Ghost Routes: How PRC-Nexus Hackers Use ORB Networks to Vanish in Plain Sight
Your firewall blocked a connection from a Vietnamese ISP. You logged it, flagged it, moved on. What you didn't see was that the actual operator sat in China, routing through a compromised Asus router in Ho Chi Minh City as a stepping stone into your network. That's the whole point. That's how Operational Relay Box (ORB) networks work. And as of this week, Cisco Talos published new research showing PRC-nexus actors are still building these networks with fresh malware and expanded targeting [1].
The July 7, 2026 Talos report tracks a group designated UAT-7810, assessed with high confidence to be a China-nexus actor that is most likely tasked with constructing ORB infrastructure for use by secondary APT groups, including UAT-5918 [1]. The group deploys an updated version of its SHORTLEASH backdoor (tracked as LONGLEASH), two new malware families (DOGLEASH and JARLEASH), and a testing utility (LEASHTEST) across MIPS, ARM, and x64 architectures, targeting everything from SOHO routers to enterprise-grade systems. This is not a static threat. It's an active, expanding operational pipeline.
What an ORB Network Actually Is
An Operational Relay Box network is a mesh of compromised or leased nodes used to proxy attacker traffic. Think of it as a VPN built from other people's hardware, without their knowledge.
These networks typically operate in two layers. The first layer consists of relay nodes: devices that accept incoming connections and forward them toward the target. The second layer consists of exit nodes that actually touch victim infrastructure. By chaining multiple hops together, the true source IP becomes nearly impossible to trace through standard forensic methods.
What separates ORB networks from simple proxy chains is scale and turnover. Mandiant's 2024 research identified ORB network operators (tracked as separate entities from the espionage actors who use them) managing networks that can be hundreds of thousands of nodes deep, with regular infrastructure rotation, where IP addresses can be cycled in as few as 31 days, to evade detection and complicate attribution [2]. The UAT-7810/UAT-5918 relationship documented by Talos follows this same pattern: one group builds and maintains the infrastructure, another group uses it for espionage operations [1].
The Low-Hanging Fruit: Edge Devices and SOHO Routers
PRC-nexus actors have clear preferences when building ORB infrastructure. The most commonly targeted device categories include:
- SOHO routers: Asus, TP-Link, Netgear, Ruckus, and MikroTik devices are frequent targets. Many run outdated firmware with known vulnerabilities and are rarely monitored by their owners.
- VPN appliances: Ivanti Connect Secure, Fortinet FortiGate, and Pulse Secure devices are known targets of PRC-nexus actors and are plausible candidates for ORB infrastructure recruitment.
- End-of-life NAS devices: NAS devices from vendors such as QNAP and Synology are plausible ORB targets given their Linux-based operating systems and frequent lack of patching, though specific targeting in ORB campaigns has not been publicly documented in open-source reporting.
- Leased VPS instances: Servers from cloud providers in jurisdictions with minimal abuse reporting add legitimacy to attacker traffic [2].
- Residential broadband modems: Traffic from a residential IP in a non-adversary country looks like a human user, not an attacker.
The Talos report from this week provides specific examples. UAT-7810 exploits known (n-day) vulnerabilities in Ruckus routers (CVE-2020-22653, CVE-2020-22658, CVE-2023-25717) and ASUS AiCloud routers (CVE-2025-2492) [1]. One infrastructure IP, 217.15.164[.]147, was linked directly to exploitation of ASUS AiCloud routers via CVE-2025-2492 in early 2026 [1]. These aren't zero-days. They're well-known bugs in devices that simply never got patched.
Beyond Routers: Why Enterprise Servers and Workstations Are the Real Prize
SOHO devices get most of the press, but they have limitations as ORB nodes. They offer low bandwidth, limited processing power, and restricted functionality. An Asus router running a stripped-down Linux kernel can proxy traffic, but it can't run complex tooling, store exfiltrated data at scale, or blend into enterprise network traffic patterns.
Enterprise servers and workstations are a different story entirely. They provide:
Higher bandwidth and reliability. A compromised Windows Server 2022 box in a data center has gigabit connectivity, redundant power, and uptime guarantees. It can handle far more concurrent proxy sessions than a consumer router, and it won't randomly reboot when its owner power-cycles their home office.
Legitimate network context. Traffic originating from an enterprise server within a target's own network, or from a compromised third-party business partner, carries far more implicit trust than traffic from a random residential IP. Security tools and analysts are less likely to flag outbound connections from a known business server to a cloud service.
Richer tooling capabilities. Enterprise systems run full operating systems with standard libraries, package managers, and development toolchains. This makes them ideal for deploying complex implants. The Talos report documents UAT-7810 deploying payloads compiled for MIPS, ARM, and x64 architectures [1]. The x64 payloads are clearly aimed at standard servers and workstations, not embedded devices.
Persistence advantages. Enterprise systems often have extensive uptime requirements, meaning compromised nodes stay online for months or years. Contrast this with a home router that might get replaced, rebooted, or firmware-updated on a whim.
Access to internal resources. A compromised enterprise server doesn't just serve as a relay. It provides lateral movement opportunities, access to internal databases, credential stores, Active Directory, and other high-value targets. A single compromised server inside a telecom provider's network can serve simultaneously as an ORB relay node and an intelligence collection point.
The likelihood that PRC-nexus actors are incorporating enterprise systems into ORB infrastructure is high, and the evidence supports this assessment. Volt Typhoon's documented pre-positioning inside U.S. critical infrastructure relied on compromised network equipment and servers within those organizations [3]. Salt Typhoon's compromise of at least nine U.S. telecommunications providers required persistent access to internal enterprise systems [4]. These aren't just intelligence collection operations. We assess that the compromised systems also likely serve as relay infrastructure for further operations.
How They Get Inside Enterprise Networks
The techniques for compromising enterprise servers and workstations for ORB recruitment follow predictable patterns:
Exploiting internet-facing services. Web servers, mail servers, VPN concentrators, and remote access portals are the initial entry points. UAT-7810's exploitation of n-day vulnerabilities in network appliances [1] extends naturally to enterprise-grade systems running unpatched software. Exchange Server, SharePoint, Confluence, and similar applications are well-documented targets of PRC-nexus actors for initial access.
Shell script-based deployment. The Talos report documents UAT-7810 deploying DOGLEASH via shell scripts that download the binary, add iptables rules to allow TCP traffic on a specific port, and execute the backdoor on the compromised device [1]. Once a foothold is established on an internet-facing system, the attacker can deploy relay software at will.
Living-off-the-land techniques. Volt Typhoon became notorious for using built-in system tools (PowerShell, WMI, netsh, certutil) to avoid detection [3]. On enterprise Windows servers, this means using native port-forwarding capabilities, scheduled tasks for persistence, and legitimate remote administration tools as proxy mechanisms. No custom malware required.
Supply chain and trusted relationship abuse. Compromising a managed service provider or IT vendor gives access to dozens or hundreds of downstream enterprise networks simultaneously. Each compromised endpoint can be recruited into the ORB mesh.
UAT-7810's Malware Arsenal
The Talos research published July 7 identifies distinct malware tools deployed by UAT-7810, each serving a specific role in ORB construction [1]:
LONGLEASH is the evolution of a prior tool called SHORTLEASH. It adds reverse shell access, multi-protocol proxying, SMTP capability, TLS/PKI support, self-removal functions, and intermediate C2 relay capability [1]. The multi-protocol proxying is significant: it means a single compromised node can relay traffic across multiple protocols, making network-level detection harder.
DOGLEASH is a lightweight C-based Linux backdoor deployed via shell scripts. On launch, it opens a listening TCP port and authenticates incoming requests using a hardcoded password. It supports shell command execution, file access, and arbitrary in-memory shellcode execution [1]. The in-memory execution capability is particularly notable for enterprise targets, as it allows deployment of secondary tooling without writing to disk.
JARLEASH is a JAR-based backdoor deployed on attacker infrastructure and compromised systems with Java available, enabling easy remote access to the system [1]. Java runs on virtually any enterprise system with a JRE installed, making this a highly portable tool for enterprise server compromise.
LEASHTEST is a testing utility used by UAT-7810 to verify functionality on compromised devices, particularly MIPS-based embedded devices. Its presence on a device is a reliable indicator of compromise [1].
Talos identified four new servers hosting payloads for MIPS, ARM, and x64 systems [1]. The x64 builds confirm that enterprise servers and workstations are explicit targets, not afterthoughts.
