Quad7, also known as 7777, CovertNetwork-1658, and xlogin, is a botnet composed primarily of compromised SOHO routers, VPN appliances, wireless devices, and NAS devices. Reported affected vendors and device families include TP-Link, ASUS, Ruckus, Zyxel, Axentra, and in some reporting additional devices from Dahua, D-Link, NETGEAR, MVPower, Zyxel NAS, and GitLab. The botnet was first publicly documented in October 2023 by researcher Gi7w0rm and is named for infected devices exposing TCP port 7777 with an xlogin banner.
Across observed clusters, operators deploy custom malware that provides remote access via Telnet-like bind shells and also install SOCKS5 proxy services so compromised edge devices can relay malicious traffic. Distinct clusters and banners reported in the content include xlogin on TCP 7777 for TP-Link devices, alogin on TCP 63256 and 63260 for ASUS devices, rlogin on TCP 63210 for Ruckus devices, zylogin on TCP 3256 and in some reporting 3556 for Zyxel appliances, and axlogin tooling associated with Axentra devices. One report also notes SOCKS5 services on ports 11228 or 11288. The malware/tooling is reported to be placed in /tmp, making infections ephemeral and often removed by reboot. Researchers also reported a newer backdoor named UPDTAE that provides an HTTP-based reverse shell and executes commands from C2.
The botnet has been observed supporting low-volume password-spray and brute-force activity against Microsoft 365 and Azure accounts. Microsoft reported that Chinese threat actors used credentials obtained through Quad7/CovertNetwork-1658 operations, with sign-in attempts typically kept very low to avoid detection, including cases where only one attempt per account per day was made. Microsoft specifically observed Storm-0940 using stolen credentials from these operations to breach victim networks, dump additional credentials, install RATs and proxy tools, move laterally, maintain persistence, and exfiltrate data, likely for espionage purposes.
Initial compromise methods are not fully known. However, Sekoia observed Quad7 operators exploiting an OpenWRT zero-day by chaining an unauthenticated file disclosure vulnerability with command injection. Other intrusion vectors remain unconfirmed in the provided content. Researchers and Microsoft assess the botnet as likely China-linked or operated from China, and multiple sources in the content describe the operator as a Chinese-speaking or likely Chinese state-sponsored threat actor, although exact attribution remains unconfirmed.
Reported scale in the content ranges from approximately 16,000 currently observed infected devices over a 30-day period to more than 175,000 devices compromised over time. Infections were observed globally, with notable concentrations reported in Bulgaria, the United States, Ukraine, Russia, Poland, South Korea, Sweden, Hong Kong, and Taiwan. The content also notes infected devices in government institutions and approximately 840 organizations with at least one infected device. High-confidence indicators directly mentioned include the banners xlogin, alogin, rlogin, zylogin, and axlogin; exposed ports 7777, 63256, 63260, 63210, 3256, and 3556; and SOCKS5 proxy exposure on 11228 or 11288.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Microsoft warns that Chinese threat actors use the Quad7 botnet, compromised of hacked SOHO routers, to steal credentials in password-spray attacks. Quad7, also known as CovertNetwork-1658 or xlogin, is a botnet first discovered by security researcher Gi7w0rm that consists of compromised SOHO routers.
4 distinct techniques documented for this family, organized by ATT&CK tactic.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A botnet made up of compromised SOHO routers and networking devices. Attackers deploy custom Telnet-access malware with device-specific banners and install SOCKS5 proxy software to relay malicious traffic, support password-spray attacks, enable remote access, and facilitate credential theft and follow-on intrusions.
A botnet primarily composed of compromised SOHO routers/VPN/edge devices. It is associated with opening TCP port 7777 on infected devices, running a SOCKS5 service (reported on port 11228), and conducting brute-force attempts against Microsoft 365/Azure accounts. It has expanded across multiple device brands and appears to be evolving for stealth and evasion.
A router-focused botnet/backdoor ecosystem that compromises consumer and SMB network devices, installs a telnet-based bind shell (with distinctive login banners such as xlogin/alogin/rlogin/zylogin/axlogin) and a SOCKS5 proxy service. The infected devices are then used as infrastructure to conduct low-volume brute-force attacks—specifically noted here as targeting Microsoft 365 corporate accounts—while maintaining a low profile. Artifacts are staged in /tmp, making infections largely ephemeral and requiring re-compromise after reboot/power-off.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.