b9922abf933b4ea664a807105ec1eab4a173253aa60bfe6d7DOGLEASH backdoor variant.
- sha256d5cf7315186a78ab6a7475c338bdf101bc6461930aaa7a012a02cf93f347c207DOGLEASH backdoor variant.
- sha256d81201d0fc19977e51104438a5b9cba861f4da20cea3ae9183edf16ab11d98f8DOGLEASH backdoor variant.
- sha256d871d76171504597bbda387689e12e7a5e354c360ff135f4df231cec68c761afDOGLEASH backdoor variant.
- sha256d973ad5a80c3d7468a9c392db4166857ed32b5d61cd6755766ba8922156dada3DOGLEASH backdoor variant.
- sha256dc4f25b2247cfdd6fc96848db30a178baa4419a4c854e86e315b465836102d14DOGLEASH backdoor variant.
- sha256dd0fc1a88180fde8367bec7086f99294f36b8332f12994293139ed532d2ebbacDOGLEASH backdoor variant.
- sha256e5d2de8ae98579bfb940290f60e59a502b3065345aaf765456387989c0488b20DOGLEASH backdoor variant.
- sha256e799d72929d7ccc7f6b6109742b8cc482838303207efc989543b6e1ca6d16e9cStartup script for JARLEASH backdoor; kills existing instances and spawns Java container with Spring configuration.
- sha256f235d2e044c2f7814e6bbcd835b9fd9f10f227dacfb9396185ec2013e7df4db4DOGLEASH backdoor variant.
- sha256f3fbf4481f30fd840f35568746f54be49eb92b2c9ac95597a7760abb171cb54bDOGLEASH backdoor variant.
- sha256f5a57dfae488d9dfe260b32460a1d947fb5af58ceaf2fb0139bc08b4bb79a966DOGLEASH backdoor variant.
- urlhxxp://194[.]233[.]92[.]26:2222/Payload download URL on UAT-7810 VPS server.
- urlhxxp://194[.]233[.]92[.]26:8088/Payload download URL on UAT-7810 VPS server.
- urlhxxp://217[.]15[.]160[.]247:2222/Payload download URL on UAT-7810 VPS server.
- urlhxxp://217[.]15[.]160[.]247:8088/Payload download URL on UAT-7810 VPS server.
- urlhxxp://217[.]15[.]160[.]247:99/TLS server URL on UAT-7810 VPS server with custom certificate.
- urlhxxp://217[.]15[.]164[.]147:2222/Payload download URL on UAT-7810 VPS server.
- urlhxxp://217[.]15[.]164[.]147:8088/Payload download URL on UAT-7810 VPS server.
- urlhxxp://217[.]15[.]164[.]147:99/TLS server URL on UAT-7810 VPS server with custom certificate.
- urlhxxp://95[.]182[.]100[.]231:2222/Payload download URL on UAT-7810 Hong Kong server.
Detection / Hunteropenrouter
What Happened
A sophisticated hacking group tracked as UAT-7810, believed to be based in China, is compromising internet routers and networking equipment to build a network of relay points. These relay points (called an ORB network) can then be used by other hacking groups to launch attacks while hiding their true location. The group exploits known security flaws in Ruckus and ASUS routers that have not been patched, then installs custom malicious software on the compromised devices. This software allows them to remotely control the devices, route traffic through them, and manage files. Organizations using affected router models should ensure they have applied all available security updates and monitor for unusual network traffic originating from their networking devices.
Key Takeaways
- UAT-7810 is a China-nexus APT actor building Operational Relay Box (ORB) networks using compromised networking devices, primarily Ruckus wireless routers and ASUS AiCloud routers.
- Four malware families disclosed: LONGLEASH (updated SHORTLEASH backdoor with proxying and intermediate C2 capabilities), DOGLEASH (passive C-based Linux backdoor), JARLEASH (Java-based administrative backdoor with FTP/SFTP/Netcat), and LEASHTEST (MIPS functionality test binary).
