{
  "description": "Enterprise techniques used by Quad7 Activity, ATT&CK campaign C0055 (v1.0)",
  "name": "Quad7 Activity (C0055)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[Quad7 Activity](https://attack.mitre.org/campaigns/C0055) has used the User-Agent strings Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko and Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36, combined with a reference to the Microsoft Azure PowerShell Application ID 1950a258-227b-4e31-a9cf-717495945fc2, in its sign-in attempts.(Citation: Microsoft Storm-0940)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071.002", "comment": "[Quad7 Activity](https://attack.mitre.org/campaigns/C0055) has used a File Transfer Protocol (FTP) server to download malicious binaries.(Citation: Microsoft Storm-0940)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1110", "showSubtechniques": true},
    {"techniqueID": "T1110.003", "comment": "[Quad7 Activity](https://attack.mitre.org/campaigns/C0055) has conducted a throttled variant of password spraying that used only a single sign-in attempt per 24-hour period, eluding brute-force detection thresholds.(Citation: Microsoft Storm-0940)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.004", "comment": "[Quad7 Activity](https://attack.mitre.org/campaigns/C0055) has enabled the creation of an access-controlled /bin/sh command shell on compromised routers.(Citation: Microsoft Storm-0940)(Citation: Bitsight 7777 Botnet)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1584", "showSubtechniques": true},
    {"techniqueID": "T1584.005", "comment": "[Quad7 Activity](https://attack.mitre.org/campaigns/C0055) has compromised SOHO routers of various brands to form a botnet that has been leveraged in password spraying activity.(Citation: Bitsight 7777 Botnet)(Citation: Microsoft Storm-0940)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1584.008", "comment": "[Quad7 Activity](https://attack.mitre.org/campaigns/C0055) has compromised network devices, such as IP cameras, Network Attached Storage (NAS) devices, and SOHO routers, to leverage for follow-on activity.(Citation: Microsoft Storm-0940)(Citation: Sekoia 7777 Botnet JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1685", "comment": "[Quad7 Activity](https://attack.mitre.org/campaigns/C0055) has disabled the TP-Link management interface by killing the /usr/bin/httpd process.(Citation: Sekoia 7777 Botnet JUL 2024)(Citation: Microsoft Storm-0940)(Citation: Bitsight 7777 Botnet)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1190", "comment": "[Quad7 Activity](https://attack.mitre.org/campaigns/C0055) has enabled the exploitation of remote code execution vulnerabilities in SOHO routers, including CVE-2023-50224 and CVE-2025-9377 in TP-Link devices.(Citation: Microsoft Storm-0940)(Citation: TP-Link Quad 7 AUG 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1589", "showSubtechniques": true},
    {"techniqueID": "T1589.002", "comment": "[Quad7 Activity](https://attack.mitre.org/campaigns/C0055) has gathered targeted individuals\u2019 e-mail addresses for password spraying attempts.(Citation: Medium 777-Botnet)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1665", "comment": "[Quad7 Activity](https://attack.mitre.org/campaigns/C0055) has rotated the compromised SOHO IPs used in password spraying activity to hamper detection and network blocking by defenders.(Citation: Microsoft Storm-0940)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1105", "comment": "[Quad7 Activity](https://attack.mitre.org/campaigns/C0055) has downloaded additional binaries from a remote File Transfer Protocol (FTP) server to compromised devices.(Citation: Microsoft Storm-0940)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1571", "comment": "[Quad7 Activity](https://attack.mitre.org/campaigns/C0055) has used non-standard TCP ports, such as 7777, 11288, 63256, 63210, 3256, and 3556, for C2.(Citation: Microsoft Storm-0940)(Citation: Sekoia 7777 Botnet JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.011", "comment": "[Quad7 Activity](https://attack.mitre.org/campaigns/C0055) has infected victim network devices by storing artifacts in the /tmp directory, which is held in volatile memory and cleared on shutdown or restart.(Citation: Bitsight 7777 Botnet)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1090", "showSubtechniques": true},
    {"techniqueID": "T1090.002", "comment": "[Quad7 Activity](https://attack.mitre.org/campaigns/C0055) has initialized SOCKS5 proxies on compromised devices.(Citation: Microsoft Storm-0940)(Citation: Bitsight 7777 Botnet)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1090.003", "comment": "[Quad7 Activity](https://attack.mitre.org/campaigns/C0055) has routed traffic through chains of compromised network devices for password spray attacks.(Citation: Microsoft Storm-0940)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Quad7 Activity", "color": "#66b1ff"}]
}