Known PRC-Nexus Actors Using ORB Infrastructure
Volt Typhoon remains the most publicly discussed. CISA, NSA, and FBI issued a joint advisory in February 2024 documenting Volt Typhoon's compromise of SOHO routers and use of living-off-the-land techniques to pre-position inside U.S. critical infrastructure, including electric utilities, water systems, communications providers, and transportation networks [3]. The U.S. intelligence community's working assessment is that Volt Typhoon has been building the capability to disrupt those sectors during a potential conflict over Taiwan [3].
Salt Typhoon compromised at least nine U.S. telecommunications providers [4]. We assess that the scale of that operation likely required substantial relay infrastructure to maintain persistent access without triggering geo-based alerts.
UAT-5918 is identified by Talos as a consumer of ORB infrastructure built by UAT-7810 [1]. This division of labor, where one group builds infrastructure and another conducts espionage, mirrors the contractor model Mandiant described in its 2024 ORB research [2].
IOC Table
| Type | Value | Context |
|---|---|---|
| IP | 217.15.164[.]147 |
Linked to exploitation of ASUS AiCloud routers via CVE-2025-2492 [1] |
| Malware | LONGLEASH | ORB relay/backdoor with multi-protocol proxy, TLS, SMTP [1] |
| Malware | DOGLEASH | Lightweight Linux backdoor, deployed via shell scripts [1] |
| Malware | JARLEASH | Java-based backdoor for remote system access [1] |
| Malware | LEASHTEST | Testing utility, indicator of compromise [1] |
| Malware | SHORTLEASH | Prior-generation ORB relay tool [1] |
MITRE ATT&CK Mapping
| Technique ID | Name | Context |
|---|---|---|
| T1190 | Exploit Public-Facing Application | UAT-7810 exploits n-day vulns in Ruckus and ASUS routers [1] |
| T1090 | Proxy | Core ORB function: multi-hop traffic proxying [1][2] |
| T1090.002 | Proxy: External Proxy | Relay traffic through compromised devices in third-party networks [1][2] |
| T1071 | Application Layer Protocol | LONGLEASH supports SMTP, TLS, multi-protocol comms [1] |
| T1059.004 | Command and Scripting Interpreter: Unix Shell | DOGLEASH provides shell command execution on Linux; deployment via shell scripts [1] |
| T1620 | Reflective Code Loading | DOGLEASH supports arbitrary in-memory shellcode execution [1] |
| T1082 | System Information Discovery | DOGLEASH retrieves OS info from compromised hosts [1] |
| T1105 | Ingress Tool Transfer | Payload servers host binaries for MIPS, ARM, x64; shell scripts download DOGLEASH [1] |
| T1584.008 | Compromise Infrastructure: Network Devices | Compromised routers and appliances form ORB backbone [1][3] |
Detection and Hunting with Corelight and Splunk
ORB traffic is designed to blend in. That's the whole point. But it still leaves traces if you know what to look for. Here's how to hunt for ORB-related activity using Corelight network logs and host-level telemetry in Splunk.
Network-Level Hunting (Corelight/Zeek Logs)
Unusual outbound connections to SOHO device IP ranges. Enterprise systems should rarely initiate connections to residential ISP ranges or known SOHO device management ports. In Splunk with Corelight conn logs:
index=corelight sourcetype=corelight_conn id.resp_p IN (8080, 8443, 8888, 443)
| lookup residential_ip_ranges id.resp_h OUTPUT is_residential
| where is_residential="true"
| stats count by id.orig_h, id.resp_h, id.resp_p
| where count > 10
Build or subscribe to a residential IP range feed. Frequent connections from internal hosts to residential IPs on uncommon ports warrant investigation.
Long-duration, low-bandwidth connections. ORB relay sessions often maintain persistent connections with periodic small data transfers. In Corelight conn logs:
index=corelight sourcetype=corelight_conn duration>3600 orig_bytes<100000 resp_bytes<100000
| stats count avg(duration) as avg_dur by id.orig_h, id.resp_h, id.resp_p
| where count > 5 AND avg_dur > 7200
Connections lasting hours with minimal data transfer are characteristic of proxy keep-alive sessions.
TLS connections with unusual certificate properties. LONGLEASH uses TLS/PKI [1]. Corelight's SSL/TLS logs capture certificate details. Hunt for self-signed certificates, unusual issuers, or certificates with very short or very long validity periods:
index=corelight sourcetype=corelight_ssl validation_status!="ok"
| stats count by id.orig_h, id.resp_h, server_name, issuer
| where count > 3
DNS queries to dynamic DNS providers. ORB C2 infrastructure often uses dynamic DNS for domain rotation:
index=corelight sourcetype=corelight_dns query IN ("*.ddns.net", "*.no-ip.com", "*.duckdns.org", "*.dynu.com")
| stats count by id.orig_h, query
SMTP from non-mail servers. LONGLEASH includes SMTP capability [1]. Any SMTP traffic from servers that aren't designated mail infrastructure is a red flag:
index=corelight sourcetype=corelight_conn id.resp_p=25 OR id.resp_p=587
| where NOT [| inputlookup authorized_mail_servers | fields id.orig_h]
| stats count by id.orig_h, id.resp_h
Host-Level Hunting (Sysmon, EDR, Linux Audit Logs)
Java processes launching network listeners. JARLEASH is a JAR-based backdoor that provides remote access functionality [1]. Hunt for Java processes opening listening ports on enterprise systems:
index=sysmon EventCode=3 Image="*java*" Initiated="false"
| stats count by Computer, Image, DestinationPort
| where DestinationPort NOT IN (8080, 8443, 443)
Unexpected listening TCP ports. DOGLEASH opens a listening TCP port on compromised hosts [1]. On Linux systems:
index=linux_audit type=SYSCALL syscall=bind
| stats count by hostname, exe, a1
| where exe NOT IN (known_services_list)
Shell script-based backdoor deployment. DOGLEASH is deployed via shell scripts that download the binary and add iptables rules [1]. Hunt for suspicious shell script activity, curl/wget downloads followed by iptables modifications:
index=linux_audit type=SYSCALL (exe="/bin/bash" OR exe="/bin/sh")
| search (a0="*curl*" OR a0="*wget*") AND (a0="*iptables*")
| stats count by hostname, exe, a0
Also look for unexpected iptables rule additions:
index=linux_audit type=SYSCALL exe="*iptables*"
| stats count by hostname, a0, a1
Port forwarding via native tools. Volt Typhoon's living-off-the-land approach [3] means hunting for netsh, ssh, or socat port forwarding on enterprise systems:
index=sysmon EventCode=1 (CommandLine="*netsh*portproxy*" OR CommandLine="*ssh*-L*" OR CommandLine="*ssh*-R*" OR CommandLine="*socat*TCP*")
| table _time, Computer, User, CommandLine
Analysis
The UAT-7810 research from Talos confirms a maturation pattern in PRC cyber operations. ORB construction has become a specialized function with dedicated actors and purpose-built tooling. The LEASH malware family (SHORTLEASH, LONGLEASH, DOGLEASH, JARLEASH, LEASHTEST) represents a cohesive development effort aimed at building relay capability across every major processor architecture and operating system used in network infrastructure and enterprise environments [1].
The inclusion of x64 payloads and Java-based tools is telling. These aren't designed for embedded routers. They're designed for servers and workstations. Enterprise systems offer ORB operators better bandwidth, longer uptime, richer access, and the ability to blend traffic into legitimate business communications. A compromised Exchange server relaying traffic through LONGLEASH's SMTP capability looks, at the network level, like normal email flow.
Defenders face a compounding problem. Blocking known bad IPs provides temporary relief at best when ORB operators rotate infrastructure regularly [2]. Traditional perimeter defenses are built around the assumption that the attacker's traffic originates from identifiable adversary infrastructure. ORB networks break that assumption by routing through devices and networks that belong to legitimate organizations and individuals.
Red Sheep Assessment
Confidence: High
The division of labor between UAT-7810 (infrastructure builder) and UAT-5918 (operational consumer) described by Talos [1] mirrors the broader industrialization of PRC cyber operations. This isn't a handful of APT groups independently compromising routers. It's a supply chain, with specialized teams building relay infrastructure that multiple espionage units can consume as a service.
What the sources collectively suggest but don't explicitly state: the enterprise server angle is likely underreported. Talos documents x64 payloads and Java-based tooling [1], which have no purpose on embedded routers. These tools exist because enterprise servers are already part of the ORB mesh, or are slated for inclusion. The DOGLEASH backdoor's in-memory shellcode execution capability [1] is overkill for a MIPS router but makes perfect sense on a server where defenders are running EDR and file integrity monitoring.
