Cyware Daily Threat Intelligence - July 07, 2026

Attackers are turning everyday routers into covert launchpads, using new malware families to relay operations through compromised edge devices. On cyware.com, analysts are tracking UAT-7810's expansion of its Operational Relay Box network, which leverages multiple backdoors and exploits in Ruckus and ASUS routers to make intrusions harder to trace. Cisco Talos has linked this activity to a cluster of new malware, with detection coverage mapped to five distinct SNORT SIDs.
Critical vulnerabilities in network management platforms are opening the door to remote device takeovers. Ubiquiti’s UniFi product line faces a wave of exploits, with CVSS scores as high as 10.0 and first-time exploitation confirmed by CISA. Attackers are targeting device management, access control, and video surveillance infrastructure, with patches now available to close the gaps.
A modular command-and-control framework is giving Iranian threat actors new reach into Israeli networks. MuddyWater is deploying the Cavern framework, exploiting five separate CVEs to breach IT providers and government targets. The campaign’s DLL modules and anti-analysis techniques are designed to evade detection and enable broad, persistent access.
Top Malware Reported in the Last 24 Hours
UAT-7810 expands router-based ORB malware
The UAT-7810 malware cluster consists of multiple families designed to convert edge devices into covert infrastructure. LONGLEASH acts as an intermediate command-and-control relay, providing reverse-shell access, proxying, and packet redirection. DOGLEASH executes coded tasking such as shell commands and file reading, while JARLEASH adds web-based file management and FTP/SFTP-style services for data staging. UAT-7810 delivers these payloads by exploiting known vulnerabilities in Ruckus wireless routers and ASUS AiCloud routers. UAT-7810 targets organizations with internet-facing network gear, making intrusions harder to trace by routing operations through repurposed devices. Cisco Talos discovered the activity and referenced available patches for the exploited vulnerabilities.
Gentlemen ransomware spreads itself across networks
The Gentlemen ransomware family is engineered for rapid lateral movement and enterprise-wide impact. Gentlemen ransomware self-propagates by enumerating reachable systems and deploying its payload across networks. Gentlemen ransomware encrypts files on Windows, Linux, and VMware ESXi environments, causing business shutdowns and ransom demands for decryption. Gentlemen ransomware leverages multiple remote-execution techniques, including PsExec, WMIC, scheduled tasks, Windows services, PowerShell remoting, and WMI process creation. Gentlemen ransomware has impacted organizations in education, transportation, healthcare, and financial services. CSO Online reported the campaign, highlighting the risk of multi-site disruption.
Fake Teams IT calls deliver EtherRAT
The EtherRAT remote access trojan is distributed via Microsoft Teams social engineering campaigns that impersonate IT support. EtherRAT operators blend phishing emails with follow-up voice calls, convincing employees to install attacker-controlled tools. EtherRAT uses an “Employee Survey” lure, a malicious PDF, and a trojanized MSI installer to deliver its payload. EtherRAT provides full remote control, including command execution, file manipulation, data theft, and persistence. EtherRAT targets individual employees as entry points for broader compromise. BleepingComputer reported Microsoft’s response, which includes new Teams protections and policies for suspected third-party bots.
Top Vulnerabilities Reported in Last 24 hours
Agentic malware raids Langflow for secrets (CVE-2025-3248)
The CVE-2025-3248 missing-authentication vulnerability in the Langflow framework (CVSS not specified) allows attackers to execute Python code on the host and extract credentials. Successful exploitation enables theft of LLM API keys from OpenAI, Anthropic, DeepSeek, and Gemini, as well as cryptocurrency wallets and credentials in PostgreSQL and MinIO storage. The vulnerability is actively exploited, with attackers using automation to retry failed steps and remove temporary files to evade detection. Sysdig researchers discovered the issue and observed the “JadePuffer” agent in action. A patch is available from Langflow, and all deployments should update immediately.
UniFi bugs enable remote device takeover
Multiple critical vulnerabilities affect the Ubiquiti UniFi product line, including CVE-2026-50746 (command execution, CVSS 10.0), CVE-2026-50747 (SQL injection, CVSS 9.9), CVE-2026-50748 (input validation, CVSS 9.9), CVE-2026-54402 (input validation, CVSS 9.9), CVE-2026-55115 (SSRF, CVSS 9.9), and CVE-2026-54403 (path traversal, authentication bypass, CVSS 9.9). Successful exploitation allows remote takeover of network management, access control, and video surveillance devices. These vulnerabilities are under active exploitation, with CISA confirming attacks and NCSC highlighting the risk. Ubiquiti has released patches for all affected products, and updates are available.
ColdFusion RDS flaw leads to RCE (CVE-2026-48282)
The CVE-2026-48282 path traversal vulnerability in Adobe ColdFusion’s RDS FILEIO handler (CVSS 10.0) enables unauthenticated remote code execution on vulnerable servers. Exploitation allows attackers to access and manipulate files outside intended directories, escalating to full code execution. The vulnerability is actively exploited, with attackers using a POST request to the RDS FILEIO endpoint in a length-prefixed RPC format to confirm file-write capability, then deploying a CFML webshell. Resecurity documented the exploitation chain. A fix is available in ColdFusion 2025 Update 10 and 2023 Update 21, and all deployments should update immediately.
