Quad7 Activity, Campaign C0055 | MITRE ATT&CK®
Enterprise
Application Layer Protocol: Web Protocols
Quad7 Activity has used the User-Agent strings "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" and "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36", combined with a reference to the Microsoft Azure PowerShell Application ID 1950a258-227b-4e31-a9cf-717495945fc2, in their sign-in attempts.[2]
Application Layer Protocol: File Transfer Protocols
Quad7 Activity has used a File Transfer Protocol (FTP) server to download malicious binaries.[2]
Enterprise
Brute Force: Password Spraying
Quad7 Activity has conducted a throttled variant of password spraying that made only a single sign-in attempt within any 24-hour period, staying below brute-force detection thresholds.[2]
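The two sign-in passages above (the fixed User-Agent strings plus the Azure PowerShell Application ID, and the one-attempt-per-24-hours throttling) describe why a per-account failure threshold never fires. The following detection sketch is an added example, not part of the ATT&CK page or any vendor product; the log format, the function names and the sample records are constructed assumptions, while the User-Agent strings and Application ID are the values quoted on the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators quoted on the page (Campaign C0055); the log format and sample records are constructed.
QUAD7_USER_AGENTS = {
    "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/80.0.3987.149 Safari/537.36",
}
AZURE_POWERSHELL_APP_ID = "1950a258-227b-4e31-a9cf-717495945fc2"
DAY = timedelta(hours=24)

def parse(line):
    """Constructed sign-in record: ts|user|src_ip|app_id|result|user_agent."""
    ts, user, ip, app, result, ua = line.rstrip("\n").split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "app": app, "result": result, "ua": ua}

def naive_account_alerts(events, threshold=5):
    """Classic brute-force rule: >= threshold failures for one account inside 24h (blind to 1/day)."""
    per_user = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            per_user[e["user"]].append(e["ts"])
    return sorted(u for u, ts in per_user.items()
                  if any(sum(t - t0 <= DAY for t in ts if t >= t0) >= threshold for t0 in ts))

def once_per_day(ts):
    s = sorted(ts)
    return all(b - a >= DAY for a, b in zip(s, s[1:]))

def low_and_slow_spray(events, window=timedelta(days=7), min_accounts=10):
    """Widen the window: many distinct accounts failing via the Azure PowerShell app ID with a
    Quad7 User-Agent, each throttled to at most one failure per 24h, from rotating source IPs."""
    cutoff = max(e["ts"] for e in events) - window
    suspect = [e for e in events if e["result"] == "FAIL" and e["ts"] >= cutoff
               and e["app"] == AZURE_POWERSHELL_APP_ID and e["ua"] in QUAD7_USER_AGENTS]
    per_user = defaultdict(list)
    for e in suspect:
        per_user[e["user"]].append(e["ts"])
    throttled = {u for u, ts in per_user.items() if once_per_day(ts)}
    if len(throttled) < min_accounts:
        return None
    return {"accounts": len(throttled), "source_ips": sorted({e["ip"] for e in suspect})}

# Constructed sample: 12 accounts, one failure each per day for 3 days, source IP rotated daily,
# plus one benign successful sign-in from another application and browser.
SAMPLE_LOG = [
    f"2024-03-{10 + d:02d}T02:{i:02d}:00|user{i}@example.com|203.0.113.{d + 1}|"
    f"{AZURE_POWERSHELL_APP_ID}|FAIL|{sorted(QUAD7_USER_AGENTS)[d % 2]}"
    for d in range(3) for i in range(12)
] + ["2024-03-12T09:15:00|user1@example.com|198.51.100.7|office-app|SUCCESS|Mozilla/5.0 (X11)"]
```

Run against SAMPLE_LOG, the naive rule returns no alerts while the widened-window rule reports 12 throttled accounts across three rotating source addresses.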
Enterprise
Command and Scripting Interpreter: Unix Shell
Quad7 Activity has created an access-controlled /bin/sh command shell on compromised routers.[2][1]
Enterprise
Compromise Infrastructure: Botnet
Quad7 Activity has compromised various branded SOHO routers to form a botnet that has been leveraged in password spraying activity.[1][2]
Compromise Infrastructure: Network Devices
Quad7 Activity has compromised network devices, such as IP cameras, Network Attached Storage (NAS) devices, and SOHO routers, to leverage for follow-on activity.[2][5]
Enterprise
Quad7 Activity has disabled the management interface on TP-Link devices by killing the /usr/bin/httpd process.[5][2][1]
Enterprise
Exploit Public-Facing Application
Quad7 Activity has exploited remote code execution vulnerabilities in SOHO routers, including CVE-2023-50224 and CVE-2025-9377 in TP-Link devices.[2][4]
Enterprise
Gather Victim Identity Information: Email Addresses
Quad7 Activity has gathered targeted individuals' e-mail addresses for its password spraying attempts.[3]
Enterprise
Quad7 Activity has rotated the compromised SOHO IPs used in password spraying activity to hamper detection and network blocking activities by defenders.[2]
Enterprise
Quad7 Activity has downloaded additional binaries from a remote File Transfer Protocol (FTP) server to compromised devices.[2]
Enterprise
Quad7 Activity has used non-standard TCP ports, such as 7777, 11288, 63256, 63210, 3256, and 3556, for C2.[2][5]
Enterprise
Obfuscated Files or Information: Fileless Storage
Quad7 Activity has infected victim network devices by storing artifacts in the /tmp directory, which is memory-backed and loses its contents on shutdown or restart.[1]
Enterprise
Quad7 Activity has initialized SOCKS5 proxies on compromised devices.[2][1]
Quad7 Activity has routed traffic through chains of compromised network devices for password spray attacks.[2]