China-nexus threat actor UAT-7810 is deploying a decentralized Operational Relay Box (ORB) infrastructure by compromising edge devices, including routers and firewalls, to obfuscate Command and Control (C2) traffic. Utilizing the "Longleash" malware, the actor achieves persistence within embedded firmware to route malicious egress through legitimate residential and corporate IP spaces. This architecture bypasses geolocation filters and IP reputation-based detection systems. Primary targets include government contractors and SMBs. Detection requires monitoring for non-standard tunneling protocols and anomalous outbound traffic originating from perimeter hardware, focusing on firmware integrity and egress filtering.
-
Infrastructure Evolution: ORB Architecture
- Shift from traceable VPS and cloud hosting to a distributed network of compromised edge hardware.
- Deployment of Operational Relay Boxes (ORBs) as intermediaries to shield the backend C2 infrastructure from discovery.
- Strategic masking of geographic origins to complicate attribution and evade IP-based reputation filters.
-
Technical Execution: Longleash Malware
- Exploitation of vulnerabilities in the embedded firmware of routers, firewalls, and various IoT devices.
- Deployment of Longleash malware, specifically engineered for persistence across device reboots and network expansion.
- Implementation of optimized C2 tunneling protocols designed for high performance on resource-constrained embedded hardware.
-
Targeting and Traffic Obfuscation
- Prioritized targeting of Small-to-Medium Businesses (SMBs) and government contractors to embed within trusted network segments.
- Blending malicious C2 traffic with legitimate residential and enterprise egress to defeat behavioral heuristics.
- Use of diversified, legitimate-looking relay IPs to bypass strict geolocation-based blocking policies.
-
Impact on Network Defense
- Degradation of perimeter security as compromised edge hardware serves as a hidden pivot point for lateral movement.
- Increased attribution difficulty due to the utilization of legitimate IP space for malicious routing.
- Establishment of a high-availability infrastructure capable of sustaining long-term espionage and targeted campaigns.
-
Detection and Mitigation Strategies
- Implementation of strict egress filtering and continuous monitoring for unusual outbound connections from perimeter devices.
- Regular auditing of firmware integrity and expedited patching of edge hardware to close known exploitation vectors.
- Integration of Longleash malware signatures and ORB relay indicators into SIEM and IDS platforms.
Related posts
- bulwarkblack.com — UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure
- bleepingcomputer.com — Chinese hackers develop LONGLEASH malware to expand ORB network
- Thehackernews
- Gbhackers
- Radar