Network Security

Quad7 Botnet Operators Compromising Several Routers & VPN Appliances

The Quad7 botnet (aka 7777 botnet, xlogin botnet) has gained attention for its use of compromised TP-Link routers to conduct attacks on Microsoft 365 accounts. 

This botnet primarily employs password-spraying techniques, which involve attempting to log in with a list of common passwords across many accounts, rather than trying to guess individual passwords for each account.

Researchers at Sekoia identified that the operators of the Quad7 botnet have been actively attacking several routers and VPN appliances. 

While tracking the Quad7 botnet, security analysts uncovered an expanding threat landscape with five distinct "*login" clusters (alogin, xlogin, axlogin, rlogin, zylogin) targeting various router brands, including TP-LINK, Zyxel, Asus, Axentra, D-Link, and Netgear.


Quad7 Botnet Operators Compromising Routers

The xlogin botnet, compromising TP-Link routers, utilizes TCP ports 7777 for root-privileged bind shells and 11288 for SOCKS5 proxies, primarily for M365 brute-force attacks. 

The alogin botnet was found to be targeting Asus routers, operating on ports 63256 (TELNET) and 63260 (SOCKS5), facilitating VPN, SSH, and TELNET attack relays. 

New developments include the UPDATE backdoors, HTTP-based reverse shells for MIPS and ARM architectures, using libcurl for communication with 30-second beacons, and an “IOT” User-Agent. 

Reverse shell communication (Source – Sekoia)

These backdoors execute commands via JSON POST requests while updating C2 URLs and executing system commands. 

The operators are also testing FsyNet, which is a sophisticated project using the KCP protocol over UDP (port 9999) for low-latency communication. 

FsyNet’s components (asr_node, node-r-control, node-relay) implement multi-layered encryption with hard-coded keys and IVs. 

FsyNet communications decryption process (Source – Sekoia)

This evolution from open SOCKS proxies to encrypted, reverse-shell architectures illustrates the threat actor's adaptation toward stealthier, more robust attack infrastructure.
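The network indicators above (fixed listener ports for the xlogin and alogin clusters and for FsyNet's KCP channel, and the HTTP reverse shell beaconing every 30 seconds with an "IOT" User-Agent) are exactly the kind of thing a defender can look for in firewall and proxy logs. The following is an added example, not code from Sekoia or from the article: it runs two checks over constructed log lines, one for inbound connections to the ports named above, and one for periodic JSON POST beacons from a single device carrying that User-Agent. The log formats, IP addresses and URLs are constructed for the example; the port-to-cluster mapping is taken from the article.

```python
"""Added example: flag Quad7-style indicators in constructed firewall and proxy logs.

Check 1: inbound connections to the listener ports the article attributes to the
         *login clusters and to FsyNet.
Check 2: HTTP reverse-shell beaconing, i.e. repeated POSTs from one source with a
         User-Agent of "IOT" at roughly 30-second intervals.
All log lines, addresses and URLs below are constructed sample data.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# (protocol, destination port) -> what the article says listens there.
QUAD7_PORTS = {
    ("tcp", 7777): "xlogin root-privileged bind shell",
    ("tcp", 11288): "xlogin SOCKS5 proxy",
    ("tcp", 63256): "alogin TELNET",
    ("tcp", 63260): "alogin SOCKS5 proxy",
    ("udp", 9999): "FsyNet KCP listener",
}

# Constructed firewall log: "<timestamp> <proto> <src_ip>:<port> -> <dst_ip>:<port>"
FIREWALL_LOG = """\
2024-09-10T10:00:01Z tcp 203.0.113.5:51000 -> 192.0.2.10:443
2024-09-10T10:00:02Z tcp 203.0.113.7:51234 -> 192.0.2.10:7777
2024-09-10T10:00:03Z udp 203.0.113.9:40000 -> 192.0.2.11:9999
2024-09-10T10:00:04Z tcp 203.0.113.5:51001 -> 192.0.2.10:22
2024-09-10T10:00:05Z tcp 203.0.113.8:51500 -> 192.0.2.12:63260
"""

# Constructed proxy log: '<timestamp> <src_ip> <method> <url> ua="<user-agent>"'
PROXY_LOG = """\
2024-09-10T10:00:00Z 192.0.2.10 POST http://198.51.100.20/api ua="IOT"
2024-09-10T10:00:30Z 192.0.2.10 POST http://198.51.100.20/api ua="IOT"
2024-09-10T10:01:00Z 192.0.2.10 POST http://198.51.100.20/api ua="IOT"
2024-09-10T10:01:31Z 192.0.2.10 POST http://198.51.100.20/api ua="IOT"
2024-09-10T10:00:10Z 192.0.2.11 GET http://example.net/ ua="Mozilla/5.0"
2024-09-10T10:02:10Z 192.0.2.11 POST http://example.net/upload ua="Mozilla/5.0"
"""

PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) ua="([^"]*)"$')


def _parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z (older Pythons reject 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_port_indicators(log_text):
    """Return (dst_ip, proto, port, description) for hits on QUAD7_PORTS."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, proto, _src, _arrow, dst = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        key = (proto.lower(), int(dst_port))
        if key in QUAD7_PORTS:
            hits.append((dst_ip, key[0], key[1], QUAD7_PORTS[key]))
    return hits


def find_beacons(log_text, user_agent="IOT", period=30, tolerance=5, min_hits=3):
    """Return (src_ip, url, count, median_interval) for POST series with the given
    User-Agent whose spacing stays within period +/- tolerance seconds."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        ts, src_ip, method, url, ua = m.groups()
        if method == "POST" and ua == user_agent:
            series[(src_ip, url)].append(_parse_ts(ts))
    beacons = []
    for (src_ip, url), stamps in series.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = [g for g in gaps if abs(g - period) <= tolerance]
        # Every gap must look periodic and there must be enough of them to matter.
        if gaps and len(regular) == len(gaps) and len(stamps) >= min_hits:
            beacons.append((src_ip, url, len(stamps), statistics.median(gaps)))
    return beacons


if __name__ == "__main__":
    for hit in find_port_indicators(FIREWALL_LOG):
        print("port indicator:", hit)
    for beacon in find_beacons(PROXY_LOG):
        print("beacon pattern:", beacon)
```

The port check catches the earlier, scan-visible infrastructure; the beacon check is the one that still applies once the operators move to reverse shells and randomized ports, because it keys on the device's outbound behaviour rather than on a listener. Tune `period` and `tolerance` to what your own egress logs show before relying on it.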

Researchers found a shell script dubbed "exec.sh" within the ASUS folder that targets network devices like ASUS, D-LINK DIR-610, and Netgear R7000. 

This script sets up firewall rules and then downloads and runs the netd and tun.ko files. 

While tun.ko wasn't available, experts analyzed netd, which turns compromised devices into relay nodes using the CJDNS darknet protocol instead of KCP. 

When installed, netd creates two Salsa20-encrypted files, "netd.dat" (configuration) and "sys.dat" (system info), and sends them to the attacker's server. 

Besides this, the netd.dat file enables a secure UDP connection between the attacker’s ORB (compromised device) and their command-and-control (C2) server. 

Unlike the earlier FsyNet binary, the netd uses randomized UDP ports, which makes it harder to detect compromised appliances by scanning. 

This approach is part of the Quad7 botnet that exploits edge devices for anonymous and distributed attacks like relay brute-forcing. 

The operators are learning from earlier mistakes and moving to more sophisticated methods, including HTTP reverse shells and encrypted protocols, which complicates attribution and detection efforts.


Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
