{
	"id": "30ec0246-1111-410f-aa31-5853b35cf4e2",
	"created_at": "2026-04-06T00:11:53.603358Z",
	"updated_at": "2026-04-10T13:11:29.126986Z",
	"deleted_at": null,
	"sha1_hash": "df2a95f9755ceb9f675df859c420a78a3344f25c",
	"title": "Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 433518,
	"plain_text": "Chinese threat actor Storm-0940 uses credentials from password\r\nspray attacks from a covert network | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2024-10-31 · Archived: 2026-04-05 18:49:34 UTC\r\nSince August 2023, Microsoft has observed intrusion activity targeting and successfully stealing credentials from\r\nmultiple Microsoft customers that is enabled by highly evasive password spray attacks. Microsoft has linked the\r\nsource of these password spray attacks to a network of compromised devices we track as CovertNetwork-1658,\r\nalso known as xlogin and Quad7 (7777). Microsoft is publishing this blog on how covert networks are used in\r\nattacks, with the goal of increasing awareness, improving defenses, and disrupting related activity against our\r\ncustomers.\r\nMicrosoft assesses that credentials acquired from CovertNetwork-1658 password spray operations are used by\r\nmultiple Chinese threat actors. In particular, Microsoft has observed the Chinese threat actor Storm-0940 using\r\ncredentials from CovertNetwork-1658. Active since at least 2021, Storm-0940 obtains initial access through\r\npassword spray and brute-force attacks, or by exploiting or misusing network edge applications and services.\r\nStorm-0940 is known to target organizations in North America and Europe, including think tanks, government\r\norganizations, non-governmental organizations, law firms, defense industrial base, and others.\r\nAs with any observed nation-state threat actor activity, Microsoft has directly notified targeted or compromised\r\ncustomers, providing them with important information needed to help secure their environments. In this blog, we\r\nprovide more information about CovertNetwork-1658 infrastructure, and associated Storm-0940 activity. 
We also\r\nshare mitigation recommendations, detection information, and hunting queries that can help organizations identify,\r\ninvestigate, and mitigate associated activity.\r\nWhat is CovertNetwork-1658?\r\nMicrosoft tracks a network of compromised small office and home office (SOHO) routers as CovertNetwork-1658. SOHO routers manufactured by TP-Link make up most of this network. Microsoft uses “CovertNetwork” to\r\nrefer to a collection of egress IPs consisting of compromised or leased devices that may be used by one or more\r\nthreat actors.\r\nCovertNetwork-1658 specifically refers to a collection of egress IPs that may be used by one or more Chinese\r\nthreat actors and is wholly comprised of compromised devices. Microsoft assesses that a threat actor located in\r\nChina established and maintains this network. The threat actor exploits a vulnerability in the routers to gain\r\nremote code execution capability. We continue to investigate the specific exploit by which this threat actor\r\ncompromises these routers. Microsoft assesses that multiple Chinese threat actors use the credentials acquired\r\nfrom CovertNetwork-1658 password spray operations to perform computer network exploitation (CNE) activities.\r\nPost-compromise activity on compromised routers\r\nhttps://www.microsoft.com/en-us/security/blog/2024/10/31/chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network/\r\nPage 1 of 8\n\nAfter successfully gaining access to a vulnerable router, in some instances, the following steps are taken by the\r\nthreat actor to prepare the router for password spray operations:\r\n1. Download Telnet binary from a remote File Transfer Protocol (FTP) server\r\n2. Download xlogin backdoor binary from a remote FTP server\r\n3. Utilize the downloaded Telnet and xlogin binaries to start an access-controlled command shell on TCP port\r\n7777\r\n4. Connect and authenticate to the xlogin backdoor listening on TCP port 7777\r\n5. 
