BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.botconf.org//botconf-2026//speaker//NCEJFJ
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-botconf-2026-AX8BTL@cfp.botconf.org
DTSTART;TZID=CET:20260417T150000
DTEND;TZID=CET:20260417T153000
DESCRIPTION:In November 2025\, our Threat Hunting team identified a low-vol
 ume credential stuffing campaign targeting authentication attempts associa
 ted with the Microsoft Azure PowerShell application in Entra ID. While the
 se attempts were largely unsuccessful due to enforced MFA\, the request pa
 tterns strongly resembled activity previously associated with the Quad7 bo
 tnet.\nThe purpose of this presentation is to disclose details of our ongo
 ing investigation that pivoted from cloud-based authentication abuse to co
 mpromised embedded devices\, uncovering multiple botnet components and dis
 tinct actor activity on real-world customer-owned hardware.\nWe identified
  a shared embedded-device ecosystem in which at least two independent acto
 rs operated in parallel: one aligned with previously documented Quad7 acti
 vity\, and another leveraging compromised devices as residential proxy and
  ORB infrastructure. This overlap illustrates how mass-compromised network
  devices blur traditional distinctions between state-aligned operations an
 d eCrime-driven proxy ecosystems.\nAt the time of writing\, we are not awa
 re of any prior public disclosure of these findings.
DTSTAMP:20260429T221536Z
LOCATION:Amphitheater
SUMMARY:When One Botnet Leads to Another: Pivoting from Quad7-like Activity
  to Unknown Proxy Networks on Embedded Devices - Andreas Petker\, Hanno He
 inrichs
URL:https://cfp.botconf.org/botconf-2026/talk/AX8BTL/
END:VEVENT
END:VCALENDAR