- UAT-7810 exploits known n-day vulnerabilities: CVE-2020-22653, CVE-2020-22658, CVE-2023-25717 in Ruckus routers, and CVE-2025-2492 in ASUS AiCloud routers.
- LONGLEASH uses a hardcoded Chrome 122 User-Agent string and internally named 'ff-agent' with project name 'nz1.0', supporting multiple proxy protocols (HTTP, DNS, SOCKS, TCP, ICMP, UDP) and self-destruct capability upon detecting tampering.
- JARLEASH configuration files contain comments in Simplified Chinese, supporting the assessment that operators are Chinese-speaking.
Affected Systems
- Ruckus wireless routers (vulnerable to CVE-2020-22653, CVE-2020-22658, CVE-2023-25717)
- ASUS AiCloud routers (vulnerable to CVE-2025-2492)
- MIPS-based embedded/IoT devices
- ARM-based embedded devices
- x64 Linux systems
- Linux systems with Java runtime environment
Vulnerabilities (CVEs)
| CVE | Product | Severity | Description |
|---|---|---|---|
| CVE-2020-22653 | Ruckus wireless routers | Known vulnerability in Ruckus wireless routers exploited by UAT-7810 for initial compromise of networking devices. | |
| CVE-2020-22658 | Ruckus wireless routers | Known vulnerability in Ruckus wireless routers exploited by UAT-7810 for initial compromise of networking devices. | |
| CVE-2023-25717 | Ruckus wireless routers | Known vulnerability in Ruckus wireless routers exploited by UAT-7810 for initial compromise of networking devices. | |
| CVE-2025-2492 | ASUS AiCloud routers | Vulnerability in ASUS AiCloud routers exploited using UAT-7810 infrastructure to expand the ORB network. |
Attack Chain
- Initial Access: UAT-7810 exploits n-day vulnerabilities (CVE-2020-22653, CVE-2020-22658, CVE-2023-25717) in unpatched Ruckus wireless routers, and CVE-2025-2492 in ASUS AiCloud routers to compromise networking devices.
- Execution: Shell scripts are deployed on compromised devices to download DOGLEASH from attacker-controlled VPS servers (194.233.92.26, 217.15.160.247, 217.15.164.147, 95.182.100.231) using ter_wget into /tmp/.
- Persistence and Defense Evasion: iptables rules are added to allow TCP traffic to DOGLEASH's hardcoded listening port; the deployment script self-deletes after execution.
- Command and Control: DOGLEASH passively listens on a local port for incoming TCP connections, decoding data with a hardcoded password; LONGLEASH actively contacts C2 and can act as an intermediate C2 server, proxying traffic via HTTP, DNS, SOCKS, TCP, ICMP, and UDP.
- Lateral Movement and Proxying: Compromised devices become ORB nodes, routing traffic for secondary threat actors (e.g., UAT-5918) through the LapDogs ORB network.
