Summer usually means slower news cycles and shorter workweeks. Nation-state hackers didn’t get the memo. A new report out this week from Cisco Talos shows a China-linked threat actor actively upgrading its malware arsenal to grow one of the most persistent pieces of espionage infrastructure in the game today: an ORB network.

If that term is new to you, it’s worth understanding — because ORB networks are quietly becoming one of the biggest headaches for defenders trying to attribute and stop nation-state attacks.

What’s an ORB Network, and Why Should You Care?

Think of an ORB network as a nation-state’s private proxy service, built almost entirely out of other people’s hacked equipment. Instead of running attacks from obviously foreign infrastructure, threat actors compromise ordinary internet-facing devices — home and small-office routers, IoT gadgets, even smart devices — and route their traffic through them. The compromised device keeps working normally for its actual owner, who has no idea it’s secretly relaying espionage traffic in the background.

That’s what makes ORB networks so dangerous: the traffic looks like it’s coming from a legitimate residential or business connection, not a suspicious foreign server. It blends in. And unlike a traditional botnet used for a single noisy purpose like a DDoS attack, an ORB network can be leased or shared across multiple threat groups, each running their own separate campaigns through the same relay infrastructure.

The Latest Development: LONGLEASH

The threat actor behind this activity, tracked as UAT-7810, has been building out its ORB network primarily by compromising unpatched Ruckus routers, along with some ASUS AiCloud routers. According to Talos researchers, this ORB network infrastructure doesn’t just serve UAT-7810 — it’s also used by other China-aligned groups, including one tracked as UAT-5918.

The headline discovery is a new malware strain called LONGLEASH, an upgraded successor to a previously known backdoor called SHORTLEASH. Where SHORTLEASH could handle basic command-and-control communication and network tunneling, LONGLEASH adds a much broader toolkit:

  • Reverse shell access
  • Proxying across HTTP, DNS, SOCKS, TCP, ICMP, and UDP protocols
  • SMTP client and server functionality
  • TLS and PKI support for encrypted, legitimate-looking traffic
  • Self-removal capability if it detects tampering or investigation
  • The ability to act as a relay itself, forwarding commands between other infected devices

Talos also identified three companion tools rounding out the toolkit: DOGLEASH, a lightweight Linux backdoor deployed through web shell scripts; JARLEASH, a Java-based administrative tool with file management and FTP/SFTP capabilities; and LEASHTEST, a utility apparently used to test whether MIPS-based IoT devices can support the malware, suggesting the group is actively working to expand into new categories of embedded devices.

How They’re Getting In

None of this relies on flashy zero-days. UAT-7810 is exploiting known, already-patched vulnerabilities — CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717 in Ruckus routers, plus CVE-2025-2492 in ASUS AiCloud routers. In other words, this entire ORB network campaign runs on devices that simply never got updated.

That’s the part that should sting a little. This isn’t an unstoppable, cutting-edge attack — it’s a patching problem. Every device pulled into this ORB network was sitting there, unpatched and internet-facing, waiting to be found.

Why ORB Networks Are Becoming a Major Threat

ORB networks represent a shift in how nation-state actors conduct long-term espionage. By turning compromised consumer and small business devices into a resilient, distributed proxy layer, attackers gain plausible deniability and make attribution significantly harder. As more organizations adopt remote work and IoT solutions, the pool of potential ORB nodes continues to grow. This creates a perfect storm where ORB networks can quietly scale while remaining under the radar of traditional security tools.

Why “Summer is Heating Up”

This story lands alongside a string of other nation-state activity we’ve been tracking. Chinese state-linked operations have kept up a steady drumbeat this year — from large-scale SIM farm seizures tied to telecom infrastructure risk, to escalating debate over how the U.S. should respond to nation-state hacking with a more proactive offensive posture, to ongoing tension in the Middle East fueling Iranian cyber activity against U.S. targets. ORB networks like this one are the connective tissue underneath a lot of that activity: quiet, patient infrastructure-building that pays off months or years later when it’s time to launch an operation.

Nation-state actors don’t take a summer break, and campaigns like UAT-7810’s are proof they’re playing a long game — literally building out ORB network infrastructure now for operations that may not surface for months. If your organization runs any internet-facing routers, VPN appliances, or IoT devices, this is exactly the kind of campaign that can turn “we’ll patch it next quarter” into a serious liability.

What You Should Do Right Now

  1. Patch every internet-facing router and network appliance. Ruckus and ASUS AiCloud devices are the specific targets named in this campaign, but the lesson applies broadly: unpatched edge devices are the easiest door into an ORB network.
  2. Inventory your internet-facing devices. You can’t patch what you don’t know you have. Home-office routers, branch office equipment, and forgotten IoT devices are common blind spots.
  3. Monitor for unusual outbound proxying behavior. ORB network-related malware often shows up as unexpected traffic patterns — devices suddenly relaying traffic they have no business relaying.
  4. Don’t rely on IP-based blocklists alone. Because ORB network nodes are constantly rotating through compromised devices, static IP indicators of compromise age out fast. Behavior-based detection matters more here than a blocklist.
  5. Segment your network. If a router or IoT device does get compromised, proper segmentation limits how far an attacker can move from that foothold into the broader ORB network infrastructure.

The Bottom Line

Nation-state cyber campaigns like the one behind LONGLEASH don’t rely on exotic tradecraft — they rely on patience and unpatched infrastructure to build powerful ORB networks. As geopolitical tension keeps simmering this summer, expect more of this kind of quiet, infrastructure-first activity from state-aligned actors. The organizations that stay ahead of it are the ones treating router and IoT patching as seriously as they treat patching servers and workstations.

Not sure if your network devices are exposed to campaigns like this one? Contact Us for a security assessment.