The contrarian view would be that enterprise systems are too high-risk for ORB operators because they're more heavily monitored, and compromise risks burning more valuable access. This argument has merit in theory, but the Volt Typhoon and Salt Typhoon operations demonstrate that PRC actors are willing to accept that risk when the target justifies it [3][4]. The more likely operational model is a tiered ORB architecture: SOHO devices and residential modems form the outer layers, enterprise servers form the inner layers closer to the target, and the most sensitive relay nodes are placed inside the target network itself.
Defenders should assume that any internet-facing server is a candidate for ORB recruitment, not just edge appliances. Patch velocity on enterprise servers matters just as much as patching your firewalls.
Defender's Checklist
- ▢[ ] Hunt for DOGLEASH-style shell script deployment by searching for suspicious shell script activity involving downloads (curl/wget) followed by iptables rule modifications and binary execution on Linux systems. Use audit logs and EDR telemetry to identify these patterns.
- ▢[ ] Audit all internet-facing servers for known n-day vulnerabilities exploited by UAT-7810, specifically CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, and CVE-2025-2492 [1]. Prioritize Ruckus and ASUS devices but extend to all edge-facing services.
- ▢[ ] Monitor for unauthorized listening ports on enterprise servers using Corelight conn logs or host audit logs. DOGLEASH and JARLEASH both open listener ports [1]. Query:
index=corelight sourcetype=corelight_conn local_orig=true id.resp_p>1024 | stats dc(id.orig_h) as unique_sources by id.resp_h, id.resp_p | where unique_sources > 5 - ▢[ ] Baseline SMTP traffic sources and alert on any SMTP connections from hosts that aren't authorized mail servers. LONGLEASH's SMTP capability [1] makes this a concrete detection opportunity.
- ▢[ ] Block or alert on
217.15.164[.]147across all perimeter controls and hunt retrospectively in DNS, proxy, and firewall logs for any prior connections to this IP [1].
References
- Cisco Talos: UAT-7810 continues building ORB networks using new malware (July 7, 2026)
- Mandiant/Google Cloud: IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders (May 22, 2024)
- CISA: PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure (Volt Typhoon) (February 2024)
- CISA: Salt Typhoon Guidance for Communications Infrastructure (December 2024)
Visual Intelligence
Timeline (4 events)
Entity Graph (18 entities, 42 relationships)
Diamond Model
Competing Hypotheses
Multiple sources offer competing assessments on key analytic questions in this report. The body above reflects the assessed primary line; alternative hypotheses and the indicators that would shift the assessment are surfaced below for analyst review.
China
Question 1.
Primary assessment. Does the downgraded Taiwan invasion timeline reduce or increase the cyber threat?
Alternative hypothesis. View A: The IC assessment that China doesn't plan a 2027 invasion suggests reduced near-term military risk. Source: [22] | View B: The briefing argues (and sources support) that below-threshold cyber and influence operations may intensify as substitutes for kinetic action. Sources: [19], [22], [17]
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 2.
Primary assessment. Is Storm-1175 a state-directed Chinese APT or a financially motivated cybercriminal group?
Alternative hypothesis. View A: The Hacker News [12] labels Storm-1175 as 'China-Linked,' implying state nexus. The briefing places it alongside state-directed infrastructure pre-positioning activities. | View B: Microsoft's primary source describes Storm-1175 as a 'financially motivated cybercriminal' actor, which is distinct from state-directed espionage groups. Web verification confirms Microsoft's characterization.
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 3.
Primary assessment. Have PLA purges degraded China's military capabilities?
Alternative hypothesis. View A: The IISS assessed the purges left the military with 'serious deficiencies in its command structure' and PLA exercises took substantially longer to implement in 2025. Sources: [28], [14] | View B: The leadership purges have 'not significantly disrupted the PLA's normal functions or operations' and the effects are temporary, with some arguing the PLA may compensate with more aggressive activity. Sources: [28]
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 4.
Primary assessment. Why did PLAAF incursions into Taiwan's ADIZ decline in early 2026?
Alternative hypothesis. View A: Beijing may be trying to avoid escalating tensions ahead of the Trump-Xi summit (diplomatic signal). Sources: [17] | View B: The decline could relate to ongoing PLA leadership purges that have had a 'paralyzing effect' on the military (operational disruption). Sources: [17], [14], [28]
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 5.
Primary assessment. How many organizations has Salt Typhoon compromised?
Alternative hypothesis. View A: Source [10] and FBI officials cite 'at least 200 companies' worldwide (August 2025 figure). | View B: The Global Cyber Alliance and Nextgov/FCW (August 2025) report that 600+ organizations were notified by the FBI of Salt Typhoon interest in their systems, across 80+ countries, suggesting a much larger scope than 200 confirmed compromises.
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 6.
Primary assessment. Will the SCOTUS IEEPA ruling lead to reduced tariffs on China?
Alternative hypothesis. View A: The ruling invalidates all IEEPA tariffs, potentially leading to lower tariff rates on Chinese goods [24]. | View B: The President immediately imposed replacement tariffs under Section 122 of the Trade Act of 1974 (confirmed via web search), with administration officials stating the goal is 'virtually unchanged tariff revenue.' The briefing's Outlook scenario that 'the ruling leads to a reduction in tariffs' may already be overtaken by events.
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 7.
Primary assessment. What is the impact of PLA purges on China's cyber capabilities?
Alternative hypothesis. View A: Purges cause 'serious deficiencies' in PLA command structure that are 'likely to be a temporary disturbance' (IISS via [17]). | View B: Red Sheep assessment suggests purges may be motivated by operational security failures related to cyber operation exposure (I-Soon, Expedition Cloud leaks), which could lead to tighter compartmentalization. Source [16] quotes Xi on disloyalty but doesn't specify cyber-related concerns.
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 8.
Primary assessment. Has Salt Typhoon been remediated from major U.S. telecom networks?
Alternative hypothesis. View A: Salt Typhoon has NOT been fully remediated: Senate expert testimony, TechCrunch reporting, and FBI officials indicate hackers are 'likely still inside U.S. networks' [9][10]. The FBI's top cyber official said threats are 'still very much ongoing' (confirmed via web search from CyberScoop, Feb 2026). | View B: Major telecoms claim remediation: AT&T stated in late 2024 it detected 'no activity by nation-state actors' and Verizon claimed to have 'contained the cyber incident' (per web search results). However, both companies have refused to provide documentation to the Senate [9].
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Hunt Guide: PRC-Nexus ORB Networks — UAT-7810, Volt Typhoon, Salt Typhoon
Attribution: Detection logic below credits its original author. Rules adapted, ported, or quoted from a public source retain that source's author (e.g. SigmaHQ / Florian Roth, Elastic, Emerging Threats, Abuse.ch, or the cited vendor/researcher). Only rules explicitly marked RedSheep Security/Stone (original) were authored in-house. If you reuse a rule, preserve its stated attribution.
Hypothesis: If PRC-nexus actors (UAT-7810, Volt Typhoon, Salt Typhoon) are leveraging Operational Relay Box (ORB) networks through our environment, we expect to observe compromised edge devices or enterprise servers acting as relay nodes, characterized by unauthorized listening ports, shell-script-based malware deployment (DOGLEASH/LONGLEASH/JARLEASH), anomalous SMTP from non-mail servers, long-duration low-bandwidth proxy sessions, and connections to known ORB infrastructure IPs in Sysmon, Linux audit logs, Corelight/Zeek network telemetry, and firewall/proxy logs.
Intelligence Summary: Cisco Talos published research on July 7, 2026 detailing UAT-7810, a PRC-nexus actor that builds Operational Relay Box (ORB) infrastructure for use by secondary espionage groups including UAT-5918. UAT-7810 deploys the LEASH malware family (LONGLEASH, DOGLEASH, JARLEASH, LEASHTEST) across MIPS, ARM, and x64 architectures, targeting SOHO routers via n-day vulnerabilities (CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, CVE-2025-2492) and enterprise servers/workstations. This ORB construction model mirrors the broader PRC cyber industrialization seen in Volt Typhoon and Salt Typhoon operations against U.S. critical infrastructure.
Confidence: High | Priority: Critical
Scope
- Networks: All internet-facing segments, DMZ, edge device subnets (routers, VPN concentrators, firewalls), enterprise server farms, critical infrastructure networks, and third-party/partner connection points. Special focus on SOHO router management networks and any segments housing Ruckus, ASUS, TP-Link, Netgear, MikroTik, Ivanti, or Fortinet devices.
- Timeframe: 90-day retrospective hunt window (April 2026 – July 2026) to cover the active exploitation period documented by Talos. Extend to 180 days for Salt Typhoon and Volt Typhoon TTP overlap. Ongoing monitoring recommended given ORB infrastructure rotation cycles of ~31 days.
