Microsoft reported that Chinese hackers are using the Quad7 botnet to crack passwords and steal credentials.
Quad7 botnet, also known as CovertNetwork-1658 or xlogin, was first spotted in the summer of 2023 by security researcher Gi7w0rm.
In September 2024, the Sekoia TDR team reported that it had identified additional implants associated with the Quad7 botnet operation. The botnet operators are targeting multiple SOHO devices and VPN appliances, including TP-Link, Zyxel, Asus, D-Link, and Netgear, exploiting both known and previously unknown vulnerabilities.
The operators maintain the botnet to launch distributed brute-force attacks on VPNs, Telnet, SSH, and Microsoft 365 accounts.
The experts identified five distinct login clusters (alogin, xlogin, axlogin, rlogin, and zylogin) associated with these botnet operators. Some of these clusters specifically target Axentra media servers, Ruckus wireless routers and Zyxel VPN appliances.
The Quad7 botnet is primarily composed of compromised TP-Link routers that expose open ports for administration and proxy purposes. These routers are used to relay brute-force attacks against Microsoft 365 accounts. Microsoft urges organizations to strengthen credential and cloud data security.