2026-04-17, Amphitheater
In November 2025, our Threat Hunting team identified a low-volume credential stuffing campaign targeting authentication attempts associated with the Microsoft Azure PowerShell application in Entra ID. While these attempts were largely unsuccessful due to enforced MFA, the request patterns strongly resembled activity previously associated with the Quad7 botnet.
The purpose of this presentation is to disclose details of our ongoing investigation that pivoted from cloud-based authentication abuse to compromised embedded devices, uncovering multiple botnet components and distinct actor activity on real-world customer-owned hardware.
We identified a shared embedded-device ecosystem in which at least two independent actors operated in parallel: one aligned with previously documented Quad7 activity, and another leveraging compromised devices as residential proxy and ORB infrastructure. This overlap illustrates how mass-compromised network devices blur traditional distinctions between state-aligned operations and eCrime-driven proxy ecosystems.
At the time of writing, we are not aware of any prior public disclosure of these findings.
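The hunting signal described in the abstract, a low-volume credential stuffing pattern against the Microsoft Azure PowerShell application where MFA stops most of the attempts, can be expressed as a simple query over Entra ID sign-in events. The following Python is an added illustration and is not code from the speakers or from Deutsche Telekom Security. It assumes flattened sign-in records with the fields `ipAddress`, `userPrincipalName`, `appId` and `errorCode`; the sample events are constructed, the Azure PowerShell application id and the error codes 50126 (bad password) and 50076/50074 (MFA required) are the documented Microsoft values, and the second application id is a placeholder.

```python
from collections import defaultdict

# Well-known Entra ID application id of the first-party "Microsoft Azure PowerShell" app.
AZURE_POWERSHELL_APP_ID = "1950a258-227b-4e31-a9cf-717495945fc2"
# Placeholder for any other application, used only to show that such events are ignored.
OTHER_APP_ID = "PLACEHOLDER-OTHER-APP-ID"

# Entra sign-in error codes used below (documented Microsoft values):
#   50126 -> invalid username or password, the credential was rejected
#   50076 / 50074 -> password accepted, but the sign-in was blocked pending MFA
BAD_PASSWORD_CODE = 50126
MFA_CHALLENGE_CODES = {50076, 50074}


def _ev(ip, user, code, app_id=AZURE_POWERSHELL_APP_ID):
    """Build one flattened sign-in record (constructed test data, not a real log)."""
    return {"ipAddress": ip, "userPrincipalName": user, "appId": app_id, "errorCode": code}


# Constructed sample events: one IP trying six accounts once each (stuffing pattern),
# one IP hammering a single account (brute force, a different pattern), and one
# benign user signing in to an unrelated application.
SAMPLE_SIGNINS = [
    _ev("203.0.113.10", "a.adams@example.com", 50126),
    _ev("203.0.113.10", "b.baker@example.com", 50126),
    _ev("203.0.113.10", "c.clark@example.com", 50076),
    _ev("203.0.113.10", "d.davis@example.com", 50126),
    _ev("203.0.113.10", "e.evans@example.com", 50076),
    _ev("203.0.113.10", "f.frank@example.com", 50126),
] + [_ev("198.51.100.7", "g.green@example.com", 50126) for _ in range(8)] + [
    _ev("192.0.2.5", "h.hill@example.com", 0, app_id=OTHER_APP_ID),
    _ev("192.0.2.5", "h.hill@example.com", 0, app_id=OTHER_APP_ID),
]


def detect_credential_stuffing(events, min_distinct_users=5, max_tries_per_user=2):
    """Return one finding per source IP whose attempts against the Azure PowerShell
    application look like credential stuffing: many distinct accounts, few tries each.

    Accounts whose password was accepted but blocked by MFA are listed separately,
    because those credentials are known to the attacker and should be rotated.
    """
    per_ip = defaultdict(lambda: defaultdict(list))  # ip -> user -> [errorCode, ...]
    for ev in events:
        if ev["appId"] != AZURE_POWERSHELL_APP_ID:
            continue
        per_ip[ev["ipAddress"]][ev["userPrincipalName"]].append(ev["errorCode"])

    findings = []
    for ip, users in per_ip.items():
        if len(users) < min_distinct_users:
            continue
        if max(len(codes) for codes in users.values()) > max_tries_per_user:
            # Repeated tries on the same account is brute force, not a stuffing list.
            continue
        mfa_blocked = sorted(u for u, codes in users.items()
                             if any(c in MFA_CHALLENGE_CODES for c in codes))
        succeeded = sorted(u for u, codes in users.items() if 0 in codes)
        findings.append({
            "ip": ip,
            "distinct_users": len(users),
            "attempts": sum(len(codes) for codes in users.values()),
            "mfa_blocked_users": mfa_blocked,  # valid password, stopped by MFA: rotate
            "succeeded_users": succeeded,      # no MFA in the way: treat as an incident
        })

    # Most urgent first: confirmed successes, then MFA-blocked valid passwords, then breadth.
    findings.sort(key=lambda f: (len(f["succeeded_users"]),
                                 len(f["mfa_blocked_users"]),
                                 f["distinct_users"]), reverse=True)
    return findings


if __name__ == "__main__":
    for finding in detect_credential_stuffing(SAMPLE_SIGNINS):
        print(finding)
```

The thresholds are deliberately low because the campaign in the abstract was low volume; in production the same grouping would run over a sliding time window and the `mfa_blocked_users` list is the one worth paging on, since it names accounts whose passwords have leaked even though no session was obtained.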
Fabian is a Threat Intelligence Analyst at Deutsche Telekom Security with a focus on Cybercrime. He has multiple years of experience in tracking threat actors, malware analysis, threat hunting and similar activities. He has spoken at multiple international Cybersecurity conferences and has a strong background in computer networks and IT security research due to his former role as a researcher at the University of Bonn. He enjoys exchanging ideas with other analysts and is constantly striving to expand his network in order to better respond to cyber threats.
I have been working for several years as a Senior Analyst in the Cyber Threat Intelligence (CTI) department at Deutsche Telekom Security. In this role I am deeply involved in analyzing attack methods and profiling threat actors. A particular focus of my work is the investigation of botnet structures—especially those associated with so-called residential proxies, VPN providers, and ORB networks.