- Administration: JARLEASH is deployed on attacker infrastructure and Java-capable compromised systems for file management, FTP/SFTP, and Netcat access.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: Yes
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Snort, ClamAV
Snort SIDs 66433, 66432, 66430, 66431, and 301493 are available for network detection. ClamAV signatures (Unix.Backdoor.Agent-10059997-1, Unix.Backdoor.Agent-10059998-0, Unix.Backdoor.Agent-10059999-0, Java.Backdoor.Agent-10060000-0, and multiple platform-specific variants) are available for malware detection.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Low | Most compromised devices are networking equipment (Ruckus routers, ASUS AiCloud routers, MIPS/ARM embedded devices) that typically do not run EDR agents. JARLEASH on Java-capable Linux systems may be visible if EDR is deployed on those hosts. |
| Network Visibility | High | The attack involves HTTP downloads from known IPs, TLS on port 99 with a distinctive certificate (all 'exploit' subject DN fields), and multiple proxy protocols (HTTP, DNS, SOCKS, TCP, ICMP, UDP) that generate detectable network traffic patterns. |
| Detection Difficulty | Moderate | Network indicators (IPs, URLs, TLS fingerprint) are well-documented and Snort rules are available. However, the embedded device targeting means traditional endpoint detection is limited, and the LONGLEASH User-Agent mimics legitimate Chrome traffic, requiring deeper inspection. |
Required Log Sources
- Network firewall logs (outbound connections to known UAT-7810 IPs)
- NetFlow/PCAP data (traffic to ports 99, 2222, 8088 on attacker IPs)
- TLS certificate logs (fingerprint c2ab9adaba93ff094b8f3fc37d906014d870582039d276b7bd03e6fd583d8a15)
- Router/switch syslog (iptables rule modifications, process execution on network devices)
- DNS logs (LONGLEASH DNS proxy activity)
- Proxy/IDS logs (Snort SID alerts)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for outbound connections from networking devices or internal IPs to the known UAT-7810 server IPs on ports 99, 2222, or 8088, which would indicate payload download or C2 communication. | Firewall logs, NetFlow data, proxy logs | Initial Access / Execution | Low — these are non-standard ports and the IPs are identified as attacker infrastructure. |
| Consider hunting for TLS connections using the certificate fingerprint c2ab9adaba93ff094b8f3fc37d906014d870582039d276b7bd03e6fd583d8a15 or certificates with subject DN fields all set to 'exploit', which would indicate UAT-7810 infrastructure. | TLS inspection logs, Zeek SSL logs, network IDS | Command and Control | Very Low — the certificate subject DN is highly distinctive and unlikely to appear in legitimate traffic. |
| Consider hunting for iptables rule additions on Linux/networking devices that open arbitrary TCP ports via INPUT and PREROUTING chains, which may indicate DOGLEASH deployment. | Host-based logs, configuration management logs, network device syslog | Persistence | Medium — legitimate firewall rule changes may generate similar events; correlate with other indicators. |
| Consider hunting for Java processes launched with Spring configuration files via nohup on Linux systems, particularly with -Xms1g -Xmx1g flags, which may indicate JARLEASH deployment. | EDR process telemetry, auditd logs, bash history | Persistence / Execution | Medium — legitimate Spring Boot applications use similar launch patterns; focus on unusual file paths or configurations. |
| Consider hunting for the specific Chrome 122 User-Agent string originating from non-Windows devices (especially MIPS/ARM networking equipment), as LONGLEASH hardcodes this UA to mimic Windows Chrome traffic. | Web proxy logs, HTTP headers from network traffic analysis | Command and Control | Low to Medium — a Windows Chrome UA from a Linux-based router is anomalous, but some legitimate management interfaces may use hardcoded UAs. |
Control Gaps
- Traditional EDR coverage on embedded/networking devices (MIPS, ARM) is typically non-existent, allowing DOGLEASH and LONGLEASH to operate undetected on routers and IoT devices.
- Network devices often lack centralized logging and configuration monitoring, making iptables modifications and process execution difficult to detect.
- The ORB network architecture means traffic may appear to originate from legitimate residential or enterprise IP addresses, complicating IP-based blocking.
- LONGLEASH's multi-protocol proxying (DNS, ICMP, UDP) can bypass port-based firewall rules that only inspect standard web traffic.
Key Behavioral Indicators
- Process execution of /bin/sh -c from a process listening on a non-standard local port (DOGLEASH behavior)
- iptables INPUT and PREROUTING rule additions opening arbitrary TCP ports on networking devices
- ter_wget binary usage to download files to /tmp/ on embedded Linux devices
- Java process with Spring configuration launched via nohup with 1GB heap flags (JARLEASH)
- TLS certificate with subject DN fields all set to 'exploit' on port 99
- Chrome 122 User-Agent string originating from Linux-based networking devices
- Binary named 'ff-agent' or project artifacts named 'nz1.0' or 'iot-test' on MIPS devices
False Positive Assessment
Low — the TLS certificate with all 'exploit' subject DN fields is highly distinctive, the IPs are identified as dedicated attacker infrastructure, and the malware hashes are specific to custom UAT-7810 tooling. The main false positive risk is from the Chrome 122 User-Agent string, which is common in legitimate traffic but anomalous when originating from Linux-based networking devices.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider blocking the four identified UAT-7810 IP addresses (194.233.92.26, 217.15.160.247, 217.15.164.147, 95.182.100.231) at perimeter firewalls and proxy gateways.