- Priority Systems: 1) Internet-facing SOHO routers and VPN appliances (Ruckus, ASUS AiCloud, Ivanti, Fortinet) 2) Internet-facing enterprise servers (Exchange, SharePoint, Confluence, web servers) 3) Linux servers with Java runtime environments 4) Network boundary devices and firewalls 5) Enterprise systems in telecom, utilities, water, and transportation sectors 6) Managed service provider infrastructure 7) Any system with unpatched CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, or CVE-2025-2492
MITRE ATT&CK Techniques
T1190 — Exploit Public-Facing Application (Initial Access) [P1]
UAT-7810 exploits n-day vulnerabilities in internet-facing Ruckus routers (CVE-2020-22653, CVE-2020-22658, CVE-2023-25717) and ASUS AiCloud routers (CVE-2025-2492) to compromise devices for ORB recruitment. This extends to enterprise-grade internet-facing services (Exchange, SharePoint, Confluence, VPN appliances).
Splunk SPL:
index=firewall OR index=ids sourcetype=*firewall* OR sourcetype=suricata OR sourcetype=snort (dest_port=443 OR dest_port=8443 OR dest_port=80 OR dest_port=8080) (src_ip="217.15.164.147" OR cve="CVE-2020-22653" OR cve="CVE-2020-22658" OR cve="CVE-2023-25717" OR cve="CVE-2025-2492") | stats count by src_ip, dest_ip, dest_port, signature | sort -count
Elastic KQL:
(source.ip:"217.15.164.147" OR vulnerability.id:("CVE-2020-22653" OR "CVE-2020-22658" OR "CVE-2023-25717" OR "CVE-2025-2492")) AND (destination.port:(443 OR 8443 OR 80 OR 8080))
Sigma Rule:
title: Exploitation Attempt Against Known ORB-Targeted CVEs
id: a8f3c1d2-7e4b-4a9f-b5c6-d8e9f0a1b2c3
status: experimental
author: RedSheep Security/Stone
date: 2026/07/09
description: Detects potential exploitation attempts targeting CVEs used by UAT-7810 for ORB network construction
references:
- https://blog.talosintelligence.com/uat-7810/
logsource:
category: firewall
detection:
selection_ip:
src_ip: '217.15.164.147'
selection_cve:
signature|contains:
- 'CVE-2020-22653'
- 'CVE-2020-22658'
- 'CVE-2023-25717'
- 'CVE-2025-2492'
condition: selection_ip or selection_cve
falsepositives:
- Vulnerability scanners targeting your own infrastructure
level: high
tags:
- attack.initial_access
- attack.t1190
Attribution: RedSheep Security/Stone (original)
Focus on internet-facing Ruckus, ASUS, Ivanti, and Fortinet devices. Cross-reference with vulnerability scan results to identify unpatched assets. The IP 217.15.164.147 was directly linked to CVE-2025-2492 exploitation.
T1090 — Proxy (Command and Control) [P2]
ORB networks proxy attacker traffic through chains of compromised devices. LONGLEASH provides multi-protocol proxying capability. Compromised nodes maintain persistent connections with periodic small data transfers characteristic of proxy keep-alive sessions.
Splunk SPL:
index=corelight sourcetype=corelight_conn duration>3600 orig_bytes<100000 resp_bytes<100000 | stats count avg(duration) as avg_dur sum(orig_bytes) as total_orig sum(resp_bytes) as total_resp by id.orig_h, id.resp_h, id.resp_p | where count > 5 AND avg_dur > 7200 | sort -count | table id.orig_h, id.resp_h, id.resp_p, count, avg_dur, total_orig, total_resp
Elastic KQL:
event.dataset:"zeek.connection" AND event.duration:>3600 AND source.bytes:<100000 AND destination.bytes:<100000
Sigma Rule:
title: Long Duration Low Bandwidth Connection Indicative of ORB Proxy
id: b9a4d2e3-8f5c-4b0a-c6d7-e9f0a1b2c3d4
status: experimental
author: RedSheep Security/Stone
date: 2026/07/09
description: Detects long-duration connections with minimal data transfer that may indicate ORB proxy relay keep-alive sessions
references:
- https://blog.talosintelligence.com/uat-7810/
- https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
logsource:
category: network_connection
product: zeek
detection:
selection:
duration|gte: 7200
filter_high_bandwidth:
orig_bytes|gte: 100000
condition: selection and not filter_high_bandwidth
falsepositives:
- Legitimate long-lived connections such as monitoring or VPN tunnels
- Persistent WebSocket connections
level: medium
tags:
- attack.command_and_control
- attack.t1090
Attribution: RedSheep Security/Stone (original)
Tune thresholds based on environment. Legitimate VPN, monitoring, and WebSocket connections may trigger false positives. Consider enriching with GeoIP data to identify connections to residential ISP ranges or unusual geographies.
T1090.002 — Proxy: External Proxy (Command and Control) [P2]
ORB networks relay traffic through compromised devices in third-party networks, including SOHO routers on residential ISP ranges. Enterprise systems connecting to residential IP ranges on uncommon ports indicates potential ORB relay activity.
Splunk SPL:
index=corelight sourcetype=corelight_conn id.resp_p IN (8080, 8443, 8888, 4443, 9090, 1080, 1443) | lookup residential_ip_ranges id.resp_h OUTPUT is_residential | where is_residential="true" | stats count dc(id.resp_h) as unique_dest_ips by id.orig_h | where count > 10 | sort -count | table id.orig_h, unique_dest_ips, count
Elastic KQL:
event.dataset:"zeek.connection" AND destination.port:(8080 OR 8443 OR 8888 OR 4443 OR 9090 OR 1080 OR 1443) AND NOT destination.ip:(10.0.0.0/8 OR 172.16.0.0/12 OR 192.168.0.0/16)
Sigma Rule:
title: Enterprise Host Connecting to Residential IP on Uncommon Port
id: c0b5e3f4-9a6d-4c1b-d7e8-f0a1b2c3d4e5
status: experimental
author: RedSheep Security/Stone
date: 2026/07/09
description: Detects internal enterprise systems establishing connections to residential IP ranges on ports commonly used by ORB relay nodes
references:
- https://blog.talosintelligence.com/uat-7810/
logsource:
category: network_connection
detection:
selection:
dst_port:
- 8080
- 8443
- 8888
- 4443
- 9090
- 1080
condition: selection
falsepositives:
- Legitimate proxy connections
- Developer testing against home lab environments
level: medium
tags:
- attack.command_and_control
- attack.t1090.002
Attribution: RedSheep Security/Stone (original)
Requires a residential IP range lookup table. Subscribe to commercial IP intelligence feeds (e.g., MaxMind, IPinfo) for residential classification. High false positive rate without IP enrichment.
T1071 — Application Layer Protocol (Command and Control) [P1]
LONGLEASH supports multi-protocol communications including SMTP and TLS. Using SMTP from non-mail servers allows ORB traffic to blend with legitimate email flow. This is a concrete detection opportunity when SMTP originates from unauthorized hosts.
Splunk SPL:
index=corelight sourcetype=corelight_conn (id.resp_p=25 OR id.resp_p=587 OR id.resp_p=465) | lookup authorized_mail_servers ip as id.orig_h OUTPUT is_authorized | where is_authorized!="true" | stats count values(id.resp_h) as dest_ips by id.orig_h | where count > 1 | sort -count | table id.orig_h, dest_ips, count
Elastic KQL:
event.dataset:"zeek.connection" AND destination.port:(25 OR 587 OR 465) AND NOT source.ip:("<mail_server_1>" OR "<mail_server_2>")
Sigma Rule:
title: SMTP Traffic from Non-Mail Server - Potential LONGLEASH Activity
id: d1c6f4a5-0b7e-4d2c-e8f9-a1b2c3d4e5f6
status: experimental
author: RedSheep Security/Stone
date: 2026/07/09
description: Detects SMTP connections originating from hosts not designated as mail servers, which may indicate LONGLEASH backdoor SMTP relay capability
references:
- https://blog.talosintelligence.com/uat-7810/
logsource:
category: network_connection
detection:
selection:
dst_port:
- 25
- 587
- 465
filter_authorized:
src_ip:
- '<authorized_mail_server_1>'
- '<authorized_mail_server_2>'
condition: selection and not filter_authorized
falsepositives:
- Application servers with legitimate email send capabilities
- Monitoring systems sending alerts via SMTP
level: high
tags:
- attack.command_and_control
- attack.t1071
- attack.t1071.003
Attribution: RedSheep Security/Stone (original)
Requires maintaining an authorized_mail_servers lookup table. Update regularly. Applications that send email notifications (e.g., SIEM alerts, ticketing systems) will generate false positives — whitelist known senders.
