Microsoft has disclosed that a Chinese threat actor tracked as Storm-0940 is using a botnet known as Quad7 to carry out highly evasive password spray attacks. The company tracks this botnet as CovertNetwork-1658 and says the password spray operations are aimed at compromising the credentials of multiple Microsoft customers.
According to the Microsoft Threat Intelligence team, Storm-0940 has been operational since at least 2021, gaining initial access through password spray and brute-force attacks, or by exploiting vulnerabilities in network edge applications and services. The group is reported to target entities in North America and Europe, including think tanks, governmental bodies, non-governmental organizations, law firms, and the defense industrial base, among others.
Quad7, also referred to as 7777 or xlogin, has been extensively analyzed by Sekoia and Team Cymru in recent months. The malware associated with this botnet has been observed targeting several brands of SOHO routers and VPN devices, including TP-Link, Zyxel, Asus, Axentra, D-Link, and NETGEAR. These devices are compromised by exploiting both known and previously unknown security vulnerabilities to achieve remote code execution.
The name of the botnet is derived from the fact that the infected routers have a backdoor that listens on TCP port 7777, enabling remote access. In September 2024, Sekoia informed The Hacker News that the primary use of the botnet is to conduct brute-force attacks against Microsoft 365 accounts, suggesting that the operators are likely affiliated with Chinese state-sponsored groups.
Microsoft further assesses that the maintainers of the botnet are based in China, and that multiple threat actors from the region use it to carry out password spray attacks as part of broader computer network exploitation (CNE) efforts. These efforts include lateral movement, deployment of remote access trojans, and attempts at data exfiltration. Storm-0940 has reportedly gained access to targeted organizations using valid credentials acquired through these password spray attacks, sometimes on the same day the credentials were obtained.
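The pattern described above, a spray distributed across many compromised-router IPs followed by prompt use of any credential that works, is what a defender needs to surface in sign-in telemetry. The following is an added example, not code from Microsoft or from the botnet's analysts; it assumes sign-in events arrive as dicts with `ts`, `user`, `ip` and `success` fields, and the sample events are constructed.

```python
"""Detection sketch for a low-and-slow, distributed password spray.

Assumed input: sign-in events as dicts with ts (epoch seconds), user,
ip and success (bool). SAMPLE_EVENTS is constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: 10 distinct IPs, each failing once against a
# different account (one failure per IP stays under any per-IP lockout),
# followed by a success from one of those IPs in the same hour.
SAMPLE_EVENTS = [
    {"ts": 1700000000 + i * 60, "user": f"user{i}@example.test",
     "ip": f"198.51.100.{i}", "success": False}
    for i in range(10)
] + [
    {"ts": 1700000900, "user": "user3@example.test",
     "ip": "198.51.100.3", "success": True},
]


def find_spray(events, window_s=3600, min_accounts=8, max_per_ip=2):
    """Return [(window_start, report)] for windows that look like a
    distributed spray: many distinct accounts failing while no single
    source IP exceeds max_per_ip failures. Per-IP thresholds alone never
    fire on this pattern, which is why the evasion works."""
    windows = defaultdict(list)
    for e in events:
        windows[e["ts"] // window_s * window_s].append(e)
    findings = []
    for start, evs in sorted(windows.items()):
        failures = [e for e in evs if not e["success"]]
        per_ip = defaultdict(int)
        for e in failures:
            per_ip[e["ip"]] += 1
        accounts = {e["user"] for e in failures}
        if (len(accounts) >= min_accounts
                and max(per_ip.values(), default=0) <= max_per_ip):
            # A success from an IP that took part in the spray, inside the
            # same window, means a sprayed credential was used promptly.
            spray_ips = set(per_ip)
            hits = [(e["user"], e["ip"]) for e in evs
                    if e["success"] and e["ip"] in spray_ips]
            findings.append((start, {"accounts": len(accounts),
                                     "ips": len(spray_ips),
                                     "successes_from_spray_ips": hits}))
    return findings
```

Tune `min_accounts` and `window_s` to the tenant's normal failure rate; a long window (hours, not minutes) is what catches sprays paced to stay beneath per-IP alerting.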