- If applicable to your environment, consider deploying the referenced Snort SIDs (66433, 66432, 66430, 66431, 301493) and ClamAV signatures on network intrusion prevention and malware defense systems.
- Consider scanning network device inventories for the listed SHA256 hashes of DOGLEASH, LONGLEASH, JARLEASH, and LEASHTEST binaries, particularly on MIPS, ARM, and x64 Linux platforms.
- If you have network flow visibility, consider hunting for historical connections to the identified IPs on ports 99, 2222, and 8088 to identify potentially compromised devices.
Infrastructure Hardening
- Evaluate whether Ruckus wireless routers in your environment are patched against CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717, and apply vendor updates where available.
- Evaluate whether ASUS AiCloud routers in your environment are patched against CVE-2025-2492, and apply vendor updates where available.
- Consider implementing network segmentation to isolate management interfaces of networking equipment from general network traffic.
- Where supported by your device management platform, consider enabling centralized syslog collection from routers and switches to detect configuration changes and unusual process execution.
- Consider implementing egress filtering to restrict outbound connections from networking devices to only required management destinations.
User Protection
- If your organization manages Ruckus or ASUS networking equipment, consider verifying firmware versions and applying security patches as a priority.
- Consider monitoring for unauthorized binaries in /tmp/ on Linux-based networking and IoT devices, as this is the deployment path for DOGLEASH.
- If Java is available on any Linux systems in your environment, consider monitoring for unexpected JAR executions with Spring configuration files.
Security Awareness
- Consider incorporating information about router/IoT firmware patching into existing security awareness programs, emphasizing that networking equipment is a high-value target for APT actors.
- If your organization has a network operations team, consider sharing the identified IOCs and CVE list with them to ensure they are aware of the threat to managed network devices.
- Consider adding the UAT-7810 threat profile and associated indicators to existing threat intelligence briefings for security operations and network operations staff.
MITRE ATT&CK Mapping
Initial Access
Execution
Defense Evasion
Command and Control
Additional IOCs
- Urls:
hxxp://217[.]15[.]160[.]247:8088/- Payload download URL on UAT-7810 VPS server.hxxp://217[.]15[.]160[.]247:2222/- Payload download URL on UAT-7810 VPS server.hxxp://217[.]15[.]160[.]247:99/- TLS server URL on UAT-7810 VPS server with custom certificate.hxxp://194[.]233[.]92[.]26:8088/- Payload download URL on UAT-7810 VPS server.hxxp://194[.]233[.]92[.]26:2222/- Payload download URL on UAT-7810 VPS server.hxxp://217[.]15[.]164[.]147:99/- TLS server URL on UAT-7810 VPS server with custom certificate.hxxp://217[.]15[.]164[.]147:8088/- Payload download URL on UAT-7810 VPS server.hxxp://217[.]15[.]164[.]147:2222/- Payload download URL on UAT-7810 VPS server.hxxp://95[.]182[.]100[.]231:2222/- Payload download URL on UAT-7810 Hong Kong server.