T1059.004 — Command and Scripting Interpreter: Unix Shell (Execution) [P1]
UAT-7810 deploys DOGLEASH via shell scripts that download the binary using curl/wget, add iptables rules to allow TCP traffic on specific ports, and execute the backdoor. This deployment pattern is detectable through Linux audit logs.
Splunk SPL:
index=linux_audit (type=EXECVE OR type=SYSCALL) (a0="*curl*" OR a0="*wget*" OR a1="*curl*" OR a1="*wget*") | transaction host maxspan=300s | search (a0="*iptables*" OR a1="*iptables*" OR a0="*chmod*" OR a1="*chmod*") | stats count by host, exe | table host, exe, count
Elastic KQL:
(process.name:("curl" OR "wget") AND event.dataset:"auditd.log") OR (process.name:"iptables" AND process.args:("--append" OR "-A" OR "INPUT" OR "ACCEPT"))
Sigma Rule:
title: Shell Script Based Backdoor Deployment - DOGLEASH Pattern
id: e2d7a5b6-1c8f-4e3d-f9a0-b2c3d4e5f6a7
status: experimental
author: RedSheep Security/Stone
date: 2026/07/09
description: Detects shell script activity pattern associated with DOGLEASH deployment - download via curl/wget followed by iptables modification and binary execution
references:
- https://blog.talosintelligence.com/uat-7810/
logsource:
product: linux
category: process_creation
detection:
selection_download:
Image|endswith:
- '/curl'
- '/wget'
CommandLine|contains:
- 'http://'
- 'https://'
selection_iptables:
Image|endswith: '/iptables'
CommandLine|contains:
- '-A INPUT'
- '--append INPUT'
- 'ACCEPT'
condition: selection_download or selection_iptables
falsepositives:
- Legitimate system administration scripts
- Package manager operations
- Docker/container setup scripts
level: high
tags:
- attack.execution
- attack.t1059.004
- attack.persistence
Attribution: RedSheep Security/Stone (original)
High fidelity when curl/wget downloads are followed within 5 minutes by iptables rule additions on the same host. Correlate with new binary file creation. Containerized environments may generate false positives from setup scripts.
T1620 — Reflective Code Loading (Defense Evasion) [P2]
DOGLEASH supports arbitrary in-memory shellcode execution on compromised hosts. This fileless execution technique avoids disk-based detection by EDR and file integrity monitoring tools, making it particularly dangerous on enterprise servers.
Splunk SPL:
index=sysmon (EventCode=8 OR EventCode=10) SourceImage!="*svchost.exe" SourceImage!="*csrss.exe" SourceImage!="*lsass.exe" | where TargetImage!="*svchost.exe" | stats count by Computer, SourceImage, TargetImage, GrantedAccess | where count > 1 | sort -count
Elastic KQL:
event.code:("8" OR "10") AND NOT process.executable:(*svchost.exe OR *csrss.exe) AND winlog.event_data.GrantedAccess:("0x1F0FFF" OR "0x1FFFFF" OR "0x143A")
Sigma Rule:
title: Suspicious In-Memory Code Execution Indicative of DOGLEASH
id: f3e8b6c7-2d9a-4f4e-a0b1-c3d4e5f6a7b8
status: experimental
author: RedSheep Security/Stone
date: 2026/07/09
description: Detects process injection patterns consistent with DOGLEASH in-memory shellcode execution capability
references:
- https://blog.talosintelligence.com/uat-7810/
logsource:
product: windows
category: create_remote_thread
detection:
selection:
EventID: 8
filter_legitimate:
SourceImage|endswith:
- '\svchost.exe'
- '\csrss.exe'
- '\services.exe'
- '\wininit.exe'
- '\wmiprvse.exe'
condition: selection and not filter_legitimate
falsepositives:
- Legitimate software using thread injection (security tools, debuggers)
level: high
tags:
- attack.defense_evasion
- attack.t1620
- attack.t1055
Attribution: RedSheep Security/Stone (original)
On Linux systems, monitor for mmap/mprotect syscalls with PROT_EXEC from unexpected processes. EDR telemetry is the best data source for this technique. Tune out known security tools that use injection.
T1105 — Ingress Tool Transfer (Command and Control) [P2]
UAT-7810 hosts payloads on staging servers for MIPS, ARM, and x64 architectures. DOGLEASH is downloaded via shell scripts using curl/wget. Monitoring for binary downloads from external IPs to internal hosts, especially edge devices, is critical.
Splunk SPL:
index=corelight sourcetype=corelight_http (resp_mime_types="application/x-executable" OR resp_mime_types="application/x-elf" OR resp_mime_types="application/octet-stream" OR resp_mime_types="application/java-archive") | stats count by id.orig_h, id.resp_h, host, uri, resp_mime_types | sort -count | table id.orig_h, id.resp_h, host, uri, resp_mime_types, count
Elastic KQL:
event.dataset:"zeek.http" AND (http.response.mime_type:("application/x-executable" OR "application/x-elf" OR "application/octet-stream" OR "application/java-archive"))
Sigma Rule:
title: Binary or JAR Download via curl/wget - Potential LEASH Payload Staging
id: a4f9c7d8-3e0b-4a5f-b1c2-d4e5f6a7b8c9
status: experimental
author: RedSheep Security/Stone
date: 2026/07/09
description: Detects curl or wget downloading executable or JAR files which may indicate DOGLEASH or JARLEASH payload staging
references:
- https://blog.talosintelligence.com/uat-7810/
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith:
- '/curl'
- '/wget'
CommandLine|contains:
- '.elf'
- '.jar'
- '.bin'
- '.sh'
filter_package_managers:
ParentImage|endswith:
- '/apt'
- '/yum'
- '/dnf'
- '/pip'
condition: selection and not filter_package_managers
falsepositives:
- Legitimate software updates and downloads
- CI/CD pipelines downloading build artifacts
level: medium
tags:
- attack.command_and_control
- attack.t1105
Attribution: RedSheep Security/Stone (original)
Correlate with subsequent file execution and iptables changes. Monitor for downloads to /tmp, /dev/shm, or other world-writable directories commonly used for staging.
T1082 — System Information Discovery (Discovery) [P3]
DOGLEASH retrieves OS information from compromised hosts to fingerprint the system. This is a standard reconnaissance step after initial compromise, informing the operator about the architecture and environment before deploying additional tooling.
Splunk SPL:
index=sysmon EventCode=1 (CommandLine="*uname*-a*" OR CommandLine="*cat*/etc/os-release*" OR CommandLine="*hostnamectl*" OR CommandLine="*lsb_release*") | stats count by Computer, User, ParentImage, CommandLine | where count > 2 | sort -count
Elastic KQL:
event.code:"1" AND process.command_line:(*uname* OR *os-release* OR *hostnamectl* OR *lsb_release*)
Sigma Rule:
title: Linux System Information Discovery Commands
id: b5a0d8e9-4f1c-4b6a-c2d3-e5f6a7b8c9d0
status: experimental
author: RedSheep Security/Stone
date: 2026/07/09
description: Detects execution of system information discovery commands commonly used by DOGLEASH and similar implants after initial compromise
references:
- https://blog.talosintelligence.com/uat-7810/
logsource:
product: linux
category: process_creation
detection:
selection:
CommandLine|contains:
- 'uname -a'
- 'cat /etc/os-release'
- 'hostnamectl'
- 'lsb_release'
- 'cat /proc/cpuinfo'
- 'cat /proc/version'
condition: selection
falsepositives:
- System administrators
- Monitoring scripts
- Configuration management tools (Ansible, Puppet, Chef)
level: low
tags:
- attack.discovery
- attack.t1082
Attribution: RedSheep Security/Stone (original)
Low fidelity standalone — these are common admin commands. Prioritize when seen in correlation with other DOGLEASH indicators (curl/wget downloads, iptables changes, new listening ports).
T1584.008 — Compromise Infrastructure: Network Devices (Resource Development) [P2]
UAT-7810 compromises SOHO routers (Ruckus, ASUS, TP-Link, Netgear, MikroTik) and network appliances to build ORB infrastructure. These devices serve as relay nodes proxying attacker traffic. Volt Typhoon similarly compromised SOHO routers for pre-positioning in U.S. critical infrastructure.
