Storm-0940 is a Chinese threat actor assessed by Microsoft and referenced by the U.S. government. The group has been linked to highly evasive password spray activity leveraging the CovertNetwork-1658 botnet, also known as Quad7 and xlogin, which consists of compromised SOHO routers and networking devices. Microsoft observed Storm-0940 using credentials obtained through CovertNetwork-1658 password spray operations to breach targeted networks, sometimes on the same day the credentials were stolen. After initial access, the actor was observed dumping additional credentials, moving laterally, installing RATs and proxy tools for persistence, and exfiltrating data for likely cyber espionage purposes. Supporting reporting also notes the botnet included compromised devices such as TP-Link routers and that Storm-0940 used credentials acquired from these operations against U.S. corporate networks. Known alias in the provided content: storm_0940.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Attributed origin per open-source reporting.
5 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
2 malware families attributed to this actor across reporting.
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Assessed Chinese threat actor behind activity involving CovertNetwork-1658/Quad7, used to conduct highly evasive password spray attacks.
Storm-0940 is a state-sponsored group known for recruiting TP-Link routers into a botnet to conduct evasive password spraying attacks targeting US corporate networks.
Uses credentials obtained via the Quad7/CovertNetwork-1658 botnet’s password-spray operations to breach target networks, then dumps credentials, installs RATs and proxy tools for persistence, and exfiltrates data for likely cyber espionage.
China-linked actor using a covert network of compromised SOHO routers/network devices (CovertNetwork-1658/Quad7) to password-spray, steal credentials, move laterally, and exfiltrate data across targets in North America and Europe.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.