- File Hashes:
bafba443170e54ef7fd431ce7f1b5e202719f3fd022e4ef70788904f574d2cdf(SHA256) - JARLEASH Java-based backdoor (second hash variant).c92541f273eeb576d39235d0a5c6f18f2574b132a1022598edfa38065783ab98(SHA256) - DOGLEASH backdoor variant.29c7fccc6ef8cbfe4da9a169c7c74bacaea1fb515a1fddef91ab1b1522f76e4c(SHA256) - DOGLEASH backdoor variant.425bf771c8c9f740b1ae9803dcb4fd45af4d6a6f171fcc72fc7d511095ca82ce(SHA256) - DOGLEASH backdoor variant.ac8eae94d27122f4751bc96d9ea52d30000b7ca37569a2291b2710824ca3396f(SHA256) - DOGLEASH backdoor variant.dc4f25b2247cfdd6fc96848db30a178baa4419a4c854e86e315b465836102d14(SHA256) - DOGLEASH backdoor variant.3878dd5c8eba1e5b53ab2e07e7b5482e95a3fd3e98268bcd7861318bc9902376(SHA256) - DOGLEASH backdoor variant.9b9e0e5a1eb469b8d20dc23351e08ff5d5731e1cedce0ddee9bbd00a76217f13(SHA256) - DOGLEASH backdoor variant.57bdab2ba4b05ec0338c06632599393d5b14227f31a43fe950ea8fdd47428715(SHA256) - DOGLEASH backdoor variant.b8d247fd1fb85d24a17afeec3815906dfbcdc5359647910b4a153900ec999a0f(SHA256) - DOGLEASH backdoor variant.5e225ea2648a8cba0fd94ec7fd8ce5315f5d0cc2922bafc9db3c8c41280e917c(SHA256) - DOGLEASH backdoor variant.d5cf7315186a78ab6a7475c338bdf101bc6461930aaa7a012a02cf93f347c207(SHA256) - DOGLEASH backdoor variant.dd0fc1a88180fde8367bec7086f99294f36b8332f12994293139ed532d2ebbac(SHA256) - DOGLEASH backdoor variant.5c3f190571645c4641dcff2c07a4c3ab9acad06aa9607350a385729d8d6139f1(SHA256) - DOGLEASH backdoor variant.323c3a91be60ebc3e06e942bad04899a15911cea23269e43d07829164b2ce5d4(SHA256) - DOGLEASH backdoor variant.880425fee707e9f42e0b8d60119ed639b1ad506ea29877d126bdebce379cd229(SHA256) - DOGLEASH backdoor variant.e5d2de8ae98579bfb940290f60e59a502b3065345aaf765456387989c0488b20(SHA256) - DOGLEASH backdoor variant.2e0e43776e2e1a37d882a1b2ebb7d337ee88950177e43831dae645a367824feb(SHA256) - DOGLEASH backdoor variant.b5969636eec376ad6c3ece2202b1722219955638e09b6f96d4cfc0598d3b1890(SHA256) - DOGLEASH backdoor variant.1660536f448b8b9f086ce9ea3ce4e9deefc59a76711ea53ee6d8f08fc8c1bb99(SHA256) - DOGLEASH backdoor variant.65feba2c971c214e71303ad2e0fbf62b45ebcaa784cbf3d0dab62786cb4c0469(SHA256) - DOGLEASH backdoor variant.53ac2b231c23d41234e55b1f7ed89f86234f785adbbe820959655d7b019d7df9(SHA256) - DOGLEASH backdoor variant.33c10b77e1da9f0679023d55fb3057879d15609db9c1d46ee5c3ff1240a3d052(SHA256) - DOGLEASH backdoor variant.5faea1650cac0f3ffd2dc1fb220182095a46e34158967d37c2a942e85e2ca97b(SHA256) - DOGLEASH backdoor variant.62d4ec87ed21f0d15cb769b0b2a5577cab41fc2cdb1e7e796c5bdff09264dd9a(SHA256) - DOGLEASH backdoor variant.534a4a5bff2609a2d6e088cb87465c08c2d69c6aaa7d2ffcbcd491274b8505f1(SHA256) - DOGLEASH backdoor