Splunk SPL:
index=corelight sourcetype=corelight_conn local_orig=true id.resp_p>1024 | stats dc(id.orig_h) as unique_sources values(id.orig_h) as source_ips by id.resp_h, id.resp_p | where unique_sources > 5 AND id.resp_p NOT IN (22, 80, 443, 3389, 8080, 8443) | sort -unique_sources | table id.resp_h, id.resp_p, unique_sources, source_ips
Elastic KQL:
event.dataset:"zeek.connection" AND destination.port:>1024 AND NOT destination.port:(22 OR 80 OR 443 OR 3389 OR 8080 OR 8443)
Sigma Rule:
title: Multiple Sources Connecting to Unusual High Port - Potential ORB Relay Node
id: c6b1e9f0-5a2d-4c7b-d3e4-f6a7b8c9d0e1
status: experimental
author: RedSheep Security/Stone
date: 2026/07/09
description: Detects a host receiving connections from multiple sources on an unusual high port, which may indicate the host is acting as an ORB relay node
references:
- https://blog.talosintelligence.com/uat-7810/
- https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
logsource:
category: network_connection
detection:
selection:
dst_port|gte: 1024
filter_common:
dst_port:
- 3306
- 5432
- 8080
- 8443
- 1433
condition: selection and not filter_common
falsepositives:
- Legitimate application servers
- Load balancers
- Custom enterprise applications
level: medium
tags:
- attack.resource_development
- attack.t1584.008
Attribution: RedSheep Security/Stone (original)
Requires aggregation — single connections are not meaningful. Look for hosts receiving connections from 5+ unique source IPs on the same non-standard port. Best used with network baselining to identify anomalies.
T1059.001 — Command and Scripting Interpreter: PowerShell (Execution) [P1]
Volt Typhoon uses living-off-the-land techniques including PowerShell for proxy setup, persistence, and lateral movement. Enterprise Windows servers in ORB networks may show netsh portproxy commands or PowerShell-based port forwarding.
Splunk SPL:
index=sysmon EventCode=1 (CommandLine="*netsh*interface*portproxy*" OR CommandLine="*netsh*portproxy*add*" OR CommandLine="*New-NetFirewallRule*" OR CommandLine="*ssh*-L*" OR CommandLine="*ssh*-R*" OR CommandLine="*ssh*-D*" OR CommandLine="*socat*TCP*") | table _time, Computer, User, ParentImage, Image, CommandLine
Elastic KQL:
event.code:"1" AND process.command_line:(*netsh*portproxy* OR *ssh*\-L* OR *ssh*\-R* OR *ssh*\-D* OR *socat*TCP*)
Sigma Rule:
title: Port Forwarding via Native Tools - ORB Relay Setup
id: d7c2f0a1-6b3e-4d8c-e4f5-a7b8c9d0e1f2
status: experimental
author: RedSheep Security/Stone
date: 2026/07/09
description: Detects use of native port forwarding tools (netsh, ssh, socat) that may indicate ORB relay node configuration by Volt Typhoon or similar actors using living-off-the-land techniques
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://blog.talosintelligence.com/uat-7810/
logsource:
product: windows
category: process_creation
detection:
selection_netsh:
CommandLine|contains|all:
- 'netsh'
- 'portproxy'
selection_ssh_forward:
CommandLine|contains:
- 'ssh'
CommandLine|contains:
- ' -L '
- ' -R '
- ' -D '
selection_socat:
Image|endswith: '\socat.exe'
CommandLine|contains: 'TCP'
condition: selection_netsh or selection_ssh_forward or selection_socat
falsepositives:
- System administrators configuring legitimate port forwarding
- Development/testing environments
level: high
tags:
- attack.execution
- attack.t1059.001
- attack.command_and_control
- attack.t1090
Attribution: RedSheep Security/Stone (original)
netsh portproxy is a high-fidelity indicator on servers that don't require port forwarding. Correlate with account context — service accounts or SYSTEM executing these commands is more suspicious than admin accounts.
T1071.003 — Application Layer Protocol: Mail Protocols (Command and Control) [P1]
LONGLEASH includes SMTP capability, allowing ORB relay traffic to masquerade as legitimate email flow. A compromised Exchange server relaying traffic via LONGLEASH's SMTP capability appears as normal mail traffic at the network level.
Splunk SPL:
index=corelight sourcetype=corelight_smtp | lookup authorized_mail_servers id.orig_h as orig_h OUTPUT is_authorized | where is_authorized!="true" | stats count dc(id.resp_h) as unique_recipients values(mailfrom) as senders by id.orig_h | where count > 3 | sort -count | table id.orig_h, unique_recipients, senders, count
Elastic KQL:
event.dataset:"zeek.smtp" AND NOT source.ip:("<mail_server_ip_1>" OR "<mail_server_ip_2>")
Sigma Rule:
title: SMTP Connection from Unauthorized Host - LONGLEASH Indicator
id: e8d3a1b2-7c4f-4e9d-f5a6-b8c9d0e1f2a3
status: experimental
author: RedSheep Security/Stone
date: 2026/07/09
description: Detects SMTP protocol usage from hosts not in the authorized mail server list, potentially indicating LONGLEASH SMTP relay capability
references:
- https://blog.talosintelligence.com/uat-7810/
logsource:
category: network_connection
detection:
selection:
dst_port:
- 25
- 587
- 465
filter:
src_ip|expand: '%authorized_mail_servers%'
condition: selection and not filter
falsepositives:
- Application servers sending notification emails
- Printers with scan-to-email
- Monitoring systems with SMTP alerting
level: high
tags:
- attack.command_and_control
- attack.t1071.003
Attribution: RedSheep Security/Stone (original)
Maintain an authoritative list of approved SMTP senders. Any SMTP from an unapproved host is worth investigating. Cross-reference with the host's primary function — a database server sending SMTP is more suspicious than a web application server.
T1543 — Create or Modify System Process (Persistence) [P2]
JARLEASH is a JAR-based backdoor deployed on systems with Java available. Java processes opening listening network ports on enterprise servers may indicate JARLEASH deployment. Enterprise Java applications normally listen on well-known ports; unexpected ports warrant investigation.
Splunk SPL:
index=sysmon EventCode=3 Image="*java*" Initiated="true" DestinationPort!=8080 DestinationPort!=8443 DestinationPort!=443 DestinationPort!=80 DestinationPort!=9090 DestinationPort!=1099 | stats count values(DestinationPort) as ports values(DestinationIp) as dest_ips by Computer, Image, User | sort -count | table Computer, Image, User, ports, dest_ips, count
Elastic KQL:
event.code:"3" AND process.name:"java" AND NOT destination.port:(8080 OR 8443 OR 443 OR 80 OR 9090 OR 1099)
Sigma Rule:
title: Java Process Network Listener on Unusual Port - JARLEASH Indicator
id: f9e4b2c3-8d5a-4f0e-a6b7-c9d0e1f2a3b4
status: experimental
author: RedSheep Security/Stone
date: 2026/07/09
description: Detects Java processes establishing network connections on non-standard ports, which may indicate JARLEASH backdoor activity
references:
- https://blog.talosintelligence.com/uat-7810/
logsource:
product: windows
category: network_connection
detection:
selection:
Image|endswith: '\java.exe'
Initiated: 'true'
filter_standard_ports:
DestinationPort:
- 80
- 443
- 8080
- 8443
- 9090
- 1099
- 9200
- 9300
condition: selection and not filter_standard_ports
falsepositives:
- Custom Java applications on non-standard ports
- Development/test environments
level: medium
tags:
- attack.persistence
- attack.t1543
- attack.command_and_control
Attribution: RedSheep Security/Stone (original)
Baseline all legitimate Java applications and their expected ports. JARLEASH is portable to any system with a JRE. Check for unexpected .jar files in temp directories or user writable paths. On Linux: index=linux_audit type=SYSCALL syscall=bind exe="java"
T1573 — Encrypted Channel (Command and Control) [P2]
LONGLEASH uses TLS/PKI for encrypted communications. ORB relay traffic encrypted with self-signed or unusual certificates can be detected through TLS certificate inspection in Corelight/Zeek SSL logs.
