Summary Points
- UAT-7810, a China-linked hacking group, exploits outdated Ruckus routers to build and expand a global network of hijacked devices (Operational Relay Box network) that conceals cyberattack origins.
- The group uses custom malware, including the upgraded LONGLEASH backdoor, which manages encrypted tunnels and disguises traffic as normal web browsing to facilitate long-term stealthy operation.
- Known vulnerabilities in unpatched Ruckus routers are the primary entry point, with the attackers also targeting other devices like ASUS AiCloud, aiming to broaden their relay infrastructure.
- Regular firmware updates, network segmentation, and traffic monitoring are critical defenses to prevent and detect these persistent, clandestine device hijackings.
Problem Explained
UAT-7810, a China-linked hacking group, has been expanding its global network by exploiting vulnerabilities in outdated Ruckus wireless routers. They utilize these compromised devices to create an “Operational Relay Box” (ORB) network, which masks the origin of cyberattacks by routing malicious traffic through legitimate home and business routers. This tactic, known as the LapDogs network, has grown since its detection in 2025, with UAT-7810 mainly responsible for building and maintaining it. Researchers from Cisco Talos report that the group relies heavily on unpatched routers to deploy sophisticated custom malware, such as the LONGLEASH backdoor, which acts as a proxy and command center for infected devices.
The group’s activities highlight a concerning pattern of long-term, stealthy access that makes attribution difficult. Their malware tools, including DOGLEASH and JARLEASH, are designed for persistent control over infected devices, which can remain undetected for months. The attack’s success stems from exploiting known vulnerabilities in outdated firmware; therefore, updating router security and hardware replacement are essential preventive measures. UAT-7810’s expansion beyond routers to target devices like ASUS AiCloud demonstrates their intent to grow this relay infrastructure further. These reports, shared by security analysts, serve to inform organizations and individuals about the importance of strengthening defenses against such covert and sustained cyber threats.
Risk Summary
The issue of “China-Nexus Hackers Exploit Ruckus Routers to Build Operational Relay Box Networks” can threaten any business’s security by allowing cybercriminals to hijack network devices. When hackers penetrate Ruckus routers, they often set up hidden relay boxes that can reroute sensitive data or launch attacks. Consequently, your business might face data breaches, theft of valuable information, or even network shutdowns, disrupting daily operations. Moreover, such breaches can damage your reputation, lead to legal penalties, and incur heavy recovery costs. Therefore, without proper security measures, your business becomes vulnerable, and the fallout can be both immediate and long-lasting. In essence, this type of cyber threat underscores the importance of robust cybersecurity practices for every organization.
Possible Action Plan
In the rapidly evolving landscape of cyber threats, prompt remediation of vulnerabilities is critical to prevent widespread damage, especially when sophisticated threat actors like China-Nexus Hackers exploit specific vulnerabilities in network equipment such as Ruckus routers to establish extensive relay networks. Addressing these threats swiftly can significantly reduce potential disruptions, data breaches, and long-term security risks.
Detection and Monitoring
Implement continuous network monitoring for unusual traffic patterns and unauthorized device connections. Utilize intrusion detection systems to flag suspicious activities related to router behavior.
Firmware Updates
Promptly apply the latest firmware patches released by Ruckus Networks to close known security gaps and prevent exploitation of existing vulnerabilities.
Access Controls
Enforce strict access controls by disabling remote management features, changing default passwords, and employing strong, unique credentials. Limit administrative access to essential personnel only.
Network Segmentation
Segment the network to isolate critical systems from less secure or public-facing devices, reducing the attack surface and containing potential breaches.
Vulnerability Assessments
Conduct regular vulnerability scans and penetration testing focused on router security to identify and remediate weaknesses proactively.
Incident Response
Develop and update incident response plans tailored to router compromise scenarios, ensuring rapid containment and recovery in case of an attack.
Vendor Collaboration
Maintain active communication with Ruckus and cybersecurity authorities to stay informed about emerging threats and recommended best practices.
User Education
Train personnel on recognizing suspicious activity and adhering to security policies related to network device management to reduce human error-related weaknesses.
Stay Ahead in Cybersecurity
Explore career growth and education via Careers & Learning, or dive into Compliance essentials.
Access world-class cyber research and guidance from IEEE.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1
