C0055: Quad7 Activity
Quad7 Activity, also known as CovertNetwork-1658 or the 7777 Botnet, is a network of compromised small office/home office (SOHO) routers. [1] [2] The botnet was initially composed primarily of TP-Link routers and was named Quad7 due to compromised devices exposing TCP port 7777 with the distinctive banner xlogin. Later activity showed a significant increase in compromised Asus routers and the addition of new ports and banners, including TCP port 63256 displaying alogin. Quad7 infrastructure functions as a collection of egress IPs that various China-affiliated threat actors have used to conduct password-spraying and brute-force operations. [1][3] Microsoft has reported that Storm-0940 leveraged credentials obtained through Quad7 Activity to target organizations in North America and Europe, including government agencies, non-governmental organizations, think tanks, law firms, energy firms, IT providers, and defense industrial base entities. [2]
Analyst context for executives and security teams
Quad7 Activity matters because it describes compromised SOHO routers being used as a covert egress network for password-spraying and brute-force activity. For leaders, the key risk is not only the routers themselves; it is that authentication attacks may arrive from distributed, ordinary-looking residential or small-office IP space, reducing the value of simple IP reputation blocking.
Executive priority
Prioritize identity resilience and edge-device hygiene. Ask whether MFA, password-spray detection, lockout/risk policies, and incident response playbooks can handle low-and-slow login attempts from many unrelated IPs. Where the organization manages branch, remote-office, or SOHO network devices, validate inventory, patching, exposed management services, and evidence needed for audit or incident scoping.
Technical view
MITRE provides no campaign-specific detection text or official platforms, so defenders should validate coverage from the relationships: Password Spraying, Exploit Public-Facing Application, Botnet/Network Devices, External and Multi-hop Proxy, Non-Standard Port, Web/File Transfer Protocol C2, Unix Shell, Fileless Storage, Ingress Tool Transfer, Hide Infrastructure, and Disable or Modify Tools. SOC teams should correlate identity failures across accounts, source IP diversity, and timing patterns rather than relying only on per-account lockout thresholds or known-bad IP lists. Network teams should confirm visibility for unusual exposed services and banners noted in the description, including TCP 7777 with `xlogin` and TCP 63256 with `alogin`, where legally and operationally appropriate.
Likely telemetry
- Identity provider and VPN authentication logs, including failed and successful logins by account, source IP, user agent, geography, and time window
- Password-spray analytics across many accounts from distributed sources
- Firewall, proxy, DNS, NetFlow, and IDS/IPS records for inbound and outbound connections
- Exposure-management or external attack surface scan results for Internet-facing services and network devices
- Router and network-device inventory, firmware, configuration, remote-administration, and management-plane logs where available
Detection direction
- Tune identity detections for distributed password spraying: many accounts, few attempts per account, repeated common timing patterns, and source IP rotation.
- Avoid overdependence on IP reputation; the relationship context includes external and multi-hop proxy behavior using compromised network devices.
- Validate whether SIEM rules correlate authentication failures with later successful logins from new infrastructure.
- Monitor for non-standard ports and unusual protocol/port pairings, especially when traffic blends into web or file-transfer protocols.
- Use the campaign description’s ports and banners as defensive hunting clues, not as complete indicators.
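The first three detection points above (breadth-based spray detection, no reliance on IP reputation, and correlating failures with a later success from new infrastructure) as one worked example. This is added here and is not code from MITRE, Microsoft or Glexia; the event layout (`timestamp,user,source_ip,result`), the sample addresses (RFC 5737 documentation ranges) and the threshold values are constructed assumptions to be replaced with your identity provider's export and your own tuning.

```python
"""Detection logic for distributed, throttled password spraying (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, oldest first: a benign mistype-then-login, one
# routine success, then seven accounts each failing exactly once from seven
# different source IPs, then a success for one sprayed account from an IP
# that user never used before, then a routine success from a known IP.
SAMPLE_LOG = """\
2024-09-30T09:00:00Z,bob,203.0.113.11,failure
2024-09-30T09:00:20Z,bob,203.0.113.11,success
2024-10-01T08:00:00Z,alice,203.0.113.10,success
2024-10-02T02:00:00Z,alice,198.51.100.1,failure
2024-10-02T02:05:00Z,bob,198.51.100.2,failure
2024-10-02T02:10:00Z,carol,198.51.100.3,failure
2024-10-02T02:15:00Z,dave,198.51.100.4,failure
2024-10-02T02:20:00Z,erin,198.51.100.5,failure
2024-10-02T02:25:00Z,frank,198.51.100.6,failure
2024-10-02T02:30:00Z,grace,198.51.100.7,failure
2024-10-02T11:00:00Z,carol,198.51.100.9,success
2024-10-03T08:00:00Z,alice,203.0.113.10,success
"""


def parse_events(text):
    """Parse the assumed CSV layout into dicts sorted by time (UTC, naive)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip, result = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def detect_distributed_spray(events, window=timedelta(hours=24),
                             min_accounts=5, min_sources=5, max_per_account=1):
    """Flag windows where many accounts each see very few failures from many IPs.

    Per-account lockout never fires on one attempt per account per day, so the
    rule measures breadth (distinct accounts, distinct sources) instead of depth.
    Accounts with more than max_per_account failures (a user mistyping) are
    excluded so that ordinary noise cannot mask the signal.
    """
    failures = [e for e in events if e["result"] == "failure"]
    alerts, i = [], 0
    while i < len(failures):
        start = failures[i]["ts"]
        end = start + window
        per_account = defaultdict(list)
        for e in failures:
            if start <= e["ts"] < end:
                per_account[e["user"]].append(e["ip"])
        low = {u: ips for u, ips in per_account.items() if len(ips) <= max_per_account}
        sources = {ip for ips in low.values() for ip in ips}
        if len(low) >= min_accounts and len(sources) >= min_sources:
            alerts.append({"window_start": start, "window_end": end,
                           "accounts": sorted(low), "source_ips": sorted(sources)})
            while i < len(failures) and failures[i]["ts"] < end:
                i += 1  # one campaign window yields one alert
        else:
            i += 1
    return alerts


def successes_after_spray(events, alerts, follow_up=timedelta(days=7)):
    """Correlate spray windows with later logins from infrastructure new to the user.

    The baseline is the set of IPs each user successfully logged in from before
    the spray; a success for a sprayed account from an IP outside that set is
    the case incident response must be able to investigate quickly.
    """
    findings = []
    for alert in alerts:
        sprayed = set(alert["accounts"])
        known = defaultdict(set)
        for e in events:
            if e["result"] == "success" and e["ts"] < alert["window_start"]:
                known[e["user"]].add(e["ip"])
        for e in events:
            if (e["result"] == "success" and e["user"] in sprayed
                    and alert["window_start"] <= e["ts"] < alert["window_end"] + follow_up
                    and e["ip"] not in known[e["user"]]):
                findings.append({"user": e["user"], "ip": e["ip"], "ts": e["ts"],
                                 "spray_window_start": alert["window_start"]})
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    alerts = detect_distributed_spray(evs)
    for a in alerts:
        print("spray window from", a["window_start"], "-", len(a["accounts"]),
              "accounts,", len(a["source_ips"]), "source IPs")
    for f in successes_after_spray(evs, alerts):
        print("investigate:", f["user"], "logged in from new IP", f["ip"], "at", f["ts"])
```

On the sample data the spray rule fires once (seven accounts, seven sources, one attempt each) and the correlation step returns only carol's later login from an unseen address; bob's two benign failures and alice's login from her usual address are not reported. In production the baseline of known IPs should come from a longer history than the spray window itself, and the 24-hour window matches the throttling interval the T1110.003 relationship on this page describes.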
Mitigation priorities
- Strengthen MFA and conditional access for externally reachable identity services, VPNs, cloud consoles, and privileged accounts.
- Review password policy, lockout/rate-limiting, and spray-resistant authentication controls without creating avoidable denial-of-service risk.
- Reduce Internet-facing exposure and prioritize remediation of public-facing applications and network-device management interfaces.
- For organization-managed SOHO or branch routers, maintain inventory, apply vendor updates, disable unnecessary remote administration, and review exposed services.
- Ensure incident response can rapidly investigate a successful login following spray-like activity, including token/session review and credential reset decisions.
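The exposure-reduction points above (prioritising public-facing network-device interfaces and reviewing exposed services on organisation-managed routers) as a worked triage example, added here and not taken from MITRE, Glexia or any scanner. It consumes a constructed `host port banner` export (real exposure-management tools have their own formats), checks it against the ports and banners this page lists, and joins the result with a constructed asset inventory so that only devices the organisation owns are queued for remediation; everything else is an ownership question, in line with the authorisation caveat in the analyst notes.

```python
"""Triage of exposure-scan results against this page's Quad7 port and banner clues."""

# Ports from the T1571 row and the two banners from the campaign description.
QUAD7_PORTS = {7777, 11288, 63256, 63210, 3256, 3556}
QUAD7_BANNERS = {7777: "xlogin", 63256: "alogin"}

# Constructed scan export (RFC 5737 documentation addresses); "-" means no banner.
SAMPLE_SCAN = """\
192.0.2.10 7777 xlogin
192.0.2.11 443 HTTP/1.1
192.0.2.12 63256 alogin
192.0.2.13 11288 -
192.0.2.14 22 SSH-2.0-OpenSSH
192.0.2.15 7777 HTTP/1.0
"""

# Constructed inventory: scanned address -> name of the managed device.
MANAGED_ASSETS = {
    "192.0.2.10": "branch-router-01",
    "192.0.2.13": "branch-router-03",
    "192.0.2.15": "branch-router-07",
}


def parse_scan(text):
    """Parse the assumed 'host port banner' layout; banner is optional."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(maxsplit=2)
        host, port = parts[0], int(parts[1])
        banner = parts[2] if len(parts) == 3 and parts[2] != "-" else ""
        records.append({"host": host, "port": port, "banner": banner})
    return records


def triage(records, managed):
    """Return findings ordered by severity: banner match before port-only hits.

    A port on the list with a different banner is still worth a look (the
    page treats ports and banners as hunting clues, not complete indicators),
    so it is reported at lower severity rather than dropped.
    """
    findings = []
    for r in records:
        if r["port"] not in QUAD7_PORTS:
            continue
        expected = QUAD7_BANNERS.get(r["port"])
        if expected and r["banner"].lower().startswith(expected):
            severity, reason = "high", f"banner '{expected}' on TCP {r['port']}"
        else:
            severity, reason = "medium", f"TCP {r['port']} is on the Quad7 port list"
        owner = managed.get(r["host"])
        findings.append({
            "host": r["host"], "port": r["port"], "severity": severity,
            "reason": reason, "owner": owner,
            # Managed devices get a remediation step from the page's mitigation
            # list; unmanaged addresses are not probed, only checked for ownership.
            "action": ("review exposed services, disable remote admin, apply vendor updates"
                       if owner else "confirm ownership; do not probe"),
        })
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["host"]))


if __name__ == "__main__":
    for f in triage(parse_scan(SAMPLE_SCAN), MANAGED_ASSETS):
        print(f["severity"].upper(), f["host"], f["reason"], "->", f["owner"] or "unmanaged", "|", f["action"])
```

On the sample export the two banner matches come first, one of them on an address the inventory does not recognise, followed by two port-only hits on managed routers; the 443 and 22 services are ignored because they are not on the page's list.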
Analyst notes and limits
The supplied ATT&CK description reports that Quad7 Activity is also known as CovertNetwork-1658 or the 7777 Botnet and was initially associated with TP-Link routers, later showing increased Asus router compromise and additional ports/banners. Microsoft is cited as reporting Storm-0940 use of credentials obtained through this activity against organizations in North America and Europe, including several government, legal, energy, IT, and defense-related sectors.
No official ATT&CK detection guidance, object-level platforms, or tactics were supplied for this campaign. Technique relationships provide useful defensive context but do not prove every behavior will appear in every environment. Local telemetry, asset ownership, and legal authorization are required before scanning or investigating third-party network devices.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1685 | Disable or Modify Tools | Quad7 Activity has disabled the TP-Link management interface for TP-Link by killing the |
| Enterprise | T1665 | Hide Infrastructure | Quad7 Activity has rotated the compromised SOHO IPs used in password spraying activity to hamper detection and network blocking activities by defenders. [2] |
| Enterprise | T1584.008 | Network Devices Sub-technique | Quad7 Activity has compromised network devices, such as IP cameras, Network Attached Storage (NAS) devices, and SOHO routers, to leverage for follow-on activity. [2] (Citation: Sekoia 7777 Botnet JUL 2024) |
| Enterprise | T1071.002 | File Transfer Protocols Sub-technique | Quad7 Activity has used a File Transfer Protocol (FTP) server to download malicious binaries. [2] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Quad7 Activity has used the same User Agents of |
| Enterprise | T1589.002 | Email Addresses Sub-technique | Quad7 Activity has gathered targeted individuals' e-mail addresses for the password spraying attempts. [3] |
| Enterprise | T1190 | Exploit Public-Facing Application | Quad7 Activity has enabled the exploitation of vulnerabilities for remote code execution capabilities in SOHO routers including CVE-2023-50224 and CVE-2025-9377 in TP-Link devices. [2][4] |
| Enterprise | T1090.002 | External Proxy Sub-technique | Quad7 Activity has initialized SOCKS5 proxies on compromised devices. [2][1] |
| Enterprise | T1110.003 | Password Spraying Sub-technique | Quad7 Activity has conducted a throttled variant of password spraying techniques that only utilized a single attempt to sign in within a 24-hour time period, eluding brute force detection thresholds. [2] |
| Enterprise | T1090.003 | Multi-hop Proxy Sub-technique | Quad7 Activity has routed traffic through chains of compromised network devices for password spray attacks. [2] |
| Enterprise | T1571 | Non-Standard Port | Quad7 Activity has used non-standard TCP ports, such as 7777, 11288, 63256, 63210, 3256, and 3556, for C2. [2] (Citation: Sekoia 7777 Botnet JUL 2024) |
| Enterprise | T1105 | Ingress Tool Transfer | Quad7 Activity has downloaded additional binaries from a remote File Transfer Protocol (FTP) server to compromised devices. [2] |
| Enterprise | T1027.011 | Fileless Storage Sub-technique | Quad7 Activity has infected victim network devices by storing artifacts in the |
| Enterprise | T1059.004 | Unix Shell Sub-technique | Quad7 Activity has enabled the creation of an access-controlled command shell |
| Enterprise | T1584.005 | Botnet Sub-technique | Quad7 Activity has compromised various branded SOHO routers to form a botnet that has been leveraged in password spraying activity. [1][2] |
Groups, software, and campaigns
S0095: ftp
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page under Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 869c67a01400… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Bitsight 7777 Botnet. Batista, João; Gi7w0rm. (2024, August 27). Retrieved June 5, 2025.
[2] Microsoft Storm-0940. Microsoft Threat Intelligence. (2024, October 31). Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network. Retrieved June 4, 2025.
[3] Medium 777-Botnet. Gi7w0rm. (2023, October 19). The curious case of the 7777-Botnet. Retrieved June 5, 2025.
[4] TP-Link Quad 7 AUG 2025. TP-Link. (2025, August 29). Technical News and Reports about Quad 7 (7777) Botnet aka CovertNetwork-1658. Retrieved October 10, 2025.
[5] mitre-attack C0055.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.