Andreas Petker

I have been working for several years as a Senior Analyst in the Cyber Threat Intelligence (CTI) department at Deutsche Telekom Security. In this role I am deeply involved in analyzing attack methods and profiling threat actors. A particular focus of my work is the investigation of botnet structures—especially those associated with so-called residential proxies, VPN providers, and ORB networks.


Session

04-17
15:00
30min
When One Botnet Leads to Another: Pivoting from Quad7-like Activity to Unknown Proxy Networks on Embedded Devices
Fabian Marquardt, Andreas Petker

In November 2025, our Threat Hunting team identified a low-volume credential-stuffing campaign whose authentication attempts were associated with the Microsoft Azure PowerShell application in Entra ID. While these attempts were largely unsuccessful due to enforced MFA, the request patterns strongly resembled activity previously associated with the Quad7 botnet.
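The hunting signal the abstract describes (few attempts per source IP, many distinct target users, all against one application, mostly failing at the password or MFA stage) is easy to miss with per-IP brute-force rules. The following script is an added illustration of an app-level aggregate hunt over Entra ID sign-in records; it is not the speakers' detection logic, and its sample records, field names (modeled on the sign-in log schema), result codes and thresholds are all assumptions chosen for the example.

```python
"""Hunt for low-and-slow credential stuffing against one Entra ID application.

Rather than counting failures per IP, this profiles the aggregate of failed
sign-ins to a single app inside a sliding time window: many distinct users,
many distinct IPs, and a small maximum attempts-per-IP is the shape of a
distributed, residential-proxy-backed stuffing run.
"""
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample sign-in records (NOT real log data).  Field names follow
# the Entra ID sign-in log schema as an assumption; real exports vary.
# resultType "0" = success; "50126" and "50076" are used here as assumed
# illustrative codes for "bad password" and "MFA required" respectively.
SAMPLE_SIGNINS = [
    # a lone admin typo days earlier: outside the window, must not contribute
    {"createdDateTime": "2025-10-30T08:00:00Z", "userPrincipalName": "admin.one@example.test",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Azure PowerShell", "resultType": "50126"},
    # the low-volume run: one or two tries per IP, a new user almost every time
    {"createdDateTime": "2025-11-03T01:05:00Z", "userPrincipalName": "alice.m@example.test",
     "ipAddress": "198.51.100.21", "appDisplayName": "Microsoft Azure PowerShell", "resultType": "50126"},
    {"createdDateTime": "2025-11-03T03:40:00Z", "userPrincipalName": "bob.k@example.test",
     "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Azure PowerShell", "resultType": "50126"},
    {"createdDateTime": "2025-11-03T06:12:00Z", "userPrincipalName": "carol.s@example.test",
     "ipAddress": "192.0.2.140", "appDisplayName": "Microsoft Azure PowerShell", "resultType": "50076"},
    {"createdDateTime": "2025-11-03T09:55:00Z", "userPrincipalName": "dave.r@example.test",
     "ipAddress": "198.51.100.21", "appDisplayName": "Microsoft Azure PowerShell", "resultType": "50126"},
    {"createdDateTime": "2025-11-03T10:00:00Z", "userPrincipalName": "admin.one@example.test",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Azure PowerShell", "resultType": "0"},
    {"createdDateTime": "2025-11-03T13:30:00Z", "userPrincipalName": "erin.t@example.test",
     "ipAddress": "192.0.2.9", "appDisplayName": "Microsoft Azure PowerShell", "resultType": "50126"},
    {"createdDateTime": "2025-11-03T17:02:00Z", "userPrincipalName": "frank.l@example.test",
     "ipAddress": "203.0.113.200", "appDisplayName": "Microsoft Azure PowerShell", "resultType": "50076"},
    {"createdDateTime": "2025-11-03T19:40:00Z", "userPrincipalName": "grace.w@example.test",
     "ipAddress": "198.51.100.5", "appDisplayName": "Microsoft Azure PowerShell", "resultType": "50126"},
    # noisy single-source brute force against another app: a different shape
    {"createdDateTime": "2025-11-03T12:00:00Z", "userPrincipalName": "bob.k@example.test",
     "ipAddress": "198.51.100.200", "appDisplayName": "Office 365 Exchange Online", "resultType": "50126"},
    {"createdDateTime": "2025-11-03T12:00:05Z", "userPrincipalName": "bob.k@example.test",
     "ipAddress": "198.51.100.200", "appDisplayName": "Office 365 Exchange Online", "resultType": "50126"},
    {"createdDateTime": "2025-11-03T12:00:10Z", "userPrincipalName": "bob.k@example.test",
     "ipAddress": "198.51.100.200", "appDisplayName": "Office 365 Exchange Online", "resultType": "50126"},
]


def _ts(rec):
    """Parse the ISO-8601 'Z' timestamp used in the sample records."""
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def failed_attempts(records, app_name):
    """Failed sign-ins for one application, oldest first."""
    return sorted(
        (r for r in records
         if r["appDisplayName"] == app_name and r["resultType"] != "0"),
        key=_ts,
    )


def window_profile(events):
    """Summarise a batch of failed sign-ins: breadth of users and IPs, and how
    hard the busiest IP worked.  Stuffing through residential proxies shows
    many users, many IPs and a small attempts-per-IP maximum."""
    users = {e["userPrincipalName"].lower() for e in events}
    per_ip = Counter(e["ipAddress"] for e in events)
    return {
        "attempts": len(events),
        "distinct_users": len(users),
        "distinct_ips": len(per_ip),
        "max_attempts_per_ip": max(per_ip.values(), default=0),
        "result_codes": dict(Counter(e["resultType"] for e in events)),
    }


def hunt_low_volume_stuffing(records, app_name="Microsoft Azure PowerShell",
                             window=timedelta(hours=24), min_users=5,
                             min_ips=4, max_per_ip=2):
    """Slide a time window over failed sign-ins to one app and return an alert
    for each non-overlapping window that matches the distributed, low-volume
    shape.  The thresholds are tuning assumptions, not published detections."""
    events = failed_attempts(records, app_name)
    alerts = []
    i = j = 0
    while i < len(events):
        first = events[i]
        # j is the first event that falls outside the window opened by events[i];
        # it only ever moves forward because events are sorted.
        while j < len(events) and _ts(events[j]) - _ts(first) <= window:
            j += 1
        profile = window_profile(events[i:j])
        if (profile["distinct_users"] >= min_users
                and profile["distinct_ips"] >= min_ips
                and profile["max_attempts_per_ip"] <= max_per_ip):
            profile.update(app=app_name,
                           window_start=first["createdDateTime"],
                           window_end=events[j - 1]["createdDateTime"])
            alerts.append(profile)
            i = j  # skip past the reported window instead of re-alerting on overlaps
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in hunt_low_volume_stuffing(SAMPLE_SIGNINS):
        print(json.dumps(alert, indent=2))
```

Tuning note: lowering `max_per_ip` to 1 still fires on the sample, because the window simply slides past the one IP that was reused; the result-code breakdown in the alert is the part worth reading first, since attempts that fail with an MFA-required code rather than a bad-password code indicate the password itself was valid.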
The purpose of this presentation is to disclose details of our ongoing investigation that pivoted from cloud-based authentication abuse to compromised embedded devices, uncovering multiple botnet components and distinct actor activity on real-world customer-owned hardware.
We identified a shared embedded-device ecosystem in which at least two independent actors operated in parallel: one aligned with previously documented Quad7 activity, and another leveraging compromised devices as residential proxy and ORB infrastructure. This overlap illustrates how mass-compromised network devices blur traditional distinctions between state-aligned operations and eCrime-driven proxy ecosystems.
At the time of writing, we are not aware of any prior public disclosure of these findings.

Main conference
Amphitheater