Download a SOCKS5 server binary to router\r\n6. Start SOCKS5 server on TCP port 11288\r\nFigure 1. Steps taken to prepare the router for password spray operations\r\nCovertNetwork-1658 is observed conducting their password spray campaigns through this proxy network to\r\nensure the password spray attempts originate from the compromised devices.\r\nPassword spray activity from CovertNetwork-1658 infrastructure\r\nMicrosoft has observed multiple password spray campaigns originating from CovertNetwork-1658 infrastructure.\r\nIn these campaigns, CovertNetwork-1658 submits a very small number of sign-in attempts to many accounts at a\r\ntarget organization. In about 80 percent of cases, CovertNetwork-1658 makes only one sign-in attempt per account\r\nper day. Figure 2 depicts this distribution in greater detail.\r\nFigure 2. CovertNetwork-1658 count of sign-in attempts per account per day.\r\nCovertNetwork-1658 infrastructure is difficult to monitor due to the following characteristics:\r\nThe use of compromised SOHO IP addresses\r\nThe use of a rotating set of IP addresses at any given time. The threat actors had thousands of available IP\r\naddresses at their disposal. The average uptime for a CovertNetwork-1658 node is approximately 90 days.\r\nThe low-volume password spray process; for example, monitoring for multiple failed sign-in attempts from\r\none IP address or to one account will not detect this activity\r\nVarious security vendors have reported on CovertNetwork-1658 activities, including Sekoia (July 2024) and Team\r\nCymru (August 2024). Microsoft assesses that after these blogs were published, use of the CovertNetwork-1658\r\nnetwork has declined substantially. The chart below highlights a steady and steep decline in the use of\r\nCovertNetwork-1658’s original infrastructure since their activities have been exposed in public reporting as\r\nobserved in Censys.IO data.\r\nFigure 3. Chart showing the drop in CovertNetwork-1658’s available nodes between August 1, 2024\r\nand October 29, 2024\r\nMicrosoft assesses that CovertNetwork-1658 has not stopped operations as indicated in recent activity but is likely\r\nacquiring new infrastructure with modified fingerprints from what has been publicly disclosed. An observed\r\nincrease in recent activity may be early evidence supporting this assessment.\r\nFigure 4. Chart showing number of Microsoft Azure tenants targeted by day between October 8,\r\n2024 and October 30, 2024.\r\nHistorically, Microsoft has observed an average of 8,000 compromised devices actively engaged in the\r\nCovertNetwork-1658 network at any given time. On average, about 20 percent of these devices perform password\r\nspraying at any given time. Any threat actor using the CovertNetwork-1658 infrastructure could conduct password\r\nspraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and\r\ninitial access to multiple organizations in a short amount of time. This scale, combined with quick operational\r\nturnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the\r\npotential of account compromises across multiple sectors and geographic regions.\r\nBelow are User Agent Strings* observed in the password spray activity:\r\nMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36\r\n*Note: We updated this list of User Agent Strings on November 4, 2024 to fix typos.\r\nObserved activity tied to Storm-0940\r\nMicrosoft has observed numerous cases where Storm-0940 has gained initial access to target organizations using\r\nvalid credentials obtained through CovertNetwork-1658’s password spray operations. In some instances, Storm-0940 was observed using compromised credentials that were obtained from CovertNetwork-1658 infrastructure on\r\nthe same day. This quick operational hand-off of compromised credentials is evidence of a likely close working\r\nrelationship between the operators of CovertNetwork-1658 and Storm-0940.\r\nAfter successfully gaining access to a victim environment, in some instances, Storm-0940 has been observed:\r\nUsing scanning and credential dumping tools to move laterally within the network;\r\nAttempting to access network devices and install proxy tools and remote access trojans (RATs) for\r\npersistence; and\r\nAttempting to exfiltrate data.\r\nRecommendations\r\nOrganizations can defend against password spraying by building credential hygiene and hardening cloud\r\nidentities. 
Microsoft recommends the following mitigations to reduce the impact of this threat:\r\nEducate users on the importance of credential hygiene and avoiding password reuse.\r\nEnforce multi-factor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly\r\nrequire MFA from all devices, in all locations, at all times. Microsoft continues to expand MFA defaults for\r\nproducts and services like Azure to broaden MFA adoption.\r\nConsider transitioning to a passwordless primary authentication method, such as Azure MFA,\r\ncertificates, or Windows Hello for Business.\r\nSecure Remote Desktop Protocol (RDP) or Windows Virtual Desktop endpoints with MFA to\r\nharden against password spray or brute force attacks.\r\nEnable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft\r\nAuthenticator) for accounts that support passwordless. For accounts that still require passwords, use\r\nauthenticator apps like Microsoft Authenticator for MFA.\r\nDisable legacy authentication.\r\nUse a cloud-based identity security solution to identify and detect threats or compromised identities.\r\nDisable stale or unused accounts.\r\nReset account passwords for any accounts targeted during a password spray attack. If a targeted account\r\nhad system-level permissions, further investigation may be warranted.\r\nImplement the Azure Security Benchmark and general best practices for securing identity infrastructure,\r\nincluding:\r\nCreate conditional access policies to allow or disallow access to the environment based on defined\r\ncriteria.\r\nBlock legacy authentication with Azure AD by using Conditional Access. 
