{
	"id": "32f5964d-ebd1-4930-aeda-2407dee7a1cd",
	"created_at": "2026-04-06T00:15:56.847589Z",
	"updated_at": "2026-04-10T03:21:07.124235Z",
	"deleted_at": null,
	"sha1_hash": "7b58f09c1ea17a2aaaa59d02280ecd10dcc03f61",
	"title": "7777 Botnet – Insights into a Multi-Target Botnet | Bitsight",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 826441,
	"plain_text": "7777 Botnet – Insights into a Multi-Target Botnet | Bitsight\r\nBy Written by Gi7w0rm\r\nArchived: 2026-04-05 16:43:17 UTC\r\nOver the last month there have been some updates about the mysterious 7777 botnet—which was first mentioned\r\nin this post in October 2023. Until now, it was known that the botnet was made up of TP-LINK routers and that it\r\nwas being used to execute very low volume and controlled brute force attacks on Microsoft 365 services targeting\r\ncorporate accounts. In our continuous efforts to have all sorts of malware families under our radar, the 7777 botnet\r\nis no exception. Our research, a collaborative effort between Bitsight TRACE and the security researcher\r\nGi7w0rm, has uncovered additional information about this botnet, the devices it affects, and the victims it claims.\r\nThe name 7777 or Quad7 botnet originated from the simple fact that all routers had the port 7777/tcp exposed\r\nwith the banner xlogin :\r\nFigure 1: xlogin shell banner\r\nIn the latest update regarding this botnet, Team Cymru S2 revealed, a new cluster of routers that are also part of\r\nthis botnet. This new cluster is made up of ASUS routers and all have port 63256/tcp exposed with the banner\r\nalogin :\r\nFigure 2: alogin shell banner\r\nIn this blog post, we will reveal two new but smaller clusters of compromised devices that feature bind shells\r\nexposing banners very similar to the already known xlogin and alogin banners that are also part of this\r\nbotnet, and share some up-to-date infection telemetry.\r\nModus Operandi And New Clusters\r\nhttps://www.bitsight.com/blog/7777-botnet-insights-multi-target-botnet\r\nPage 1 of 9\n\nAfter obtaining remote code execution on the devices, the threat actor installs a telnet binary that redirects\r\nconnections to a bind shell that, after receiving the correct password, opens a new /bin/sh process. 
In addition to\r\nthe bind shell, which allows the threat actor to maintain direct access to the devices, a SOCKS5 server is also installed on\r\nthe devices so that they can be used as proxies in future brute force attacks.\r\nFigure 3: Running processes of a compromised TP-LINK router\r\nAll these artifacts installed on infected devices are placed within the /tmp directory, which resides in volatile memory.\r\nWhenever devices are turned off or restarted, their file system is reset and the contents of the /tmp directory are\r\nerased, which forces the threat actor to compromise the devices again.\r\nIt is worth mentioning that the entry vectors exploited by the threat actor are still unknown to us, and obtaining\r\nthis visibility is not a trivial task, as it requires two things:\r\n1. having control over an IP that is on the threat actor's target lists\r\n2. exposing and monitoring a vulnerable device, and hoping for some luck\r\nDuring our investigation we were able to identify two new but smaller clusters of compromised devices that are\r\nalso part of this botnet. One of these clusters is made up of RUCKUS routers, and these devices have port\r\n63210/tcp exposed with the banner rlogin:\r\nFigure 4: rlogin shell banner\r\nThe second cluster is even smaller and is made up of compromised Zyxel Firewall appliances. 
These devices have\r\neither port 3256/tcp or port 3556/tcp exposed with the banner zylogin:\r\nFigure 5: zylogin shell banner\r\nIn the image below you can see what happens to the devices in the case of a successful exploitation attempt.\r\nFigure 6: Exploitation result by device\r\nWe found an additional bind shell binary belonging to this threat actor's tooling that exposes the axlogin:\r\nbanner.\r\nFigure 7: axlogin bind shell\r\nWe confirmed that this bind shell was used to backdoor Axentra devices, although no devices were found\r\ndisplaying this banner, likely because the company and its products have been discontinued for a long time now.\r\nBased on available data, it is estimated that the botnet may have compromised more than 175.000 devices since it\r\nbegan operating. During the last 30 days, through our internet scans, we were able to identify a total of around\r\n16.000 infected devices with exposed bind shells. The fact that all infections are ephemeral, i.e. 
require re-exploitation whenever a device is turned off or restarted, and that only about 9% of the devices remain infected to\r\nthis day could be seen as an indicator that the threat actor has not been updating its targets for some time now.\r\nStill, we are looking at a decent-sized and low-profile botnet that has allowed the threat actor to conduct various\r\nbrute force attacks to this day.\r\nThe top 5 countries with the highest number of compromised devices are, in order:\r\nUS (3103 devices)\r\nRU (2109 devices)\r\nBG (1390 devices)\r\nUA (1286 devices)\r\nPL (689 devices)\r\nFigure 8: TP-LINK, ASUS and RUCKUS devices\r\nAs a botnet that is essentially targeting consumer devices such as routers, the expectation is that it would mostly\r\naffect residential users. Although the majority of cases align with our expectations, it is quite interesting to note\r\nthat of the 840 organizations that we identified with at least one infected device, approximately 20% are not\r\nInternet Service Providers (ISPs). 
