
China has launched a major botnet attacking users around the world, Microsoft reveals – Firstpost
asane

According to Microsoft, the primary focus of this China botnet campaign appears to be espionage, as targets include high-value entities such as think tanks, government bodies, NGOs, law firms, and defense industries.

Microsoft has discovered a significant cyber threat involving a Chinese botnet known as Quad7, which appears to be targeting organizations around the globe with sophisticated password spraying attacks.

This botnet, operated by a group identified as Storm-0940, aims to breach networks and steal credentials, opening the way for additional intrusive and potentially disruptive cyber activities.

Strategic and covert infiltrations
Storm-0940’s attack method is calculated and difficult to detect. The bot network, through a subgroup known as CovertNetwork-1658, sends only a small number of login attempts against many accounts within a target organization, keeping each account’s failure count low enough to stay under the radar.

Microsoft’s report indicates that in about 80 percent of cases, CovertNetwork-1658 makes only one login attempt per account each day, a strategy designed to evade traditional security monitoring systems.

Once attackers manage to breach an account, follow-on activity is quick. Microsoft disclosed that in some cases, further intrusion activity began on the same day that the password was successfully guessed. Attackers’ initial actions after gaining access include extracting additional credentials and deploying remote access tools (RATs) and proxies to maintain persistence on the network.
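The one-attempt-per-account-per-day pattern described above defeats the usual per-account lockout rule, because no single account ever crosses a failure threshold. The detection below is an added example, not code from Microsoft or from this article: it runs two rules over a constructed authentication log (the log format, account names and IP addresses are all made up for the example). The classic per-account rule finds nothing, while an organisation-wide rule that counts how many distinct accounts each saw exactly one failure from distinct sources on the same day flags the spray, and a third check surfaces a successful login from one of those spraying sources, which is the same-day compromise the report describes.

```python
"""Detecting low-and-slow password spraying in authentication logs (added example)."""
from collections import defaultdict

# Constructed sample log, not real telemetry. One line per authentication event:
# "<date> <time> user=<account> src=<source ip> result=<ok|fail>"
# Eight accounts each receive a single failure from a different source, then one
# of those sources logs in successfully; "ivan" is a legitimate user who mistyped twice.
SAMPLE_LOG = """\
2024-10-01 02:11:04 user=alice src=203.0.113.10 result=fail
2024-10-01 02:34:51 user=bob src=198.51.100.22 result=fail
2024-10-01 03:02:17 user=carol src=203.0.113.77 result=fail
2024-10-01 03:40:09 user=dave src=192.0.2.5 result=fail
2024-10-01 04:15:33 user=erin src=198.51.100.140 result=fail
2024-10-01 04:58:20 user=frank src=203.0.113.201 result=fail
2024-10-01 05:21:46 user=grace src=192.0.2.88 result=fail
2024-10-01 05:59:12 user=heidi src=198.51.100.9 result=fail
2024-10-01 06:30:00 user=alice src=203.0.113.10 result=ok
2024-10-01 09:12:40 user=ivan src=10.0.0.15 result=fail
2024-10-01 09:13:02 user=ivan src=10.0.0.15 result=fail
2024-10-01 09:13:30 user=ivan src=10.0.0.15 result=ok
2024-10-02 08:00:00 user=bob src=10.0.0.31 result=ok
"""


def parse_log(text):
    """Turn the constructed log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, time, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append({"day": day, "time": time, "user": fields["user"],
                       "src": fields["src"], "ok": fields["result"] == "ok"})
    return events


def per_account_lockout(events, threshold=5):
    """Classic rule: alert on any account with >= threshold failures in one day.
    A spray that uses one attempt per account per day never trips this."""
    fails = defaultdict(int)
    for e in events:
        if not e["ok"]:
            fails[(e["day"], e["user"])] += 1
    return sorted(user for (day, user), n in fails.items() if n >= threshold)


def spray_days(events, min_accounts=5):
    """Organisation-wide rule: flag a day on which at least min_accounts distinct
    accounts each saw exactly one failed login. Returns {day: {accounts, sources}}
    so the spraying sources can be fed to further checks."""
    fail_count = defaultdict(lambda: defaultdict(int))   # day -> user -> failures
    fail_srcs = defaultdict(lambda: defaultdict(set))    # day -> user -> source ips
    for e in events:
        if not e["ok"]:
            fail_count[e["day"]][e["user"]] += 1
            fail_srcs[e["day"]][e["user"]].add(e["src"])
    flagged = {}
    for day, counts in fail_count.items():
        single = {u for u, n in counts.items() if n == 1}
        if len(single) >= min_accounts:
            sources = set().union(*(fail_srcs[day][u] for u in single))
            flagged[day] = {"accounts": sorted(single), "sources": sorted(sources)}
    return flagged


def success_after_spray(events, spray):
    """Any successful login from a source that took part in that day's spray is the
    signal that a password was guessed and is now being used."""
    return [(e["day"], e["user"], e["src"]) for e in events
            if e["ok"] and e["day"] in spray and e["src"] in spray[e["day"]]["sources"]]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-account lockout alerts:", per_account_lockout(evts))
    found = spray_days(evts)
    for day, info in found.items():
        print(f"{day}: {len(info['accounts'])} accounts, {len(info['sources'])} sources")
    print("successful logins from spraying sources:", success_after_spray(evts, found))
```

The key design point is the aggregation axis: the spray only becomes visible when failures are counted across accounts rather than within one, and the source set collected on the spray day is what turns an otherwise ordinary successful login into an alert. In production the thresholds would be set against the organisation’s normal daily failure baseline rather than the fixed values used here.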

Expanding the target surface and malware clusters
Quad7 is not an unknown threat. It gained significant attention in September 2024 when it began to introduce new features and expand its range of targets. Originally discovered by a researcher known as Gi7w0rm and analyzed by Sekoia experts, the botnet was first seen targeting TP-Link routers.

However, it quickly evolved to target other devices such as ASUS routers and expanded further to compromise Zyxel VPN endpoints, Ruckus wireless routers and Axentra media servers.

Attackers have developed custom malware to breach these devices, creating distinct clusters of infections for different device families. Each cluster uses a device-specific variant of the login method; for example, the cluster built for Ruckus devices is named “rlogin”, while others include “xlogin”, “alogin”, “axlogin”, and “zylogin”. The size of these clusters varies significantly, with some comprising thousands of infected devices, while others involve just two.

Wider implications and security concerns
The discovery of Quad7’s extensive operations underscores the growing complexity of global cyber threats. The use of SOHO (small office/home office) routers as entry points suggests a change in tactics, with attackers exploiting weaker endpoints to bypass traditional enterprise security defenses. By customizing their malware and implementing stealthy login attempts, Storm-0940 and its affiliates demonstrate an advanced level of cyber sophistication.

Microsoft’s findings underscore the importance of robust security measures and continuous monitoring for organizations around the world.

As the reach and impact of Quad7 continue to grow, cybersecurity experts are urging organizations to strengthen their defenses, particularly in protecting routers and network endpoints that could serve as gateways for such attacks.