Cyber Resilience


Quad7 Activity C0055 unknown

aka Quad7 Activity

Last updated: 2026-07-03

0 attributed CVEs
22 ATT&CK techniques
0.0 IDF score (tooling uniqueness)
0 exclusive CVEs
years active

About this actor

Quad7 Activity, also known as CovertNetwork-1658 or the 7777 Botnet, is a network of compromised small office/home office (SOHO) routers. (Citation: Bitsight 7777 Botnet) (Citation: Microsoft Storm-0940) The botnet was initially composed primarily of TP-Link routers and was named Quad7 due to compromised devices exposing TCP port 7777 with the distinctive banner "xlogin". Later activity showed a significant increase in compromised Asus routers and the addition of new ports and banners, including TCP port 63256 displaying "alogin". Quad7 infrastructure functions as a collection of egress IPs that various China-affiliated threat actors have used to conduct password-spraying and brute-force operations. (Citation: Bitsight 7777 Botnet) (Citation: Medium 777-Botnet) Microsoft has reported that Storm-0940 leveraged credentials obtained through Quad7 Activity to target organizations in North America and Europe, including government agencies, non-governmental organizations, think tanks, law firms, energy firms, IT providers, and defense industrial base entities. (Citation: Microsoft Storm-0940)

Source: MITRE ATT&CK

Activity timeline

No activity events recorded.

Profile

CVE | Risk | CVSS | EPSS | Published | Products
No attributed CVEs.

Mitigating controls (NIST 800-53)

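| Control | Techniques covered | Coverage |
|---------|--------------------|----------|
| CM-6    | 15 / 22            | 68%      |
| SI-4    | 15 / 22            | 68%      |
| CA-7    | 13 / 22            | 59%      |
| CM-2    | 13 / 22            | 59%      |
| CM-7    | 12 / 22            | 55%      |
| SI-3    | 12 / 22            | 55%      |
| AC-3    | 9 / 22             | 41%      |
| AC-4    | 9 / 22             | 41%      |
| SC-7    | 9 / 22             | 41%      |
| AC-2    | 6 / 22             | 27%      |
| AC-6    | 6 / 22             | 27%      |
| AC-5    | 5 / 22             | 23%      |
| IA-2    | 5 / 22             | 23%      |
| SI-10   | 5 / 22             | 23%      |
| SI-7    | 5 / 22             | 23%      |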

Co-occurring actors

None.

Similar actors