variant.5eab4c61baa67ae2838a36c2e6ff0476a8f2117b96a7027b830c8cb46ce78efc(SHA256) - DOGLEASH backdoor variant.0af4c52a1d13e4132a1843ce7727abcf0ddd4d1ca6a4b17cdf599ec3f355c241(SHA256) - DOGLEASH backdoor variant.d4861088161fc72b9922abf933b4ea664a807105ec1eab4a173253aa60bfe6d7(SHA256) - DOGLEASH backdoor variant.3d296af7f29c0425655bd1cc0be48fe4aba52ee6760a89e805ca2589f4ef4d77(SHA256) - DOGLEASH backdoor variant.f235d2e044c2f7814e6bbcd835b9fd9f10f227dacfb9396185ec2013e7df4db4(SHA256) - DOGLEASH backdoor variant.4130f49fa81a699a667cafdbd6d1f6e781edd686c947eb8ae27134f6dc2c43d7(SHA256) - DOGLEASH backdoor variant.0a8555a71868749be8c905ed53296ce335af50a9262772b5e154ad3f9c35c2e4(SHA256) - DOGLEASH backdoor variant.5dbfa033676b5caacfae902734ce462cd871181eefbe299250ca8ac7e139719e(SHA256) - DOGLEASH backdoor variant.20fcba222f74dd68aaeb1f0ad30cdf702a828ee164a182b30d05d600c35b72d9(SHA256) - DOGLEASH backdoor variant.912adea5339c73cb4a777a3e9f98bf3cb08da6622c9dd3b4cc9b083cb03d10a2(SHA256) - DOGLEASH backdoor variant.03926e3da998f32ad898b640bd15cf145768f9e849e6f18d81350234254c424e(SHA256) - DOGLEASH backdoor variant.16971f9706d70ac4925651c7c8719b9d77aff63e4c0a618129efc32c2c46b989(SHA256) - DOGLEASH backdoor variant.6917c0f9eafefe42e33e791b75a7e503ff8b081bc10a98449e4076787dfc6c16(SHA256) - DOGLEASH backdoor variant.c7c9bfa9ffcd8fb6a2afe656f510c406ddc58ebff48ce1d0fd3fad951b46a36e(SHA256) - DOGLEASH backdoor variant.b9fe48bda9a6c8787981a24f8bbc723a6f6aa80cab5fa53481937382f3c6ce85(SHA256) - DOGLEASH backdoor variant.f3fbf4481f30fd840f35568746f54be49eb92b2c9ac95597a7760abb171cb54b(SHA256) - DOGLEASH backdoor variant.6366d59b573d50fd23ff650923c4a8c1c918518a02d0a56f12c23533c45f439d(SHA256) - DOGLEASH backdoor variant.3fcaa3038e365b6ab0b121e2cd319c56b74e37381943a0da0e8dce407087cdb8(SHA256) - DOGLEASH backdoor variant.bf70c6f3a8e913f526ec57eeec50e1306f7b34b037915b7a1cf2968cc46acc58(SHA256) - DOGLEASH backdoor variant.0352f3e338261d98895df4c7b7a76b296485b2290c72bce56603351d167d0601(SHA256) - DOGLEASH backdoor variant.52b871429833e1dee348263844efb531f6a3fcd321f88dc8a876caaee912cedd(SHA256) - DOGLEASH backdoor variant.5db2ce9acd50f96d566e8d139f6490abf2bbf7a9293b876eeb4598fd2c37c515(SHA256) - DOGLEASH backdoor variant.3169a6dbcce684e2c5a2f166996b58ffa673df6e58b8edf2bdf3e66271c8c69e(SHA256) - DOGLEASH backdoor variant.d871d76171504597bbda387689e12e7a5e354c360ff135f4df231cec68c761af(SHA256) - DOGLEASH backdoor variant.d1f963b88672f3676a7da1580262ba0d4f367cc57a94b551754c20f77a670c43(SHA256) - DOGLEASH backdoor variant.76d9e2a2ff313f5b91cc67aab1127122baee1c3efbae1087e58a25bc5f1eb065(SHA256) - DOGLEASH backdoor variant.8c104da0e66ef6384663309aaf8fb49f549f2785d835eec620b265f8aa11d9f0(SHA256) - DOGLEASH