Technical News and Reports about Quad 7 (7777) Botnet aka CovertNetwork-1658
Security Advisory
Updated 08-29-2025 17:14:22 PM
Microsoft has tracked a network of compromised Small Office / Home Office (SOHO) routers, predominantly TP-Link devices, as CovertNetwork-1658 (also called the Quad 7 (7777) botnet). This network has been used by Chinese threat actors for password spray attacks against Microsoft 365 accounts. The threat actor exploits vulnerabilities in the routers to gain remote code execution capability.
Sekoia.io monitored a TP-Link WR841N router (3.16.9 Build 150320 Rel.57500n), which is known to be vulnerable to a chained exploit attack used by the Quad 7 botnet. Sekoia observed a notable attack that chained an unauthenticated file disclosure and a command injection. This unauthenticated file disclosure allowed the threat actor to retrieve the pair of credentials stored in /tmp/dropbear/dropbearpwd and replay them in the HTTP Basic authentication of the management interface (NVD - CVE-2023-50224). Once authenticated, the attacker exploited a known command injection vulnerability in the Parental Control page to achieve the RCE - CVE-2025-9377 (https://www.cve.org/CVERecord?id=CVE-2025-9377).
This exploit chain is only available when the end user has enabled the remote administration interface to the internet, which is not configured by default by TP-Link firmware. TP-Link recommends against exposing the remote administration interface to the internet as a matter of course.
Discovery Timeline:
10/19/2023
- Independent researchers Gi7w0rm and Dunstable Toblerone published a blog post about a botnet nicknamed the “Quad7 botnet” or “7777 botnet”. The post notes that the botnet’s signature pattern can be observed between June and July 2022.
- https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd
07/23/2024
- Sekoia.io, a French network security software operator, investigated the same botnet and indicated that its operators were leveraging compromised TP-Link routers to perform password spraying attacks against Microsoft 365 accounts without any specific targeting.
- https://blog.sekoia.io/solving-the-7777-botnet-enigma-a-cybersecurity-quest/
09/09/2024
- A cybersecurity news site reported that the Quad 7 botnet had expanded to target several additional brands of SOHO routers and VPN appliances, including Zyxel, Asus, Axentra, D-Link, and Netgear, using multiple vulnerabilities, some of which were previously unknown.
- https://thehackernews.com/2024/09/quad7-botnet-expands-to-target-soho.html
10/31/2024
- Microsoft published a blog post reporting intrusion activity successfully targeting and stealing credentials from multiple Microsoft customers by a threat actor identified as associated with the Quad 7 botnet. Microsoft stated the network of compromised devices used by the threat actor was comprised mostly of TP-Link SOHO routers. Microsoft also noted the use of the compromised devices had declined steeply since the network’s activities were publicly reported on.
Related CVEs and Known Exploits
NVD - CVE-2023-50224 - According to Sekoia’s analysis, the threat actor chained two vulnerabilities.
- The first vulnerability is an unauthenticated file disclosure allowing for the retrieval of credentials stored in /tmp/dropbear/dropbearpwd. These credentials were then replayed in the HTTP Basic authentication of the management interface. TP-Link has been tracking this vulnerability internally as TP-Link Vulnerability Disclosure (TPVD) 202321023 TL-WR841N. Patched firmware for the affected devices can be found here.
- The second vulnerability is a known Parental Control command injection RCE exploit. In this vulnerability, tampering with the url_0 parameter in the Parental Control page is used to achieve the RCE. The vulnerability is tracked as CVE-2025-9377 (https://www.cve.org/CVERecord?id=CVE-2025-9377) and TPVD202411095 internally. Patched firmware for the affected devices can be found here.
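The two-stage chain described above (unauthenticated read of /tmp/dropbear/dropbearpwd, then an authenticated Parental Control request with a tampered url_0) can be flagged from a router's HTTP access log. The following is an added detection example, not TP-Link's or Sekoia's code; the log format, the request paths and the sample lines are constructed, and only the dropbearpwd filename and the url_0 parameter name come from this advisory.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# Constructed sample lines: "<client-ip> <basic-auth-user or -> <method> <request-target> <status>".
# Paths are placeholders; only the dropbearpwd filename and the url_0 parameter come from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - GET /placeholder/file_read?name=/tmp/dropbear/dropbearpwd 200
203.0.113.7 admin GET /placeholder/parental_control.htm?url_0=http://example.com;id&Save=Save 200
198.51.100.9 admin GET /placeholder/parental_control.htm?url_0=http://example.com&Save=Save 200
"""

# Characters a legitimate parental-control URL never needs; in url_0 they indicate shell injection.
SHELL_META = re.compile(r"[;|`$<>&\n]")

def parse_line(line):
    ip, user, method, target, status = line.split()
    return {"ip": ip, "user": None if user == "-" else user,
            "method": method, "target": target, "status": int(status)}

def query_params(target):
    # Split on '&' only: older parse_qs also split on ';', hiding the very byte we look for.
    params = defaultdict(list)
    for pair in urlsplit(target).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote_plus(key)].append(unquote_plus(value))
    return params

def is_credential_disclosure(req):
    # Stage 1: unauthenticated 200 on a request that names the dropbear password file.
    return req["user"] is None and req["status"] == 200 and "dropbearpwd" in req["target"]

def is_url0_injection(req):
    # Stage 2: an authenticated Parental Control request whose url_0 carries shell metacharacters.
    return req["user"] is not None and any(
        SHELL_META.search(v) for v in query_params(req["target"]).get("url_0", []))

def find_chain(log_text):
    """Map client IP -> ordered stage tags for clients that completed both stages."""
    stages, hits = defaultdict(list), {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        if is_credential_disclosure(req):
            stages[req["ip"]].append("credential-disclosure")
        elif is_url0_injection(req):
            stages[req["ip"]].append("url_0-injection")
        if {"credential-disclosure", "url_0-injection"} <= set(stages[req["ip"]]):
            hits[req["ip"]] = list(stages[req["ip"]])
    return hits

if __name__ == "__main__":
    for ip, tags in find_chain(SAMPLE_LOG).items():
        print(ip, "->", " then ".join(tags))
```

Only the client that read dropbearpwd without credentials and then submitted a tampered url_0 is reported; a legitimate parental-control save from another client is not.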
Related Firmware and Router Models
- There are two router models and associated firmware versions relevant to the discovery timeline:
- TL-WR841N/ND(MS) 9.0 Firmware version: 3.16.9 Build 150320 Rel.57500n
- Archer C7(EU) 2.0, Firmware version 3.15.3 Build 180305 Rel.51282n
- The firmware versions at issue are several revisions behind the latest firmware for these particular TP-Link SOHO routers. The identified routers are also at End of Life (EOL) status (see our EOL_List_Home.pdf and our TP-Link End-of-Life Policy). They have been replaced by new families of products with superior capabilities and security models. The replacement models are not affected by these vulnerabilities.
- TP-Link is tracking unconfirmed reports of other vulnerable router models, and we will provide updates upon further investigation.
How TP-Link is Responding
- TP-Link is performing the following:
- Despite the affected router models used in the Quad 7 botnet being past their EOL/EOS date, TP-Link has developed and released firmware patching the vulnerabilities used by the Storm-0940/Quad7 threat actor (linked above). We have engaged with the community to raise awareness on the availability of these updates.
- We are engaging with security researchers to obtain additional samples of affected binaries and deployed adversarial payloads in order to perform additional analysis and development of additional Indicators of Compromise (IoC).
- TP-Link and its security partners are actively monitoring public intelligence data on the Quad 7 botnet and similar emerging threats, and the company commits to taking speedy and appropriate action to protect its customers and their devices.