Splunk SPL:
index=corelight sourcetype=corelight_ssl validation_status!="ok" | stats count dc(id.orig_h) as unique_clients values(issuer) as issuers values(subject) as subjects by id.resp_h, id.resp_p, validation_status | where count > 3 | sort -count | table id.resp_h, id.resp_p, validation_status, unique_clients, issuers, subjects, count
Elastic KQL:
event.dataset:"zeek.ssl" AND NOT tls.server.x509.issuer.common_name:* AND tls.established:true
Sigma Rule:
title: TLS Connection with Invalid or Self-Signed Certificate - Potential LONGLEASH
id: a0f5c3d4-9e6b-4a1f-b7c8-d0e1f2a3b4c5
status: experimental
author: RedSheep Security/Stone
date: 2026/07/09
description: Detects established TLS connections with validation failures that may indicate LONGLEASH TLS/PKI relay traffic using self-signed or improperly configured certificates
references:
- https://blog.talosintelligence.com/uat-7810/
logsource:
category: network_connection
product: zeek
detection:
selection:
validation_status|contains:
- 'self signed'
- 'unable to get local issuer'
- 'certificate has expired'
condition: selection
falsepositives:
- Internal services using self-signed certificates
- Development environments
- IoT devices with embedded certificates
level: medium
tags:
- attack.command_and_control
- attack.t1573
- attack.t1573.002
Attribution: RedSheep Security/Stone (original)
High volume in environments with many internal self-signed certs. Build a baseline of known internal certificate issuers and filter them. Focus on TLS to external IPs with self-signed certs from servers that normally use commercial CAs.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| ip | 217.15.164.147 |
Linked to exploitation of ASUS AiCloud routers via CVE-2025-2492 by UAT-7810 in early 2026. Used as infrastructure for ORB network construction. |
| filename | LONGLEASH |
Updated ORB relay/backdoor with multi-protocol proxy, TLS/PKI, SMTP, reverse shell, and self-removal capabilities. Evolution of SHORTLEASH. Deployed by UAT-7810. |
| filename | DOGLEASH |
Lightweight C-based Linux backdoor deployed via shell scripts. Opens listening TCP port, authenticates via hardcoded password, supports shell execution, file access, and in-memory shellcode execution. |
| filename | JARLEASH |
JAR-based backdoor deployed on systems with Java runtime. Provides remote access. Highly portable across any enterprise system with JRE installed. |
| filename | LEASHTEST |
Testing utility used by UAT-7810 to verify functionality on compromised devices, particularly MIPS-based embedded devices. Its presence is a reliable indicator of compromise. |
| filename | SHORTLEASH |
Prior-generation ORB relay tool. Predecessor to LONGLEASH. May still be present on older compromised nodes. |
IOC Sweep Queries (Splunk):
index=* (src_ip="217.15.164.147" OR dest_ip="217.15.164.147" OR src="217.15.164.147" OR dest="217.15.164.147" OR id.orig_h="217.15.164.147" OR id.resp_h="217.15.164.147" OR query="217.15.164.147" OR answer="217.15.164.147") | stats count min(_time) as first_seen max(_time) as last_seen values(sourcetype) as sources by src_ip, dest_ip, dest_port | sort -count | table first_seen, last_seen, src_ip, dest_ip, dest_port, sources, count
index=* (file_name="*longleash*" OR file_name="*LONGLEASH*" OR process_name="*longleash*" OR CommandLine="*longleash*") | stats count by host, file_name, file_path, source | table host, file_name, file_path, source, count
index=* (file_name="*dogleash*" OR file_name="*DOGLEASH*" OR process_name="*dogleash*" OR CommandLine="*dogleash*") | stats count by host, file_name, file_path, source | table host, file_name, file_path, source, count
index=* (file_name="*jarleash*" OR file_name="*JARLEASH*" OR file_name="*jarleash*.jar" OR CommandLine="*jarleash*") | stats count by host, file_name, file_path, source | table host, file_name, file_path, source, count
index=* (file_name="*leashtest*" OR file_name="*LEASHTEST*" OR process_name="*leashtest*" OR CommandLine="*leashtest*") | stats count by host, file_name, file_path, source | table host, file_name, file_path, source, count
index=* (file_name="*shortleash*" OR file_name="*SHORTLEASH*" OR process_name="*shortleash*" OR CommandLine="*shortleash*") | stats count by host, file_name, file_path, source | table host, file_name, file_path, source, count
YARA Rules
LEASH_Family_Strings — Detects strings and artifacts associated with the LEASH malware family (LONGLEASH, DOGLEASH, JARLEASH, SHORTLEASH, LEASHTEST) used by UAT-7810 for ORB network construction
rule LEASH_Family_Strings {
meta:
author = "RedSheep Security/Stone"
description = "Detects strings associated with the LEASH malware family used by UAT-7810 for ORB network construction"
reference = "https://blog.talosintelligence.com/uat-7810/"
date = "2026-07-09"
severity = "high"
strings:
$s1 = "LONGLEASH" ascii wide nocase
$s2 = "DOGLEASH" ascii wide nocase
$s3 = "JARLEASH" ascii wide nocase
$s4 = "SHORTLEASH" ascii wide nocase
$s5 = "LEASHTEST" ascii wide nocase
$proxy1 = "CONNECT %s:%d" ascii
$proxy2 = "HTTP/1.1 200 Connection established" ascii
$smtp1 = "EHLO" ascii
$smtp2 = "MAIL FROM" ascii
$iptables1 = "iptables -A INPUT" ascii
$iptables2 = "iptables --append" ascii
$shell1 = "/bin/sh" ascii
$shell2 = "/bin/bash" ascii
condition:
uint32(0) == 0x464C457F or
(filesize < 5MB and (any of ($s*) or (2 of ($proxy*, $smtp*, $iptables*, $shell*))))
}
Attribution: RedSheep Security/Stone (original)
DOGLEASH_Shell_Deployment — Detects shell scripts used to deploy DOGLEASH backdoor — identifies the download-and-execute pattern with iptables modification
rule DOGLEASH_Shell_Deployment {
meta:
author = "RedSheep Security/Stone"
description = "Detects shell script patterns used to deploy DOGLEASH backdoor with iptables modifications"
reference = "https://blog.talosintelligence.com/uat-7810/"
date = "2026-07-09"
severity = "high"
strings:
$dl1 = "curl -o" ascii
$dl2 = "curl -O" ascii
$dl3 = "wget -O" ascii
$dl4 = "wget -q" ascii
$ipt1 = "iptables -A INPUT -p tcp --dport" ascii
$ipt2 = "iptables -I INPUT -p tcp --dport" ascii
$ipt3 = "iptables --append INPUT" ascii
$exec1 = "chmod +x" ascii
$exec2 = "chmod 755" ascii
$exec3 = "chmod 777" ascii
$exec4 = "nohup" ascii
condition:
filesize < 10KB and
any of ($dl*) and
any of ($ipt*) and
any of ($exec*)
}
Attribution: RedSheep Security/Stone (original)
JARLEASH_Java_Backdoor — Detects JARLEASH Java-based backdoor artifacts in JAR files
rule JARLEASH_Java_Backdoor {
meta:
author = "RedSheep Security/Stone"
description = "Detects JARLEASH Java-based backdoor used by UAT-7810 for ORB network remote access"
reference = "https://blog.talosintelligence.com/uat-7810/"
date = "2026-07-09"
severity = "high"
strings:
$magic = { 50 4B 03 04 }
$java1 = "java/net/ServerSocket" ascii
$java2 = "java/net/Socket" ascii
$java3 = "Runtime.getRuntime" ascii
$java4 = "ProcessBuilder" ascii
$java5 = "/bin/sh" ascii
$java6 = "cmd.exe" ascii
$leash = "JARLEASH" ascii nocase
$net1 = "getInputStream" ascii
$net2 = "getOutputStream" ascii
condition:
$magic at 0 and
($leash or (2 of ($java*) and all of ($net*)))
}
Attribution: RedSheep Security/Stone (original)
Suricata Rules
SID 2026071001 — Detects outbound connection to UAT-7810 infrastructure IP 217.15.164.147 linked to CVE-2025-2492 exploitation
alert ip any any -> 217.15.164.147 any (msg:"ET TROJAN UAT-7810 ORB Infrastructure IP 217.15.164.147"; reference:url,blog.talosintelligence.com/uat-7810/; classtype:trojan-activity; sid:2026071001; rev:1; metadata:created_at 2026_07_09, updated_at 2026_07_09;)
Attribution: RedSheep Security/Stone (original)
SID 2026071002 — Detects inbound connection from UAT-7810 infrastructure IP 217.15.164.147
alert ip 217.15.164.147 any -> $HOME_NET any (msg:"ET TROJAN UAT-7810 ORB Infrastructure Inbound from 217.15.164.147"; reference:url,blog.talosintelligence.com/uat-7810/; classtype:trojan-activity; sid:2026071002; rev:1; metadata:created_at 2026_07_09, updated_at 2026_07_09;)
Attribution: RedSheep Security/Stone (original)
SID 2026071003 — Detects potential DOGLEASH backdoor shell script deployment via HTTP - curl/wget download of ELF binary
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential DOGLEASH ELF Binary Download"; flow:established,to_server; content:"GET"; http_method; content:".elf"; http_uri; reference:url,blog.talosintelligence.com/uat-7810/; classtype:trojan-activity; sid:2026071003; rev:1; metadata:created_at 2026_07_09, updated_at 2026_07_09;)