backdoor variant.c494c878e28284539419612616d964ab9224cbe27e57f42293d91d02d684e3db(SHA256) - DOGLEASH backdoor variant.08701ed7975bf4f5688c2724d27ab497764200ad6f4dc53d3cc03b170378ced0(SHA256) - DOGLEASH backdoor variant.0a8cae96e25e85c612b0736fe886f9b124ad70ec425bc2ec1a8a4135b25436ba(SHA256) - DOGLEASH backdoor variant.8459ff264a2c81c68a34c4ee6bc109d141ad28b96037d34ff112322a4c853739(SHA256) - DOGLEASH backdoor variant.68445a37a9943a267a8b2100fba2678353d6ec88844505ccbba659e586c7a105(SHA256) - DOGLEASH backdoor variant.29686c933cec1e274467e2dae264625ae6f754824bb7f550bc9c3131f625562c(SHA256) - DOGLEASH backdoor variant.d973ad5a80c3d7468a9c392db4166857ed32b5d61cd6755766ba8922156dada3(SHA256) - DOGLEASH backdoor variant.f5a57dfae488d9dfe260b32460a1d947fb5af58ceaf2fb0139bc08b4bb79a966(SHA256) - DOGLEASH backdoor variant.2ebc1b6cf543e2cb3f22d9a5b54b6676bb71dde98df7532f8791297734e44fdd(SHA256) - DOGLEASH backdoor variant.6dbd507ca7cecea861f9cf704b3c5c37f5bd5392886a8c2562088892b7703fa5(SHA256) - DOGLEASH backdoor variant.89f0a67bc595ab8bce02c2f95f9292ad06e1868207e809c76bd16f0cab800c06(SHA256) - DOGLEASH backdoor variant.d81201d0fc19977e51104438a5b9cba861f4da20cea3ae9183edf16ab11d98f8(SHA256) - DOGLEASH backdoor variant.9d52cb4febf3342c34dcc8198dcaf453458be3699ab47dc08616aa7f18daa7fa(SHA256) - DOGLEASH backdoor variant.9a927c37a31b80975c5c5467f112b61478c9493c046281046443525358a5acb0(SHA256) - DOGLEASH backdoor variant.6cda1e81667f869940401f05a55c8dea94dbdf3ceffb93b5f320a6462cfea44d(SHA256) - DOGLEASH backdoor variant.745538dea8ed9aec4466e67a9d0aecf9e7026ff16a792d1d6f306e8b67d3f34c(SHA256) - DOGLEASH backdoor variant.13acadb3541e75af50e02d5be56c2238b93d8f154ce5514be1558e6ee59a1432(SHA256) - DOGLEASH backdoor variant.
- File Paths:
/tmp/- Temporary directory where DOGLEASH is downloaded and executed on compromised Linux/networking devices.
- Command Lines:
- Purpose: Download, execute, and clean up DOGLEASH backdoor on compromised networking device | Tools:
ter_wget,chmod,iptables,rm| Stage: Execution and Persistence - Purpose: Kill existing JARLEASH instance and restart Java backdoor with Spring configuration | Tools:
java,nohup,kill| Stage: Persistence and Execution
- Purpose: Download, execute, and clean up DOGLEASH backdoor on compromised networking device | Tools:
- Other:
c2ab9adaba93ff094b8f3fc37d906014d870582039d276b7bd03e6fd583d8a15- TLS certificate fingerprint on port 99 of UAT-7810 servers (194.233.92.26 and 217.15.164.147); subject DN contains all 'exploit' fields.Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36- Hardcoded User-Agent string used by LONGLEASH backdoor to mimic Windows Chrome 122 traffic.