It is also quite concerning to see that there are infected devices belonging to\r\ngovernment institutions, many of them present in the USA.\r\nFigure 9: Affected industry sectors\r\n7777 cluster victims\r\nThe 7777 cluster of TP-LINK routers has around 8.303 infected devices, and the top 5 affected countries remain\r\nthe same, although the order changes:\r\nBG (1340 devices)\r\nRU (1192 devices)\r\nUA (967 devices)\r\nUS (829 devices)\r\nPL (410 devices)\r\nFigure 10: TP-LINK devices\r\n63256 cluster victims\r\nThe 63256 cluster of ASUS routers has around 7.192 infected devices, and here the top 5 affected countries\r\nchange a little:\r\nUS (2210 devices)\r\nRU (917 devices)\r\nSE (625 devices)\r\nKR (471 devices)\r\nHK (406 devices)\r\nFigure 11: ASUS devices\r\n63210 cluster victims\r\nThe 63210 cluster of RUCKUS routers has fewer than 200 infected devices, and the top 3 affected countries are:\r\nKR (80 devices)\r\nUS (56 devices)\r\nTW (5 devices)\r\nFigure 12: RUCKUS devices\r\n3256/3556 cluster victims\r\nThis cluster of compromised Zyxel devices is particularly interesting because only a total of 4 compromised hosts\r\nhave been identified, all located in Hong Kong.\r\nDuring our investigation of this botnet, we were able to identify a very significant number of device models that\r\nhave been compromised. 
The diversity of affected models highlights this threat actor's strong capability to\r\nexploit vulnerabilities, which leads us to believe that this botnet could be part of a well-resourced operation\r\ncapable of targeting devices of various brands and models.\r\nThe following models were found to be compromised, grouped by vendor:\r\nASUS: 4G-AC53U, BLUE, BLUE_CAVE, DSL-AC68U, DSL-AX82U, GT-AC2900, GT-AC5300, GT-AX11000, GT-AX6000, GT-AXE16000, RT-AC1200, RT-AC1200HP, RT-AC1300GPLUS, RT-AC1300UHP, RT-AC1750, RT-AC1750_B1, RT-AC1900, RT-AC1900P, RT-AC3100, RT-AC3200, RT-AC51U, RT-AC51UPlus, RT-AC52U, RT-AC52U_B1, RT-AC5300, RT-AC54U, RT-AC55U, RT-AC55UHP, RT-AC56R, RT-AC56U, RT-AC58U, RT-AC66R, RT-AC66U, RT-AC66U_B1, RT-AC66W, RT-AC67U, RT-AC68P, RT-AC68R, RT-AC68U, RT-AC68W, RT-AC750, RT-AC85U, RT-AC86U, RT-AC87R, RT-AC87U, RT-AC88U, RT-ACRH13, RT-AX3000, RT-AX56U, RT-AX58U, RT-AX68U, RT-AX82U, RT-AX86S, RT-AX86U, RT-AX88U, RT-AX89X, RT-AX92U, RT-N14U, RT-N14UHP, RT-N16, RT-N18U, RT-N66R, RT-N66U, RT-N66W, TUF-AX3000, TUF-AX4200, TUF-AX5400, WS880, ZenWiFi\r\nTP-LINK: Archer-C7, EC230-G1, WDR-3500, WDR-3600, WDR-4300, WR-1043ND, WR-740N, WR-840N, WR-841HP, WR-841N, WR-842N, WR-842ND, WR-843N, WR-845N, WR-940N, WR-945N, WR-949N\r\nZyxel: USG20-VPN, USG60, ZyWALL-11\r\nRUCKUS: R500\r\nThere is some speculation regarding the purpose of this botnet and whether its activity is related to the interests of\r\na particular state. 
At the moment, the only certainty is that the botnet is being used to attack corporate\r\naccounts of interest through brute force attacks on Microsoft 365 services, always at a very low volume, in order\r\nto maintain a low profile and avoid detection.\r\nThere are some indicators publicly shared by the research community that suggest this botnet is likely operated by\r\na threat actor originating from China. We were able to deeply investigate some of the infrastructure related to this\r\nbotnet and, based on the evidence collected, we are very confident that this botnet is operated by a Chinese-speaking\r\nthreat actor.\r\nWe will continue to monitor the evolution of this botnet. If you are researching it and want to\r\ncollaborate or exchange notes, feel free to contact us at threat-research@bitsight.com.\r\nSource: https://www.bitsight.com/blog/7777-botnet-insights-multi-target-botnet",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.bitsight.com/blog/7777-botnet-insights-multi-target-botnet"
	],
	"report_names": [
		"7777-botnet-insights-multi-target-botnet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434556,
	"ts_updated_at": 1775791267,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b58f09c1ea17a2aaaa59d02280ecd10dcc03f61.pdf",
		"text": "https://archive.orkl.eu/7b58f09c1ea17a2aaaa59d02280ecd10dcc03f61.txt",
		"img": "https://archive.orkl.eu/7b58f09c1ea17a2aaaa59d02280ecd10dcc03f61.jpg"
	}
}