Legacy authentication\r\nprotocols don’t have the ability to enforce MFA, so blocking such authentication methods will\r\nprevent password spray attackers from taking advantage of the lack of MFA on those protocols.\r\nEnable AD FS web application proxy extranet lockout to protect users from potential password\r\nbrute force compromise.\r\nSecure accounts with credential hygiene:\r\nPractice the principle of least privilege and audit privileged account activity in your Azure AD\r\nenvironments to slow and stop attackers.\r\nDeploy Azure AD Connect Health for ADFS. This captures failed attempts as well as IP addresses\r\nrecorded in ADFS logs for bad requests via the Risky IP report.\r\nUse Azure AD password protection to detect and block known weak passwords and their variants.\r\nTurn on identity protection in Azure AD to monitor for identity-based risks and create policies for\r\nrisky sign-ins.\r\nEducate users about phishing attempts and MFA fatigue attacks. Encourage users to report unsolicited MFA\r\nauthentication prompts.\r\nReview your Anomaly detection policies in Defender for Cloud Apps under Microsoft 365 Defender\r\nPolicies by going to Cloud Apps \u003e Policies \u003e Policy management. Then select Anomaly detection policy.\r\nDetection details\r\nAlerts with the following titles in the Security Center can indicate threat activity on your network:\r\nMicrosoft Defender for Endpoint\r\nThe following Microsoft Defender for Endpoint alert can indicate associated threat activity:\r\nStorm-0940 actor activity detected\r\nMicrosoft Defender XDR\r\nThe following alert might indicate threat activity related to this threat. Note, however, that these alerts can also be\r\ntriggered by unrelated threat activity.\r\nPassword spray attacks originating from single ISP\r\nMicrosoft Defender for Identity\r\nThe following Microsoft Defender for Identity alerts can indicate associated threat activity:\r\nPassword Spray\r\nUnfamiliar Sign-in properties\r\nAtypical travel\r\nSuspicious behavior: Impossible travel activity\r\nMicrosoft Defender for Cloud Apps\r\nThe following Microsoft Defender for Cloud Apps alerts can indicate associated threat activity:\r\nSuspicious Administrative Activity\r\nImpossible travel activity\r\nHunting queries\r\nMicrosoft Defender XDR\r\nMicrosoft Defender XDR customers can run the following query to find related activity in their networks:\r\nPotential Storm-0940 activity\r\nThis query identifies UserAgents obtained from observed activity and AAD SignInEvent attributes that identify\r\npotential activity to guide investigation:\r\n//Advanced Hunting Query\r\nlet suspAppRes = datatable(appId:string, resourceId:string)\r\n[\r\n\"1950a258-227b-4e31-a9cf-717495945fc2\", \"00000003-0000-0000-c000-000000000000\"\r\n];\r\nlet userAgents = datatable(userAgent:string)\r\n[\r\n\"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\",\r\n\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36\" //Low fidelity\r\n];\r\nAADSignInEventsBeta\r\n| where Timestamp \u003e= ago(30d)\r\n| where ApplicationId in ((suspAppRes | project appId)) and ResourceId in ((suspAppRes | project resourceId)) and UserAgent in ((userAgents | project userAgent))\r\nFailed sign-in activity\r\nThe following query identifies failed attempts to sign-in from multiple sources that originate from a\r\nsingle ISP. Attackers distribute attacks from multiple IP addresses across a single service provider\r\nto evade detection.\r\nIdentityLogonEvents\r\n| where Timestamp \u003e ago(4h)\r\n| where ActionType == \"LogonFailed\"\r\n| where isnotempty(AccountObjectId)\r\n| summarize TargetCount = dcount(AccountObjectId), TargetCountry = dcount(Location), TargetIPAddress = dcount(IPAddress) by ISP\r\n| where TargetCount \u003e= 100\r\n| where TargetCountry \u003e= 5\r\n| where TargetIPAddress \u003e= 25\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If\r\nthe TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the\r\nMicrosoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on\r\nthe Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.\r\nPotential Storm-0940 activity\r\nThis query identifies UserAgents obtained from observed activity and AAD SignInEvent attributes that identify\r\npotential activity to guide investigation:\r\n//sentinelquery\r\nlet suspAppRes = datatable(appId:string, resourceId:string)\r\n[\r\n\"1950a258-227b-4e31-a9cf-717495945fc2\", \"00000003-0000-0000-c000-000000000000\"\r\n];\r\nlet userAgents = datatable(userAgent:string)\r\n[\r\n\"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\",\r\n\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36\" //Low fidelity\r\n];\r\nSigninLogs\r\n| where TimeGenerated \u003e= ago(30d)\r\n| where AppId in ((suspAppRes | project appId)) and ResourceIdentity in ((suspAppRes | project resourceId)) and UserAgent in ((userAgents | project userAgent))\r\nLearn more\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn at\r\nhttps://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter)\r\nat https://twitter.com/MsftSecIntel.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat\r\nlandscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.\r\nSource: https://www.microsoft.com/en-us/security/blog/2024/10/31/chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2024/10/31/chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network/"
	],
	"report_names": [
		"chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network"
	],
	"threat_actors": [
		{
			"id": "046ca688-af96-46ec-8782-88350c635b4c",
			"created_at": "2024-12-21T02:00:02.852393Z",
			"updated_at": "2026-04-10T02:00:03.785762Z",
			"deleted_at": null,
			"main_name": "Storm-0940",
			"aliases": [
				"CovertNetwork-1658",
				"ORB07"
			],
			"source_name": "MISPGALAXY:Storm-0940",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434313,
	"ts_updated_at": 1775826689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df2a95f9755ceb9f675df859c420a78a3344f25c.pdf",
		"text": "https://archive.orkl.eu/df2a95f9755ceb9f675df859c420a78a3344f25c.txt",
		"img": "https://archive.orkl.eu/df2a95f9755ceb9f675df859c420a78a3344f25c.jpg"
	}
}