Top Threat Actors Reported in Last 24 hours
UAT-7810 grows router-based relay network
The UAT-7810 advanced persistent threat group (China-nexus, suspected) is focused on espionage and covert infrastructure development. UAT-7810 is actively developing and deploying LONGLEASH (a new version of the SHORTLEASH backdoor), DOGLEASH, and JARLEASH to relay traffic and support follow-on operations. UAT-7810 uses LONGLEASH as an intermediate C2 server with reverse shell, proxying, and packet redirection, while DOGLEASH executes coded commands and JARLEASH provides web-based file management and FTP/SFTP services. UAT-7810 targets organizations with internet-facing Ruckus wireless routers and ASUS AiCloud Routers, using them as “middleman” infrastructure for intrusions. Cisco Talos attributed hosting and distribution to IP addresses 194.233.92[.]26, 217.15.160[.]247, 217.15.164[.]147, and 95.182.100[.]231, and detection coverage includes SNORT SIDs 66433, 66432, 66430, 66431, and 301493, as well as ClamAV signatures.
Turla refreshes Kazuar stealth playbook
The Turla threat actor (also tracked as the Russia-linked FSB-associated group, suspected) is motivated by long-term espionage. Turla leverages the Kazuar backdoor, often paired with STOCKSTAY, in campaigns that blend legitimate-signed executables with malicious DLLs. Turla uses DLL side-loading, PowerShell loaders, and process spawning (such as Start-Process launching Nvidia helper binaries) to evade detection. Turla targets government and military organizations, aiming for persistent access to sensitive internal data. Recent campaigns use MITRE ATT&CK techniques T1574.001 (DLL side-loading), T1059.001 (PowerShell), T1102/T1071 (web services and protocols), and T1480 (environmental keying).
MuddyWater deploys Cavern against Israel
The MuddyWater threat actor (an Iranian group linked to Iran’s Ministry of Intelligence and Security, suspected) is focused on espionage and data exfiltration. MuddyWater is deploying the Cavern modular C2 framework, which consists of DLL modules for file operations (mhm.dll), SQL database manipulation (db.dll), Active Directory reconnaissance (ode.dll), network reconnaissance (n-ten.dll), and SOCKS5 proxy/WebSocket tunneling (n-sws.dll). MuddyWater exploits CVE-2025-52691, CVE-2025-68613, CVE-2025-9316, CVE-2025-34291, and CVE-2025-54068 to breach Israeli IT providers and government organizations. MuddyWater’s Cavern agent (uxtheme.dll) combines managed .NET code with native C++ and uses anti-analysis techniques to hinder detection. The campaign’s modular design enables lateral movement from compromised suppliers into downstream environments.
Frequently Asked Questions
What is UAT-7810? UAT-7810, a China-nexus APT group, is building out its Operational Relay Box (ORB) network with new malware families designed to turn edge devices into covert infrastructure. LONGLEASH acts as an intermediate command-and-control relay that can provide reverse-shell access, proxying, and packet redirection—giving operators a way to route operations through compromised routers.
What is Gentlemen? Gentlemen ransomware is built to move quickly inside enterprises, using self-propagation to enumerate reachable systems and push its payload across a network. After landing, it encrypts files on Windows, Linux, and VMware ESXi environments, turning routine IT outages into business shutdowns while the victim faces a ransom demand for decryption.
What is EtherRAT? EtherRAT is being pushed through Microsoft Teams social engineering that impersonates IT support, blending phishing emails with follow-up voice calls to talk employees into installing tools attackers control. The campaign uses an “Employee Survey” lure and a malicious PDF, then pivots to a malicious MSI installer that loads the payload.
What is CVE-2025-3248? Attackers are exploiting a missing-authentication flaw in the Langflow framework (CVE-2025-3248) to run Python code on the underlying host and quickly strip out valuable credentials. In Sysdig’s analysis, the “JadePuffer” agent shows a trial-and-error style of automation, retrying failed steps with tweaked parameters until it can extract what it wants.
What is CVE-2026-50746? Multiple critical flaws across Ubiquiti’s UniFi product line could let attackers take over devices remotely, turning network management, access control, and video surveillance infrastructure into an entry point. The reported issues span UniFi apps and UniFi OS, including command execution in UniFi Connect (CVE-2026-50746, CVSS 10.0), SQL injection in UniFi Talk (CVE-2026-50747, CVSS 9.9), input validation flaws in UniFi Access (CVE-2026-50748, CVSS 9.9) and UniFi OS (CVE-2026-54402, CVSS 9.9), SSRF in UniFi Protect (CVE-2026-55115, CVSS 9.9), and a path traversal in UniFi OS that enables authentication bypass (CVE-2026-54403, CVSS 9.9).
What is CVE-2026-48282? A critical path traversal flaw in Adobe ColdFusion’s RDS FILEIO handler (CVE-2026-48282, CVSS 10.0) allows unauthenticated remote code execution on vulnerable servers. The issue centers on FILEIO operations that can be abused to access and manipulate files outside intended directories, letting an attacker move from file access to full code execution.
What is UAT-7810? UAT-7810, a China-nexus APT group, is expanding its “Operational Relay Box” (ORB) network by rolling out a cluster of new malware families designed to turn edge devices into stealthy infrastructure. They are actively developing and deploying LONGLEASH (a new version of the SHORTLEASH backdoor), alongside DOGLEASH and JARLEASH, to relay traffic and support follow-on operations against high-value targets.
What is Turla? Turla (also tracked as the Russia-linked FSB-associated threat actor) continues to lean on its long-running Kazuar backdoor—often paired with STOCKSTAY—in campaigns built for quiet, long-term espionage. Recent activity shows them blending legitimate-signed executables with malicious DLLs, using DLL side-loading to make the execution chain look routine on compromised machines.
What is MuddyWater? MuddyWater (an Iranian hacking group linked to Iran’s Ministry of Intelligence and Security), is using a new modular C2 framework called Cavern to target Israeli organizations, with a reported focus on IT providers and government. They are exploiting vulnerabilities including CVE-2025-52691, CVE-2025-68613, CVE-2025-9316, CVE-2025-34291, and CVE-2025-54068 as part of activity described as reconnaissance and data exfiltration.