Microsoft has uncovered a significant cyber threat involving a Chinese botnet known as Quad7, which is reportedly targeting organisations across the globe with sophisticated password spray attacks.
The botnet is used by a group Microsoft tracks as Storm-0940, which takes the credentials it yields to breach networks, paving the way for further intrusive and potentially disruptive cyber activity.
According to Microsoft, the main objective of this campaign appears to be espionage, as the targets include high-value entities such as think tanks, government bodies, NGOs, law firms, and defence industries.
Strategic and stealthy infiltrations
Storm-0940’s method of attack is calculated and difficult to detect. Microsoft tracks the spraying infrastructure as CovertNetwork-1658, a network of compromised SOHO routers (the botnet the wider security community knows as Quad7). It submits very few login attempts against many accounts within a target organisation, so that no single account or source address draws attention.
Microsoft’s report indicates that in around 80 per cent of cases, CovertNetwork-1658 makes only a single login attempt per account each day, a strategy designed to evade traditional security monitoring systems.
Once a password is guessed, the follow-up is swift. Microsoft revealed that in some cases Storm-0940 used the credentials on the same day they were obtained. The attackers’ first actions after gaining access include extracting additional credentials and deploying remote access tools (RATs) and proxies to maintain their foothold within the network.
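The one-attempt-per-account pattern above defeats the usual per-account lockout or failure threshold, because no single account ever crosses it. The detection that does work aggregates across the whole tenant: many distinct accounts each seeing exactly one failure in a day, from many different source addresses. The following is an added example, not code from the article or from Microsoft; the sign-in log it parses is constructed, and the record layout (timestamp, account, source IP, outcome) is an assumption rather than any real product’s format. It contrasts a classic per-account rule with a tenant-wide spray rule, then lists the successful sign-ins on a flagged day as the first triage leads.

```python
from collections import defaultdict

# Constructed sign-in log (not real telemetry). The field layout is an assumption:
#   <timestamp> <account> <source_ip> <outcome>
# Day 1 models the low-and-slow spray described above: 30 accounts, a single
# attempt each, every attempt from a different source address, and one attempt
# that happens to succeed. Day 2 is ordinary activity, including a user who
# mistypes her password three times before signing in.
def build_sample_log():
    lines = []
    for i in range(30):
        outcome = "SUCCESS" if i == 7 else "FAILURE"
        lines.append(f"2024-10-28T{8 + i // 4:02d}:{(i * 13) % 60:02d}:00Z "
                     f"user{i:02d}@example.org 198.51.100.{i + 1} {outcome}")
    lines += [
        "2024-10-29T08:02:10Z user03@example.org 192.0.2.40 SUCCESS",
        "2024-10-29T08:05:31Z carol@example.org 192.0.2.55 FAILURE",
        "2024-10-29T08:05:49Z carol@example.org 192.0.2.55 FAILURE",
        "2024-10-29T08:06:12Z carol@example.org 192.0.2.55 FAILURE",
        "2024-10-29T08:06:40Z carol@example.org 192.0.2.55 SUCCESS",
        "2024-10-29T09:10:05Z user12@example.org 192.0.2.41 SUCCESS",
    ]
    return "\n".join(lines)


def parse_log(text):
    """Split each line into a record; the day is the date part of the timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, outcome = line.split()
        records.append({"day": ts[:10], "account": account, "src": src, "outcome": outcome})
    return records


def per_account_alerts(records, threshold=3):
    """Classic rule: alert when one account accumulates >= threshold failures in a day.
    It fires on a user fumbling her password but is blind to a spray that makes
    exactly one attempt per account."""
    fails = defaultdict(int)
    for r in records:
        if r["outcome"] == "FAILURE":
            fails[(r["day"], r["account"])] += 1
    return sorted(key for key, n in fails.items() if n >= threshold)


def spray_alerts(records, min_accounts=10, single_attempt_share=0.8):
    """Tenant-wide rule: per day, count distinct accounts that saw any failure and
    how many of those saw exactly one. Many accounts with a single failure each,
    spread over many sources, is the spray signature even though no account or
    source ever crosses a per-entity threshold."""
    per_day = defaultdict(lambda: defaultdict(int))  # day -> account -> failures
    sources = defaultdict(set)                        # day -> sources behind failures
    for r in records:
        if r["outcome"] == "FAILURE":
            per_day[r["day"]][r["account"]] += 1
            sources[r["day"]].add(r["src"])
    alerts = {}
    for day, accounts in per_day.items():
        singles = sum(1 for n in accounts.values() if n == 1)
        if len(accounts) >= min_accounts and singles / len(accounts) >= single_attempt_share:
            alerts[day] = {
                "failed_accounts": len(accounts),
                "single_attempt_accounts": singles,
                "distinct_sources": len(sources[day]),
            }
    return alerts


def successes_on_spray_days(records, alerts):
    """Triage leads: every successful sign-in on a day flagged as a spray. Follow-on
    activity can start the same day a password is guessed, so review these first."""
    return sorted((r["day"], r["account"], r["src"]) for r in records
                  if r["outcome"] == "SUCCESS" and r["day"] in alerts)


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("per-account rule:", per_account_alerts(recs))
    flagged = spray_alerts(recs)
    print("tenant-wide rule:", flagged)
    print("review first:", successes_on_spray_days(recs, flagged))
```

The thresholds are assumptions to tune per tenant: `min_accounts` should sit above the number of distinct accounts that fail on a normal day, and `single_attempt_share` keeps a genuine outage (where the same users fail repeatedly) from tripping the rule. Because the sprayed attempts arrive from different residential addresses, a per-source-IP rule would miss this pattern just as the per-account rule does.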
Expanding target surface and malware clusters
Quad7 is not an unfamiliar threat. It gained significant attention in September 2024 when it began exhibiting new features and expanding its range of targets. Initially spotted by a researcher known as Gi7w0rm and analysed by Sekoia experts, the botnet was first seen focusing on TP-Link routers.
However, it rapidly evolved to target other devices such as ASUS routers and expanded further to compromise Zyxel VPN endpoints, Ruckus wireless routers, and Axentra media servers.
The attackers have developed tailored malware for each device family, producing distinct clusters of infections. Each cluster is named after the banner its backdoor presents at the login prompt on the infected device: ‘rlogin’ for Ruckus devices, ‘xlogin’ for TP-Link, ‘alogin’ for ASUS, ‘axlogin’ for Axentra and ‘zylogin’ for Zyxel. The scale of these clusters varies widely, from thousands of infected devices down to as few as two.
Broader implications and security concerns
The discovery of Quad7’s expanded operations underlines the growing complexity of global cyber threats. Using compromised SOHO (small office/home office) routers as the source of the sign-in attempts means each guess arrives from an ordinary residential address, which sidesteps the IP-reputation and geolocation checks enterprise defences rely on. By customising their malware per device and keeping attempts per account to a minimum, Storm-0940 and its affiliates are demonstrating an advanced level of tradecraft.
Microsoft’s findings emphasise the importance of robust security measures and continuous monitoring for organisations worldwide.
While Quad7’s reach and impact continue to grow, cybersecurity experts are urging organisations to strengthen their defences: monitor failed sign-ins across the whole tenant rather than per account, enforce multi-factor authentication, and keep routers and other network edge devices patched and off the internet-facing management plane, so they cannot be conscripted into the botnet.