Microsoft has unveiled a sweeping cyber threat posed by a sophisticated Chinese botnet, Quad7, targeting organizations worldwide through advanced password spray attacks. Operated by a group identified as Storm-0940, this campaign primarily aims at high-value entities, including think tanks, government organizations, NGOs, law firms, and the defense industry, with espionage as its primary objective.
Microsoft researchers report that Storm-0940 employs stolen credentials to establish persistent access, facilitating deeper intrusions and more extensive cyber espionage. The botnet’s initial actions include harvesting credentials and deploying remote access trojans (RATs) and proxies to maintain long-term access, enhancing the group’s ability to conduct disruptive attacks.
The infiltration tactics of Quad7 stand out for their precision and stealth. According to Microsoft, Storm-0940 relies on a separate covert network, CovertNetwork-1658, to submit a limited number of sign-in attempts across multiple accounts within targeted organizations.
In most cases — around 80 percent — CovertNetwork-1658 limits attempts to just one per account per day, minimizing the likelihood of detection. Once a password is successfully guessed, Storm-0940 quickly moves to compromise the system further, sometimes completing the breach within the same day.
Quad7’s operational scope has recently expanded beyond its initial focus on TP-Link routers, now encompassing ASUS routers, Zyxel VPN endpoints, Ruckus wireless routers, and Axentra media servers.
Researchers first identified Quad7 in late September 2024, noting its targeted attacks on specific device ports, particularly port 7777. Cybersecurity experts, including those from Sekoia and a researcher known as Gi7w0rm, initially linked the botnet to TP-Link devices. However, it has since broadened its scope, targeting new clusters labeled based on device type, such as “rlogin” for Ruckus and “zylogin” for Zyxel.
Each variant, including clusters named xlogin, alogin, axlogin, and others, showcases Quad7’s adaptability. Some of these clusters comprise thousands of compromised devices, while others involve as few as two infections, reflecting the botnet’s flexibility in scaling its operations.
This escalating threat underlines the urgent need for enhanced cybersecurity vigilance across potentially vulnerable devices worldwide. As Quad7’s reach expands, securing routers and other entry points is essential in protecting against ongoing cyber espionage and disruption.