Quad7 Activity

Quad7 Activity, also known as CovertNetwork-1658 or the 7777 Botnet, is a network of compromised small office/home office (SOHO) routers.[1][2] The botnet was initially composed primarily of TP-Link routers and was named Quad7 due to compromised devices exposing TCP port 7777 with the distinctive banner xlogin. Later activity showed a significant increase in compromised Asus routers and the addition of new ports and banners, including TCP port 63256 displaying alogin. Quad7 infrastructure functions as a collection of egress IPs that various China-affiliated threat actors have used to conduct password-spraying and brute-force operations.[1][3] Microsoft has reported that Storm-0940 leveraged credentials obtained through Quad7 Activity to target organizations in North America and Europe, including government agencies, non-governmental organizations, think tanks, law firms, energy firms, IT providers, and defense industrial base entities.[2]
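The port/banner pairs in the overview (TCP 7777 answering xlogin, TCP 63256 answering alogin) are the simplest way for a network owner to recognise a router that has been absorbed into this botnet, and the other C2 ports this page lists under Non-Standard Port are worth checking for unexpected listeners at the same time. The following is an added example, not code from the page or from any of the cited vendors: it classifies the first bytes returned by a service on one of those ports and wraps that in a per-host check intended for devices you administer. The `grab_banner` helper, the `fake_grabber` responses and the 192.0.2.x TEST-NET hosts are constructed for illustration.

```python
import socket
from typing import Dict, List, Optional

# Port/banner signatures described in the overview: TCP 7777 answering "xlogin",
# TCP 63256 answering "alogin".
BANNER_SIGNATURES: Dict[int, bytes] = {7777: b"xlogin", 63256: b"alogin"}
# All C2 ports listed on this page (T1571); a listener on any of them is
# unexpected on a consumer router even when the banner is not recognised.
QUAD7_PORTS = {7777, 11288, 63256, 63210, 3256, 3556}


def classify_banner(port: int, banner: Optional[bytes]) -> Optional[str]:
    """Map a (port, first bytes) observation to an indicator label.

    None          -> port closed or unreachable, nothing to report
    'strong:...'  -> banner matches one of the reported Quad7 strings
    'weak:...'    -> something listens on a reported port, banner unknown
    Matching is prefix-based on the first line so trailing prompt characters
    or line endings do not cause a miss.
    """
    if banner is None or port not in QUAD7_PORTS:
        return None
    first_line = banner.split(b"\n", 1)[0].strip()
    expected = BANNER_SIGNATURES.get(port)
    if expected is not None and first_line.startswith(expected):
        return f"strong:{expected.decode()}@{port}"
    return f"weak:listener@{port}"


def grab_banner(host: str, port: int, timeout: float = 3.0) -> Optional[bytes]:
    """Connect and read whatever the service volunteers first.
    Returns None if the connection fails, b'' if it connects but stays silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256)
            except OSError:  # connected, but no banner before the timeout
                return b""
    except OSError:
        return None


def check_host(host: str, grabber=grab_banner) -> List[str]:
    """Probe every Quad7-associated port on one host you administer and return
    the indicator labels. `grabber` is injectable so the logic runs offline."""
    findings = []
    for port in sorted(QUAD7_PORTS):
        label = classify_banner(port, grabber(host, port))
        if label:
            findings.append(label)
    return findings


# Constructed responses standing in for real devices (TEST-NET addresses).
# A missing key means the connection was refused.
FAKE_RESPONSES = {
    ("192.0.2.10", 7777): b"xlogin:\r\n",
    ("192.0.2.10", 63256): b"alogin\r\n",
    ("192.0.2.10", 11288): b"",
    ("192.0.2.11", 7777): b"SSH-2.0-OpenSSH_8.4\r\n",
}


def fake_grabber(host: str, port: int) -> Optional[bytes]:
    return FAKE_RESPONSES.get((host, port))


if __name__ == "__main__":
    for host in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(host, check_host(host, fake_grabber))
```

A "weak" finding only says that a reported port is open; a "strong" one matches the banner text the page associates with the botnet and should trigger isolation of the device and a firmware reflash, since the page notes that artifacts live in the volatile /tmp directory and the management interface may have been disabled.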

ID: C0055
First Seen: August 2023 [2]
Last Seen: August 2025 [4]
Version: 1.0
Created: 04 June 2025
Last Modified: 24 October 2025

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

Quad7 Activity has used the same user agents, Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko and Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36, combined with a reference to the Microsoft Azure PowerShell application ID 1950a258-227b-4e31-a9cf-717495945fc2 in its sign-in attempts.[2]

Enterprise T1071.002 Application Layer Protocol: File Transfer Protocols

Quad7 Activity has used a File Transfer Protocol (FTP) server to download malicious binaries.[2]

Enterprise T1110.003 Brute Force: Password Spraying

Quad7 Activity has conducted a throttled variant of password spraying that used only a single sign-in attempt within a 24-hour period, evading brute-force detection thresholds.[2]

Enterprise T1059.004 Command and Scripting Interpreter: Unix Shell

Quad7 Activity has enabled the creation of an access-controlled command shell /bin/sh on compromised routers.[2][1]

Enterprise T1584.005 Compromise Infrastructure: Botnet

Quad7 Activity has compromised SOHO routers of various brands to form a botnet that has been leveraged in password spraying activity.[1][2]

Enterprise T1584.008 Compromise Infrastructure: Network Devices

Quad7 Activity has compromised network devices, such as IP cameras, Network Attached Storage (NAS) devices, and SOHO routers, to leverage for follow-on activity.[2][5]

Enterprise T1190 Exploit Public-Facing Application

Quad7 Activity has enabled the exploitation of vulnerabilities in SOHO routers for remote code execution, including CVE-2023-50224 and CVE-2025-9377 in TP-Link devices.[2][4]

Enterprise T1589.002 Gather Victim Identity Information: Email Addresses

Quad7 Activity has gathered targeted individuals' e-mail addresses for use in password spraying attempts.[3]

Enterprise T1665 Hide Infrastructure

Quad7 Activity has rotated the IP addresses of compromised SOHO devices used in password spraying activity to hamper detection and network blocking by defenders.[2]

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

Quad7 Activity has disabled the management interface on TP-Link routers by killing the /usr/bin/httpd process.[5][2][1]

Enterprise T1105 Ingress Tool Transfer

Quad7 Activity has downloaded additional binaries from a remote File Transfer Protocol (FTP) server to compromised devices.[2]

Enterprise T1571 Non-Standard Port

Quad7 Activity has used non-standard TCP ports, such as 7777, 11288, 63256, 63210, 3256, and 3556, for C2.[2][5]

Enterprise T1027.011 Obfuscated Files or Information: Fileless Storage

Quad7 Activity has infected victim network devices by storing artifacts in the /tmp directory, which is held in volatile memory and is cleared on shutdown or restart.[1]

Enterprise T1090.002 Proxy: External Proxy

Quad7 Activity has initialized SOCKS5 proxies on compromised devices.[2][1]

Enterprise T1090.003 Proxy: Multi-hop Proxy

Quad7 Activity has routed traffic through chains of compromised network devices for password spray attacks.[2]
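Several of the rows above describe one detection problem from different angles: the sign-in attempts carry a recognisable client fingerprint (the Azure PowerShell application ID together with two specific user agents), they are throttled to a single attempt within 24 hours so per-account lockout thresholds never fire, and the source IPs rotate across the botnet so a per-IP view stays below the radar. The following is an added example, not code from the page or from Microsoft's reporting: it parses constructed sign-in records, flags any source IP that fails against many distinct accounts while never exceeding one attempt per account in any sliding 24-hour window, and aggregates the fingerprinted failures across all IPs so rotation does not fragment the picture. The log format, the example.test accounts, the TEST-NET addresses, the benign user agent and the all-zero placeholder application ID are constructed; the application ID and the two user agents that are matched come from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Values reported on this page: the Azure PowerShell application ID and the two
# user agents seen in Quad7-related sign-in attempts.
AZURE_POWERSHELL_APP_ID = "1950a258-227b-4e31-a9cf-717495945fc2"
UA_TRIDENT = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
UA_CHROME80 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36")
QUAD7_USER_AGENTS = {UA_TRIDENT, UA_CHROME80}

# Constructed, hypothetical values for the benign traffic in the sample.
UA_BENIGN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36")
APP_ID_BENIGN = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real app ID

# Constructed sample sign-in events:
# (timestamp, source_ip, account, app_id, user_agent, result)
SAMPLE_EVENTS = [
    # One failed attempt per day, each against a different account: low-and-slow spray.
    ("2024-03-01T02:11:00Z", "198.51.100.7", "alice@example.test", AZURE_POWERSHELL_APP_ID, UA_TRIDENT, "FAIL"),
    ("2024-03-02T03:40:00Z", "198.51.100.7", "bob@example.test", AZURE_POWERSHELL_APP_ID, UA_TRIDENT, "FAIL"),
    ("2024-03-03T01:05:00Z", "198.51.100.7", "carol@example.test", AZURE_POWERSHELL_APP_ID, UA_TRIDENT, "FAIL"),
    ("2024-03-04T04:22:00Z", "198.51.100.7", "dave@example.test", AZURE_POWERSHELL_APP_ID, UA_TRIDENT, "FAIL"),
    ("2024-03-05T02:58:00Z", "198.51.100.7", "erin@example.test", AZURE_POWERSHELL_APP_ID, UA_TRIDENT, "FAIL"),
    ("2024-03-06T03:14:00Z", "198.51.100.7", "frank@example.test", AZURE_POWERSHELL_APP_ID, UA_TRIDENT, "FAIL"),
    # A second source with the same client fingerprint (a rotated egress IP).
    ("2024-03-03T05:30:00Z", "203.0.113.5", "grace@example.test", AZURE_POWERSHELL_APP_ID, UA_CHROME80, "FAIL"),
    ("2024-03-05T06:10:00Z", "203.0.113.5", "heidi@example.test", AZURE_POWERSHELL_APP_ID, UA_CHROME80, "FAIL"),
    # A user mistyping a password a few times, then succeeding: a lockout-style burst.
    ("2024-03-04T08:00:00Z", "192.0.2.50", "bob@example.test", APP_ID_BENIGN, UA_BENIGN, "FAIL"),
    ("2024-03-04T08:03:00Z", "192.0.2.50", "bob@example.test", APP_ID_BENIGN, UA_BENIGN, "FAIL"),
    ("2024-03-04T08:05:00Z", "192.0.2.50", "bob@example.test", APP_ID_BENIGN, UA_BENIGN, "FAIL"),
    ("2024-03-04T08:06:00Z", "192.0.2.50", "bob@example.test", APP_ID_BENIGN, UA_BENIGN, "SUCCESS"),
]
SAMPLE_LOG = "\n".join("\t".join(e) for e in SAMPLE_EVENTS)


def parse_log(text):
    """Parse tab-separated sign-in lines into dicts with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, app_id, ua, result = line.split("\t")
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
                        "account": account, "app_id": app_id, "ua": ua, "result": result})
    return records


def max_attempts_per_account_24h(records):
    """Largest number of attempts against any single account within any sliding 24-hour window."""
    by_account = defaultdict(list)
    for r in records:
        by_account[r["account"]].append(r["ts"])
    worst = 0
    for times in by_account.values():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while t - times[j] >= timedelta(hours=24):
                j += 1
            worst = max(worst, i - j + 1)
    return worst


def has_quad7_client_fingerprint(r):
    """True when the record carries the app ID and one of the user agents reported on the page."""
    return r["app_id"] == AZURE_POWERSHELL_APP_ID and r["ua"] in QUAD7_USER_AGENTS


def detect_low_and_slow(records, min_accounts=5):
    """Flag source IPs that fail against many distinct accounts while never
    exceeding one attempt per account in any 24-hour window: exactly the
    pattern that slips under per-account lockout thresholds."""
    by_ip = defaultdict(list)
    for r in records:
        if r["result"] == "FAIL":
            by_ip[r["ip"]].append(r)
    alerts = []
    for ip in sorted(by_ip):
        recs = by_ip[ip]
        accounts = {r["account"] for r in recs}
        worst = max_attempts_per_account_24h(recs)
        if len(accounts) >= min_accounts and worst <= 1:
            alerts.append({"ip": ip, "distinct_accounts": len(accounts),
                           "max_attempts_per_account_24h": worst,
                           "quad7_client_fingerprint": any(has_quad7_client_fingerprint(r) for r in recs)})
    return alerts


def fingerprint_summary(records):
    """Aggregate fingerprinted failures across all source IPs, so rotating
    egress addresses do not split one campaign into many small, ignorable ones."""
    hits = [r for r in records if r["result"] == "FAIL" and has_quad7_client_fingerprint(r)]
    return {"source_ips": len({r["ip"] for r in hits}),
            "accounts": len({r["account"] for r in hits})}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for alert in detect_low_and_slow(recs):
        print("low-and-slow spray:", alert)
    print("fingerprint summary:", fingerprint_summary(recs))
```

The Azure PowerShell application ID and an old Trident or Chrome 80 user agent are weak signals on their own, since legitimate administrators use the same application; the value of the example is in combining them with the per-source breadth-over-depth pattern (`detect_low_and_slow`) and with the cross-IP aggregation (`fingerprint_summary`), which is what the rotating-IP and throttling behaviour in the rows above is designed to defeat.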

Software

ID Name Description
S0095 ftp

Quad7 Activity.[2]

References