Microsoft has issued a warning about a botnet tracked as Quad7, or CovertNetwork-1658, which is operated from China and compromises small office and home office (SOHO) routers, then uses them to launch password-spray attacks that steal credentials.

The router compromises target devices made by major brands including TP-Link, ASUS, Ruckus, Axentra, and Zyxel. The compromised routers are chained into a relay network, so the operators' sign-in attempts arrive from ordinary residential and small-business addresses and blend in with regular internet traffic, making detection difficult.

The Quad7 botnet, first identified by researcher Gi7w0rm, uses a custom malware implant that exposes a Telnet backdoor on compromised devices (the name comes from the backdoor's use of TCP port 7777). Each device type presents a distinctive banner at that Telnet login prompt, such as "xlogin" on TP-Link routers or "alogin" on ASUS devices, which researchers use to recognize infected units. The attackers also install a SOCKS5 proxy on infected routers, letting them route further attacks through the device rather than from their own infrastructure.

In its report, Microsoft attributed use of the botnet to multiple Chinese threat actors, including the group Storm-0940, which uses the sprayed credentials to gain an initial foothold and then expands its access by dumping further credentials and installing remote access tools (RATs) on internal devices. The campaign is notable for its low-and-slow style: each account in a target organization typically receives only one or two sign-in attempts per day, spread across many relay addresses, which keeps it below lockout thresholds and below the volume most spray detections look for. Despite this cautious approach, credentials that do work are often used quickly, sometimes within the same day.
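The following detector is an added example for the pattern just described; it is not code from the article, Microsoft or Sekoia. It runs over a constructed sign-in log, flags UTC days on which many distinct accounts each saw only one or two failures from addresses that never authenticate successfully to that account, and then looks for same-day successful sign-ins to sprayed accounts. The log format, the thresholds and every address and account name are assumptions chosen for illustration.

```python
"""Low-and-slow password-spray triage over a constructed sign-in log.

Added example, not code from the article, Microsoft or Sekoia.  Log
format, thresholds, addresses and account names are all assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): timestamp, source IP, account, result.
SAMPLE_LOG = """\
# One failure per account per day from a single relay address
2024-10-30T01:02:10Z 198.51.100.7 alice@example.org FAIL
2024-10-30T03:15:44Z 198.51.100.7 bob@example.org FAIL
2024-10-30T06:40:02Z 198.51.100.7 carol@example.org FAIL
2024-10-30T09:21:37Z 198.51.100.7 dave@example.org FAIL
2024-10-30T12:58:19Z 198.51.100.7 erin@example.org FAIL
# A second relay address: too few accounts to stand out on its own
2024-10-30T02:11:00Z 198.51.100.23 alice@example.org FAIL
2024-10-30T04:30:12Z 198.51.100.23 grace@example.org FAIL
# Ordinary user mistyping a password: one account, several tries, then success
2024-10-30T08:00:01Z 203.0.113.5 frank@example.org FAIL
2024-10-30T08:00:09Z 203.0.113.5 frank@example.org FAIL
2024-10-30T08:00:20Z 203.0.113.5 frank@example.org FAIL
2024-10-30T08:00:35Z 203.0.113.5 frank@example.org SUCCESS
# Same-day use of a sprayed credential from a different address
2024-10-30T15:05:48Z 192.0.2.99 carol@example.org SUCCESS
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(FAIL|SUCCESS)$")


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, account, result), sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts, ip, account, result = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result))
    events.sort()
    return events


def find_low_and_slow_spray(events, min_accounts=5, max_per_account=2):
    """Per UTC day, flag many accounts each receiving only a few failed sign-ins.

    Failures from an address that also signs in successfully to the same account
    are treated as the account owner's own typos and ignored, so a user who
    fumbles a password several times does not look like a sprayer.  The low
    per-account count is the signature; a classic brute force hammers one
    account and trips lockout instead.  Returns {day: {"accounts", "source_ips"}}.
    """
    ok_pairs = {(account, ip) for _, ip, account, result in events if result == "SUCCESS"}
    days = defaultdict(lambda: defaultdict(list))  # day -> account -> [failing ips]
    for ts, ip, account, result in events:
        if result == "FAIL" and (account, ip) not in ok_pairs:
            days[ts.date()][account].append(ip)
    findings = {}
    for day, per_account in days.items():
        sprayed = {a: ips for a, ips in per_account.items() if len(ips) <= max_per_account}
        if len(sprayed) >= min_accounts:
            findings[day] = {
                "accounts": sorted(sprayed),
                "source_ips": sorted({ip for ips in sprayed.values() for ip in ips}),
            }
    return findings


def find_spray_then_success(events, spray_ips, within=timedelta(hours=24)):
    """Successful sign-ins to an account within `within` of a failure from a spray address.

    This is the follow-on the article describes: a credential found by the spray
    being used the same day, often from an address other than the one that sprayed.
    Returns [(account, ip, timestamp)].
    """
    last_spray_fail = {}
    hits = []
    for ts, ip, account, result in events:
        if result == "FAIL" and ip in spray_ips:
            last_spray_fail[account] = ts
        elif result == "SUCCESS" and account in last_spray_fail \
                and ts - last_spray_fail[account] <= within:
            hits.append((account, ip, ts))
    return hits


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    spray = find_low_and_slow_spray(ev)
    for day, f in spray.items():
        print(f"{day}: {len(f['accounts'])} accounts sprayed from {f['source_ips']}")
    ips = {ip for f in spray.values() for ip in f["source_ips"]}
    for account, ip, ts in find_spray_then_success(ev, ips):
        print(f"follow-on sign-in: {account} from {ip} at {ts:%Y-%m-%dT%H:%M:%SZ}")
```

Two points of design matter here. First, the aggregation is tenant-wide rather than per source address, because a relay network spreads one campaign across many addresses that individually never exceed a per-IP threshold. Second, the second function fires on any successful sign-in to a sprayed account, including the legitimate owner's, so in production its output is a triage queue to be correlated with new-device, new-location or impossible-travel signals rather than an alert on its own. Thresholds need tuning against a baseline of normal failure volume for the tenant.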

How the routers are initially infected remains unconfirmed, though Sekoia researchers recently observed an attacker exploiting a zero-day in OpenWrt firmware that combined unauthorized file access with command injection. The Quad7 botnet continues to evolve, and Microsoft urges organizations to harden their network perimeter and to monitor for unusual sign-in activity, in particular low-volume failures spread across many accounts, while researchers investigate the full scope of the campaign.
