The software king of the world, Microsoft reported that “Botnet-7777” includes more than 16,000 compromised devices globally at its peak. Vole dubbed it “CovertNetwork-1658,” to indicate that Chinese threat actors are deploying the botnet to breach targeted Azure accounts.

The botnet’s activities are reportedly “highly evasive,” with the dispersed devices minimising detection by limiting login attempts from each IP. This tactic—known as password spraying—uses widespread, low-frequency login attempts that blend into normal activity, bypassing many traditional security alerts.

Vole said: “Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organisations in a short amount of time.”

The hacking network, previously observed by security researchers Sekoia.io and Team Cymru, employs numerous strategies to remain concealed. Microsoft estimated the botnet now consists of approximately 8,000 active nodes, with the threat actors using SOHO (small office, home office) IP addresses and rotating them to avoid detection.

Microsoft has identified “Storm-0940,” a group that frequently targets think tanks, NGOs, law firms, and government entities, as a key user of CovertNetwork-1658. After gaining access to Azure accounts, the attackers aim to infiltrate other areas of the network, steal data, and deploy remote access tools.

The botnet has decreased in activity recently, but Microsoft believes this is due to infrastructure updates rather than a reduction in operations. Microsoft also suspects a close collaboration between the operators of CovertNetwork-1658 and Storm-0940, citing “quick operational hand-off of compromised credentials” between the two.

Vole said: “Microsoft has observed numerous cases where Storm-0940 has gained initial access to target organisations using valid credentials obtained through CovertNetwork-1658’s password spray operations.”

The botnet’s infection and operation method involves downloading specific binaries to start an access-controlled command shell on TCP port 7777. Once active, the devices enable a SOCKS5 server on TCP port 11288, which the hackers use to anonymise their traffic.

Microsoft did not provide direct guidance for users of affected routers. However, cybersecurity experts recommend rebooting devices as a temporary fix since the malware lacks persistence and cannot survive a restart.