Attribution: RedSheep Security/Stone (original)
SID 2026071004 — Detects potential JARLEASH JAR backdoor download via HTTP
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential JARLEASH JAR Backdoor Download"; flow:established,to_server; content:"GET"; http_method; content:".jar"; http_uri; reference:url,blog.talosintelligence.com/uat-7810/; classtype:trojan-activity; sid:2026071004; rev:1; metadata:created_at 2026_07_09, updated_at 2026_07_09;)
Attribution: RedSheep Security/Stone (original)
SID 2026071005 — Detects SMTP traffic from non-standard source port ranges that may indicate LONGLEASH SMTP relay activity
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Connection to External Server - Potential LONGLEASH Relay"; flow:established,to_server; content:"EHLO"; nocase; reference:url,blog.talosintelligence.com/uat-7810/; classtype:policy-violation; sid:2026071005; rev:1; metadata:created_at 2026_07_09, updated_at 2026_07_09;)
Attribution: RedSheep Security/Stone (original)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Corelight/Zeek conn logs | T1090, T1090.002, T1071, T1071.003, T1584.008, T1573 | Required for network-level ORB detection. Ensure Corelight sensors are deployed at all network egress points and critical internal segments. Index as sourcetype=corelight_conn in Splunk. |
| Corelight/Zeek SSL logs | T1573 | Required for TLS certificate inspection to detect LONGLEASH TLS/PKI communications. Ensure JA3/JA3S hashing is enabled. |
| Corelight/Zeek DNS logs | T1090.002 | Required for dynamic DNS detection. Index as sourcetype=corelight_dns. |
| Corelight/Zeek SMTP logs | T1071.003 | Required for detecting unauthorized SMTP activity indicative of LONGLEASH. |
| Corelight/Zeek HTTP logs | T1105 | Required for detecting binary/JAR downloads indicative of LEASH family payload staging. |
| Sysmon (Windows) — EventID 1 | T1059.001, T1082, T1105 | Process creation with full command line logging. Essential for detecting living-off-the-land techniques (netsh portproxy, ssh forwarding, socat). |
| Sysmon (Windows) — EventID 3 | T1543, T1090 | Network connection logging. Required for detecting Java processes opening unexpected network listeners (JARLEASH indicator). |
| Sysmon (Windows) — EventID 8, 10 | T1620 | CreateRemoteThread and ProcessAccess events. Required for detecting in-memory code execution (DOGLEASH shellcode loading). |
| PowerShell ScriptBlock Logging (EventID 4104) | T1059.001 | Required for detecting PowerShell-based living-off-the-land techniques used by Volt Typhoon. |
| Linux Audit Logs (auditd) | T1059.004, T1082, T1543 | Required for detecting DOGLEASH deployment patterns on Linux systems. Ensure EXECVE, SYSCALL, and bind() auditing is configured. |
| Firewall/IDS Logs | T1190, T1584.008 | Required for IOC-based detection of known UAT-7810 infrastructure IPs and exploitation signatures. |
| Residential IP Intelligence Feed | T1090.002 | Required for residential_ip_ranges lookup table. Subscribe to MaxMind, IPinfo, or similar service for IP classification. |
| Authorized Mail Servers Lookup | T1071, T1071.003 | Maintain a curated lookup table of all authorized SMTP senders in the environment. Required for LONGLEASH SMTP detection. |
Mitigations & Recommendations
Curated baseline: Volt Typhoon; library archetype
The curated playbook comprehensively covers Volt Typhoon's LOLBin tradecraft, SOHO router relay egress, edge appliance CVE exposure, credential dumping, and covert eviction sequencing. The current incident adds net-new tradecraft around the broader ORB ecosystem: specifically UAT-7810 as an infrastructure-builder deploying custom Linux/embedded malware (LONGLEASH, DOGLEASH, JARLEASH) on Ruckus/ASUS/TP-Link/Netgear/MikroTik devices, SMTP-based C2 blending, and shell-script deployment patterns with iptables manipulation — none of which are addressed by the LOLBin-and-LOTL-focused baseline.
Established mitigations (curated):
- Eviction kickoff requires CISO approval and participation from: Identity team, AD team, Network team, EDR team, Exchange/M365 team, and edge-appliance vendor support.
- Simultaneously disable ALL compromised accounts (user + service). Revoke ALL sessions and tokens.
- krbtgt reset TWICE (12 hours apart). Required since attacker had NTDS access.
- Reset ALL domain passwords (force all users to change on next logon).
- Block ALL known Volt Typhoon infrastructure: CISA-published IPs, domains, KV Botnet relay ranges. Apply at perimeter, DNS, proxy.
- Isolate compromised hosts at EDR. Do NOT attempt in-place cleaning; they are rebuild targets.
Established detection guidance (curated):
- DO NOT alert the actor. No account disables, no password resets, no host isolation, no emails about the investigation on normal corporate channels. Use out-of-band comms only.
- Hunt Volt Typhoon signature LOLBin pattern: ntdsutil, wmic, reg save, netsh port proxy, tasklist, ipconfig, net user/group, whoami.
- Hunt for credential dumping via ntdsutil (DC database extraction).
- Look for netsh port proxy rules establishing attacker pivots.
- Egress to SOHO router / KV Botnet relay IPs. Check for authenticated sign-ins from ASNs associated with residential or small-business ISPs (Comcast, AT&T residential, various global ISPs).
- Review public-facing edge devices for CVE exposure matching known Volt Typhoon entry vectors (Fortinet FortiGuard, Ivanti Pulse/Connect Secure, Cisco, Versa Director).
Net-new from this incident:
- Treat ORB infrastructure builders (UAT-7810) as a distinct threat from the espionage consumers (Volt Typhoon, Salt Typhoon, UAT-5918) — detection logic should target the relay-node tradecraft (SMTP C2, iptables mods, curl/wget+chmod chains) independently of Volt Typhoon-specific LOLBin patterns.
- Expand SOHO/edge asset inventory beyond enterprise perimeter vendors to include Ruckus, ASUS, TP-Link, Netgear, and MikroTik — including shadow-IT and branch deployments, which are prime ORB recruitment targets.
- Add multi-architecture (MIPS/ARM/x64) malware hunting capability; current playbook is Windows-AD-centric and will miss LEASH-family implants on embedded and Linux hosts.
- Extend edge-appliance rebuild scope to include Ruckus, ASUS, TP-Link, Netgear, and MikroTik devices in the estate (branch offices, lab networks, guest infrastructure) — not just enterprise perimeter gear. (Why: T1584.008 / T1190 — UAT-7810 targets these specific SOHO vendors for ORB recruitment; curated playbook only covers Fortinet/Ivanti/Cisco/Versa.)
- Egress-block outbound SMTP from every host not on the sanctioned mail-relay allowlist at the perimeter firewall. (Why: T1071.003 — LONGLEASH SMTP C2. No equivalent control in curated playbook.)
- Remove attacker-added iptables rules and rebuild affected Linux hosts / appliances from clean images rather than in-place remediation. (Why: T1059.004 — DOGLEASH deployment persists via iptables rule additions on compromised nodes.)
- Detect: Hunt outbound SMTP (TCP/25, 465, 587) originating from non-mail servers — workstations, app servers, DCs, or any host not in the sanctioned mail relay inventory. (Why: T1071.003 — LONGLEASH uses SMTP as a C2 protocol to blend with legitimate email traffic. The curated playbook has no protocol-blend detection.)
- Detect: Hunt shell script execution chains on Linux/Unix hosts and network appliances that combine curl/wget download + iptables -A INPUT ACCEPT + chmod+x + execution of the downloaded binary. (Why: T1059.004 / T1105 — UAT-7810 deploys DOGLEASH via shell scripts using curl/wget with iptables rule additions.)
- Detect: Inventory Ruckus (CVE-2020-22653, CVE-2020-22658, CVE-2023-25717) and ASUS AiCloud (CVE-2025-2492) devices reachable from the internet or bridging into corporate segments; check for exploit indicators. (Why: T1190 — UAT-7810 specifically exploits these CVEs. Curated playbook enumerates Fortinet/Ivanti/Cisco/Versa but not Ruckus/ASUS SOHO.)
- Detect: Hunt for periodic small-byte beacon patterns (heartbeat-sized flows at regular intervals) from internal hosts to residential ISP IP space on uncommon ports. (Why: T1090 — LONGLEASH ORB nodes maintain persistent connections with periodic small keepalive traffic.)
Sources
- Cisco Talos: UAT-7810 continues building ORB networks using new malware
- Mandiant/Google Cloud: IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders
- CISA: PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure (Volt Typhoon)
- CISA: Salt Typhoon Guidance for Communications Infrastructure