C0055 Quad7 Activity
Quad7 Activity, also known as CovertNetwork-1658 or the 7777 Botnet, is a network of compromised small office/home office (SOHO) routers.[1][3] The botnet was initially composed primarily of TP-Link routers and was named Quad7 because compromised devices exposed TCP port 7777 with the distinctive banner xlogin. Later activity showed a significant increase in compromised Asus routers and the addition of new ports and banners, including TCP port 63256 displaying alogin. Quad7 infrastructure functions as a pool of egress IPs that various China-affiliated threat actors have used to conduct password-spraying and brute-force operations.[1][2] Microsoft has reported that Storm-0940 leveraged credentials obtained through Quad7 Activity to target organizations in North America and Europe, including government agencies, non-governmental organizations, think tanks, law firms, energy firms, IT providers, and defense industrial base entities.[3]
| Item | Value |
|---|---|
| ID | C0055 |
| Associated Names | CovertNetwork-1658, 7777 Botnet |
| First Seen | August 2023 |
| Last Seen | August 2025 |
| Version | 1.0 |
| Created | 04 June 2025 |
| Last Modified | 24 October 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Quad7 Activity has used the same user agents, `Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko` and `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36`, combined with a reference to the Microsoft Azure PowerShell Application ID `1950a258-227b-4e31-a9cf-717495945fc2`, in its sign-in attempts.[3] |
| enterprise | T1071.002 | File Transfer Protocols | Quad7 Activity has used a File Transfer Protocol (FTP) server to download malicious binaries.[3] |
| enterprise | T1110 | Brute Force | - |
| enterprise | T1110.003 | Password Spraying | Quad7 Activity has conducted a throttled variant of password spraying that made only a single sign-in attempt within any 24-hour period, staying below brute-force detection thresholds.[3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | Quad7 Activity has enabled the creation of an access-controlled command shell /bin/sh on compromised routers.[3][1] |
| enterprise | T1584 | Compromise Infrastructure | - |
| enterprise | T1584.005 | Botnet | Quad7 Activity has compromised SOHO routers of various brands to form a botnet that has been leveraged in password spraying activity.[1][3] |
| enterprise | T1584.008 | Network Devices | Quad7 Activity has compromised network devices, such as IP cameras, Network Attached Storage (NAS) devices, and SOHO routers, to leverage for follow-on activity.[3][5] |
| enterprise | T1190 | Exploit Public-Facing Application | Quad7 Activity has exploited remote code execution vulnerabilities in SOHO routers, including CVE-2023-50224 and CVE-2025-9377 in TP-Link devices.[3][4] |
| enterprise | T1589 | Gather Victim Identity Information | - |
| enterprise | T1589.002 | Email Addresses | Quad7 Activity has gathered targeted individuals' e-mail addresses for its password spraying attempts.[2] |
| enterprise | T1665 | Hide Infrastructure | Quad7 Activity has rotated the compromised SOHO IPs used in password spraying activity to hamper detection and network blocking by defenders.[3] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Quad7 Activity has disabled the TP-Link management interface by killing the /usr/bin/httpd process.[5][3][1] |
| enterprise | T1105 | Ingress Tool Transfer | Quad7 Activity has downloaded additional binaries from a remote File Transfer Protocol (FTP) server to compromised devices.[3] |
| enterprise | T1571 | Non-Standard Port | Quad7 Activity has used non-standard TCP ports, such as 7777, 11288, 63256, 63210, 3256, and 3556, for C2.[3][5] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.011 | Fileless Storage | Quad7 Activity has infected victim network devices by storing artifacts in the /tmp directory, which is memory-backed and cleared on shutdown or restart.[1] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.002 | External Proxy | Quad7 Activity has initialized SOCKS5 proxies on compromised devices.[3][1] |
| enterprise | T1090.003 | Multi-hop Proxy | Quad7 Activity has routed traffic through chains of compromised network devices for password spray attacks.[3] |
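The T1071.001, T1110.003 and T1665 rows above describe one detection problem: each account sees at most one failed sign-in per day, and every attempt arrives from a different compromised SOHO address, so per-account lockout thresholds never fire. The example below is added here and is not MITRE's, Microsoft's, or any vendor's code. It shows why the classic per-account rule misses this activity and how correlating failures across accounts by client fingerprint (the Azure PowerShell application ID and the user agents quoted in the table) surfaces it. The JSON sign-in records, their field names (`ts`, `user`, `src_ip`, `result`, `user_agent`, `app_id`) and all addresses and account names are constructed for the example.

```python
"""Low-and-slow password spray detection (added example, not page or vendor code)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Fingerprints quoted on the page: the two sign-in user agents and the
# Microsoft Azure PowerShell application ID referenced in the attempts.
KNOWN_USER_AGENTS = {
    "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/80.0.3987.149 Safari/537.36",
}
AZURE_POWERSHELL_APP_ID = "1950a258-227b-4e31-a9cf-717495945fc2"

SPRAY_USERS = ["alice", "carol", "dave", "erin", "frank", "grace"]  # constructed


def constructed_log_lines():
    """Build constructed JSON-lines sign-in records: 6 accounts, 2 days, one failed
    attempt per account per day, each from a different documentation-range IP,
    plus one benign user who mistypes a password three times and then succeeds."""
    base = datetime(2024, 10, 1, 8, 0)
    lines, n = [], 0
    for day in range(2):
        for user in SPRAY_USERS:
            n += 1
            lines.append(json.dumps({
                "ts": (base + timedelta(days=day, minutes=17 * n)).isoformat(),
                "user": f"{user}@example.com",
                "src_ip": f"203.0.113.{n}",          # rotated egress, never reused
                "result": "failure",
                "user_agent": sorted(KNOWN_USER_AGENTS)[n % 2],
                "app_id": AZURE_POWERSHELL_APP_ID,
            }))
    for k, result in enumerate(["failure", "failure", "failure", "success"]):
        lines.append(json.dumps({
            "ts": (base + timedelta(minutes=k)).isoformat(),
            "user": "bob@example.com",
            "src_ip": "192.0.2.10",
            "result": result,
            "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0",
            "app_id": "00000000-0000-0000-0000-000000000001",  # placeholder app id
        }))
    return lines


def parse_event(line):
    """Parse one JSON record and convert the timestamp to a datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def per_account_lockout_triggered(events, threshold=5, window=timedelta(hours=24)):
    """Classic rule: N failures for one account inside a window. Returns True if any
    account trips it. A one-attempt-per-day spray never does."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_user[e["user"]].append(e["ts"])
    for times in by_user.values():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                return True
    return False


def detect_low_and_slow_spray(events, window=timedelta(days=7), min_users=5, min_ips=5):
    """Correlate failures across accounts that share a client fingerprint (app id).
    Flags a group when, inside the window, many distinct accounts fail from many
    distinct source IPs, and reports how throttled the per-account rate was."""
    failures = sorted((e for e in events if e["result"] == "failure"), key=lambda e: e["ts"])
    by_app = defaultdict(list)
    for e in failures:
        by_app[e["app_id"]].append(e)
    findings = []
    for app_id, evs in by_app.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            users = {e["user"] for e in in_window}
            ips = {e["src_ip"] for e in in_window}
            if len(users) >= min_users and len(ips) >= min_ips:
                per_day = defaultdict(int)
                for e in in_window:
                    per_day[(e["user"], e["ts"].date())] += 1
                findings.append({
                    "app_id": app_id,
                    "window_start": first["ts"],
                    "distinct_users": len(users),
                    "distinct_ips": len(ips),
                    "max_attempts_per_account_per_day": max(per_day.values()),
                    "known_user_agent": any(e["user_agent"] in KNOWN_USER_AGENTS for e in in_window),
                    "azure_powershell_app_id": app_id == AZURE_POWERSHELL_APP_ID,
                })
                break  # one finding per fingerprint is enough
    return findings


if __name__ == "__main__":
    evs = [parse_event(l) for l in constructed_log_lines()]
    print("per-account lockout fired:", per_account_lockout_triggered(evs))
    for f in detect_low_and_slow_spray(evs):
        print("spray finding:", f)
```

On the constructed input the per-account rule stays silent while the correlated rule reports one finding: six accounts, twelve source IPs, at most one attempt per account per day, with the page's user agents and application ID present. In production the grouping key would usually combine application ID with autonomous system or a residential-proxy reputation feed, since the source IPs themselves rotate and are not a stable indicator.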
Software
| ID | Name | Description |
|---|---|---|
| S0095 | ftp | Quad7 Activity.[3] |
References
1. Batista, João. Gi7w0rm. (2024, August 27). Retrieved June 5, 2025.
2. Gi7w0rm. (2023, October 19). The curious case of the 7777-Botnet. Retrieved June 5, 2025.
3. Microsoft Threat Intelligence. (2024, October 31). Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network. Retrieved June 4, 2025.
4. TP-Link. (2025, August 29). Technical News and Reports about Quad 7 (7777) Botnet aka CovertNetwork-1658. Retrieved October 10, 2025.
5. Aime, F. et al. (n.d.). Solving the 7777 Botnet enigma: A cybersecurity quest. Retrieved July 23, 2024.