Microsoft reveals major Chinese botnet is attacking users across the world

A major Chinese botnet called Quad7 is being utilized to mount password spray attacks against organizations in the west, Microsoft experts have warned.

In a new report, the company’s researchers say the group, called Storm-0940, then use the passwords to establish persistence, steal even more credentials, and ultimately engage in more disruptive cyberattacks.

The end goal of the campaign is, most likely, espionage, Microsoft believes , as targets include think tanks, government organizations, non-governmental organizations, law firms, defense industrial bases, and more.

Targeting SOHO routers

“In particular, Microsoft has observed the Chinese threat actor Storm-0940 using credentials from CovertNetwork-1658,” the report states, adding that the group was being extra careful not to get spotted.

“In these campaigns, CovertNetwork-1658 submits a very small number of sign-in attempts to many accounts at a target organization,” it was said. “In about 80 percent of cases, CovertNetwork-1658 makes only one sign-in attempt per account per day.”

Still, as soon as there is a hit, Storm-0940 moves in to further compromise the target. In fact, Microsoft said that on some occasions, the infiltration was done the same day when the passwords were guessed. Storm-0940’s first move was to dump credentials, and install RATs and proxies, for persistence.

Quad7 is a fairly known botnet. In late September 2024, we reported the botnet adding new features and expanding the attack surface. It was first spotted by a researcher alias Gi7w0rm, and experts from Sekoia, when it was only observed targeting TP-Link routers. However, during the following weeks, Quad7 (which was named so for targeting port 7777), expanded to ASUS routers, and now has been observed on Zyxel VPN endpoints, Ruckus wireless routers, and Axentra media servers.

The attackers built custom malware to compromise these endpoints, targeting different clusters. Each cluster is a variant of *login, with Ruckus, for example, having the ‘rlogin’ cluster. Other clusters include xlogin, alogin, axlogin, and zylogin. Some clusters are relatively large, counting thousands of assimilated devices. Others are smaller, counting as little as two infections.

More from TechRadar Pro