Chinese Hackers Exploit Ruckus Routers with LONGLEASH Malware
Chinese hacker malware is once again making headlines as the threat group known as UAT-7810 deploys a sophisticated new tool called LONGLEASH to compromise internet-facing networking devices across the globe. Australian businesses with unpatched Ruckus routers are particularly vulnerable to this evolving threat, which aims to expand China’s Operational Relay Box (ORB) network for future cyberattacks.
This latest development represents a significant escalation in state-sponsored cyber operations, with attackers actively targeting network infrastructure to build covert communication channels. Understanding how this Chinese hacker malware operates is critical for organisations seeking to protect their digital assets.
“Chinese hackers tracked as ‘UAT-7810’ are actively evolving their malware to expand their Operational Relay Box (ORB) network by compromising internet-facing networking devices, primarily unpatched Ruckus routers.”
— Source: BleepingComputer, July 08, 2026
What Is the LONGLEASH Malware and How Does It Work?
LONGLEASH is a newly identified malware strain specifically designed to compromise vulnerable networking equipment. Unlike traditional malware that targets endpoints, LONGLEASH focuses on network infrastructure devices, making detection significantly more challenging for conventional security tools.
The malware operates by exploiting known vulnerabilities in unpatched Ruckus wireless routers. Once installed, it transforms compromised devices into nodes within the attackers’ Operational Relay Box (ORB) network—a distributed infrastructure used to anonymise malicious traffic and launch subsequent attacks.
Key Technical Characteristics
- Persistence mechanisms that survive device reboots
- Encrypted command-and-control communications
- Ability to update and evolve remotely
- Low resource footprint to avoid detection
- Targeted exploitation of firmware vulnerabilities
Who Is UAT-7810 and What Are Their Objectives?
UAT-7810 is a Chinese state-sponsored threat actor that has been tracked by security researchers for several years. Their primary objective appears to be building and maintaining a vast network of compromised devices that can be leveraged for espionage, data exfiltration, and cyberattacks against Western targets.
The group’s focus on ORB networks is particularly concerning. These networks allow attackers to route malicious traffic through legitimate infrastructure, making attribution and blocking extremely difficult. By compromising devices in Australia and other allied nations, UAT-7810 gains strategic positioning for future operations.
Why Network Devices Are Prime Targets
- Often overlooked in regular patching cycles
- Limited visibility from endpoint detection tools
- Always-on connectivity provides reliable access
- Trusted position within network architecture
- Firmware updates frequently delayed or ignored
What Is the Business Impact for Australian Organisations?
The emergence of this Chinese hacker malware poses significant risks for Australian businesses across multiple sectors. Organisations using vulnerable Ruckus equipment may unknowingly become part of a hostile nation-state’s attack infrastructure.
Beyond the immediate security implications, compromised devices could expose businesses to regulatory penalties under the Security of Critical Infrastructure Act 2018 and damage customer trust. The reputational impact of being identified as a node in a Chinese espionage network could be devastating.
Industries at Greatest Risk
- Healthcare facilities with legacy network equipment
- Educational institutions with distributed campuses
- Retail and hospitality businesses
- Small-to-medium enterprises with limited IT resources
- Government contractors and suppliers
If your organisation relies on network infrastructure that hasn’t been recently audited, now is the time to explore professional vulnerability management services to identify potential exposure.
How Can You Protect Your Business from LONGLEASH?
Defending against sophisticated threats like LONGLEASH requires a multi-layered approach that addresses both immediate vulnerabilities and long-term security posture. The following recommendations can significantly reduce your organisation’s risk.
Immediate Actions
- Audit your network inventory to identify all Ruckus devices and firmware versions
- Apply the latest security patches from the manufacturer immediately
- Disable unnecessary remote management interfaces
- Implement network segmentation to isolate critical assets
- Enable logging and monitor for suspicious outbound connections
Long-Term Security Measures
- Establish a regular firmware update schedule for all network devices
- Deploy network detection and response (NDR) solutions
- Conduct regular penetration testing of network infrastructure
- Implement zero-trust architecture principles
- Subscribe to threat intelligence feeds for early warning
For organisations requiring expert guidance, speak with our security team about developing a comprehensive defence strategy tailored to your environment.
Frequently Asked Questions
What is Chinese hacker malware like LONGLEASH designed to do?
LONGLEASH is designed to compromise vulnerable network devices, particularly Ruckus routers, and incorporate them into an Operational Relay Box (ORB) network. This network allows Chinese state-sponsored hackers to anonymise their traffic and launch cyberattacks while making attribution extremely difficult. The malware specifically targets unpatched firmware vulnerabilities.
How can I tell if my Ruckus router has been compromised by LONGLEASH?
Signs of compromise may include unexpected outbound network traffic, degraded device performance, unauthorised configuration changes, or connections to unknown external IP addresses. However, sophisticated malware like LONGLEASH is designed to evade detection. Professional security assessments and network traffic analysis are recommended for definitive identification.
Are Australian businesses specifically targeted by UAT-7810?
While UAT-7810 operates globally, Australian organisations are indeed targets due to the country’s strategic alliances and valuable intellectual property. Businesses in the defence supply chain, critical infrastructure, and research sectors should consider themselves at elevated risk and prioritise network security accordingly.
Key Takeaways
- UAT-7810 is a Chinese state-sponsored group actively deploying LONGLEASH malware
- Unpatched Ruckus routers are the primary targets for network compromise
- Compromised devices become part of an ORB network used for future attacks
- Australian businesses face regulatory, reputational, and operational risks
- Immediate patching and network audits are essential protective measures
- Long-term defence requires network detection capabilities and zero-trust principles
Conclusion: Act Now to Defend Against Chinese Hacker Malware
The emergence of LONGLEASH demonstrates that Chinese hacker malware continues to evolve in sophistication and scope. Australian organisations cannot afford to overlook the security of their network infrastructure, particularly devices that may not receive the same attention as endpoints and servers.
By taking immediate action to patch vulnerable Ruckus equipment and implementing robust long-term security measures, businesses can significantly reduce their exposure to this threat. The cost of prevention is invariably lower than the cost of compromise—especially when that compromise makes your organisation complicit in nation-state cyber operations.
Don’t wait until your network becomes part of someone else’s attack infrastructure. Review your security posture today and ensure your organisation isn’t the next victim of this evolving threat campaign.
