Cyber Defense Advisors

Quad7 Botnet Expands to Target SOHO Routers and VPN Appliances

The operators of the mysterious Quad7 botnet are actively evolving by compromising several brands of SOHO routers and VPN appliances by leveraging a combination of both known and unknown security flaws.

Targets include devices from TP-LINK, Zyxel, Asus, Axentra, D-Link, and NETGEAR, according to a new report by French cybersecurity company Sekoia.

“The Quad7 botnet operators appear to be evolving their toolset, introducing a new backdoor and exploring new protocols, with the aim of enhancing stealth and evading the tracking capabilities of their operational relay boxes (ORBs),” researchers Felix Aimé, Pierre-Antoine D., and Charles M. said.

Quad7, also called 7777, was first publicly documented by independent researcher Gi7w0rm in October 2023, highlighting the activity cluster’s pattern of ensnaring TP-Link routers and Dahua digital video recorders (DVRs) into a botnet.

The botnet, which gets its name from the fact it opens TCP port 7777 on compromised devices, has been observed brute-forcing Microsoft 3665 and Azure instances.

“The botnet also appears to infect other systems like MVPower, Zyxel NAS, and GitLab, although at a very low volume,” VulnCheck’s Jacob Baines noted earlier this January. “The botnet doesn’t just start a service on port 7777. It also spins up a SOCKS5 server on port 11228.”

Subsequent analyses by Sekoia and Team Cymru over the past few months have found that not only the botnet has compromised TP-Link routers in Bulgaria, Russia, the U.S., and Ukraine, but has since also expanded to target ASUS routers that have TCP ports 63256 and 63260 opened.

The latest findings show that the botnet is comprised of three additional clusters –

xlogin (aka 7777 botnet) – A botnet composed of compromised TP-Link routers which have both TCP ports 7777 and 11288 opened
alogin (aka 63256 botnet) – A botnet composed of compromised ASUS routers which have both TCP ports 63256 and 63260 opened
rlogin – A botnet composed of compromised Ruckus Wireless devices which have TCP port 63210 opened
axlogin – A botnet capable of targeting Axentra NAS devices (not detected in the wild as yet)
zylogin – A botnet composed of compromised Zyxel VPN appliances that have TCP port 3256 opened

Sekoia told The Hacker News that the countries with the most number of infections are Bulgaria (1,093), the U.S. (733), and Ukraine (697).

In a further sign of tactical evolution, the threat actors now utilize a new backdoor dubbed UPDTAE that establishes an HTTP-based reverse shell to establish remote control on the infected devices and execute commands sent from a command-and-control (C2) server.

It’s currently not clear what the exact purpose of the botnet is or who is behind it, but the company said the activity is likely the work of a Chinese state-sponsored threat actor.

“Regarding the 7777 [botnet], we only saw brute-force attempts against Microsoft 365 accounts,” Aimé told the publication. “For the other botnets, we still don’t know how they are used.”

“However, after exchanges with other researchers and new findings, we are almost certain that the operators are more likely CN state-sponsored rather than simple cybercriminals doing [business email compromise].”

“We are seeing the threat actor attempting to be more stealthy by using new malwares on the compromised edge devices. The main aim behind that move is to prevent tracking of the affiliated botnets.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.