
Quad7

Also known as: Quad7, CovertNetwork-1658, xlogin, 7777

Quad7 is a botnet and activity cluster also tracked as CovertNetwork-1658, xlogin, and 7777. Public reporting links it to Chinese threat actors; Sekoia assesses that the activity is likely associated with a Chinese state-sponsored actor, although exact attribution remains unconfirmed. The activity centers on compromising SOHO routers and other edge and network devices to build a botnet, then using that infrastructure for password spraying and related follow-on operations.

Reported victim device types include TP-Link routers, ASUS routers, Zyxel VPN appliances, Ruckus Wireless devices, IP cameras, NAS devices, Dahua DVRs, MVPower devices, Zyxel NAS, and, at low volume, GitLab instances. Microsoft reported in October 2024 that the botnet consisted mainly of hacked home and small-business routers, primarily TP-Link devices, and that credentials obtained through its password-spray operations were used by multiple Chinese threat actors for computer network exploitation.

Observed tradecraft on the compromised devices includes:

- exploitation of known and unknown vulnerabilities in public-facing devices, including remote code execution on TP-Link routers via CVE-2023-50224 and CVE-2025-9377;
- disabling the TP-Link web management interface by killing /usr/bin/httpd;
- starting an access-controlled /bin/sh shell on the router;
- downloading additional binaries from remote FTP servers;
- staging artifacts in /tmp, so persistence is volatile and largely fileless (a reboot removes it);
- opening non-standard TCP listeners, including ports 7777, 11288, 63256, 63260, 63210, 3256, and 3556;
- initializing SOCKS5 proxies;
- chaining compromised network devices as multi-hop proxies (operational relay boxes) to conceal the source infrastructure.

The resulting infrastructure has been used for brute-force and password-spray attempts against Microsoft 365 and Azure tenants. The spraying is throttled to a single sign-in attempt per targeted account per 24-hour period to stay below brute-force detection thresholds; target email addresses are gathered in advance, and the compromised SOHO IP addresses are rotated to hinder detection and blocking. Sign-in attempts referenced the Microsoft Azure PowerShell application ID 1950a258-227b-4e31-a9cf-717495945fc2 and used browser-like user-agent strings. The practical consequence for defenders is that per-IP and per-account failure thresholds do not fire: the signal is only visible when failures are aggregated across many accounts and many source IPs.

The operators also introduced a backdoor named UPDTAE that establishes an HTTP-based reverse shell for remote command execution from C2. Related clusters and sub-groups named in reporting are xlogin (compromised TP-Link routers), alogin (compromised ASUS routers), rlogin (compromised Ruckus Wireless devices), zylogin (compromised Zyxel VPN appliances), and axlogin (a capability targeting Axentra NAS devices that had not been observed in the wild at the time of reporting).
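The low-and-slow pattern described above (one failed sign-in per account per day, source IPs rotated, a single client application ID) defeats per-IP and per-account thresholds, so a detection has to aggregate across accounts and IPs instead. The following is an added example written for this page, not code from Mallory, Microsoft, or Sekoia: it runs over constructed Entra ID sign-in events (JSON Lines, simplified field names; the IP addresses, user names, timestamps and the second application ID are made up) and flags an application ID whose failures span many distinct users and many distinct IPs while no single IP exceeds one attempt per day. The Azure PowerShell application ID and the error code 50126 (invalid username or password) are real; the thresholds are assumptions to tune per tenant.

```python
"""Low-and-slow password-spray detector for Entra ID sign-in events (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

AZURE_POWERSHELL_APP_ID = "1950a258-227b-4e31-a9cf-717495945fc2"  # cited in Quad7 reporting
INVALID_CREDENTIALS = 50126  # Entra ID sign-in error: invalid username or password
OTHER_APP_ID = "00000000-0000-0000-0000-000000000001"  # constructed placeholder app id
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"


def _build_sample_jsonl():
    """Constructed telemetry: a Quad7-style spray plus benign noise (not real data)."""
    base = datetime(2024, 10, 1, tzinfo=timezone.utc)
    events = []
    # Spray: 30 distinct accounts, each tried once, from a pool of 10 rotating
    # "SOHO" IPs. Each IP is used once per day, so per-IP thresholds never fire.
    for i in range(30):
        day, slot = divmod(i, 10)
        events.append({
            "createdDateTime": (base + timedelta(days=day, hours=slot)).isoformat(),
            "userPrincipalName": f"user{i:02d}@example.com",
            "ipAddress": f"203.0.113.{slot + 1}",
            "appId": AZURE_POWERSHELL_APP_ID,
            "userAgent": BROWSER_UA,
            "errorCode": INVALID_CREDENTIALS,
        })
    # Benign noise: one user mistypes a password a few times from one IP.
    for k in range(4):
        events.append({
            "createdDateTime": (base + timedelta(minutes=5 * k)).isoformat(),
            "userPrincipalName": "alice@example.com",
            "ipAddress": "198.51.100.7",
            "appId": OTHER_APP_ID,
            "userAgent": BROWSER_UA,
            "errorCode": INVALID_CREDENTIALS,
        })
    return "\n".join(json.dumps(e) for e in events)


SAMPLE_JSONL = _build_sample_jsonl()


def load_events(jsonl_text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def detect_low_and_slow_spray(events, min_users=20, min_ips=10, max_per_ip_per_day=1):
    """Return findings for app ids whose failed sign-ins look like a distributed spray.

    A finding requires: many distinct target users, many distinct source IPs, and
    no (IP, day) pair exceeding max_per_ip_per_day failures. A single noisy IP or
    a single unlucky user never satisfies the first two conditions.
    """
    failures_by_app = defaultdict(list)
    for e in events:
        if e.get("errorCode") == INVALID_CREDENTIALS:
            failures_by_app[e["appId"]].append(e)

    findings = []
    for app_id, fails in failures_by_app.items():
        users = {e["userPrincipalName"] for e in fails}
        ips = {e["ipAddress"] for e in fails}
        per_ip_day = defaultdict(int)
        for e in fails:
            day = datetime.fromisoformat(e["createdDateTime"]).date()
            per_ip_day[(e["ipAddress"], day)] += 1
        peak = max(per_ip_day.values())
        if len(users) >= min_users and len(ips) >= min_ips and peak <= max_per_ip_per_day:
            findings.append({
                "app_id": app_id,
                "distinct_users": len(users),
                "distinct_ips": len(ips),
                "peak_attempts_per_ip_per_day": peak,
                "azure_powershell": app_id == AZURE_POWERSHELL_APP_ID,
                "source_ips": sorted(ips),
            })
    return findings


if __name__ == "__main__":
    for f in detect_low_and_slow_spray(load_events(SAMPLE_JSONL)):
        print(json.dumps(f, indent=2))
```

In production the same aggregation is a KQL summarize over SigninLogs keyed on AppId with dcount(UserPrincipalName) and dcount(IPAddress); the Python above is the reference logic. Because Quad7 sources its traffic from residential SOHO addresses, blocking by IP is weak; the durable response is conditional access that blocks legacy and non-browser clients for the Azure PowerShell application ID where it is not needed, plus MFA on every account the spray can reach.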


MITRE ATT&CK

Tradecraft

One technique (with its sub-technique) observed across reporting, grouped by tactic (1 of 15 tactics):

TA0006 Credential Access
  T1110 Brute Force
  T1110.003 Password Spraying
Recent activity

5 sources tracked across advisories, community write-ups, and news.
