Security researchers from the company Team Wales identified a noticeable expansion of activity botnet “7777”, first spotted in October 2023 and named after the use of TCP port 7777 on infected routers. Recent studies have shown that the botnet has significantly increased its activities despite ongoing containment efforts, raising concerns among experts.
The “7777” botnet was initially observed engaging in malicious activity targeting Microsoft Azure cloud services, which were characterized by a low volume of attacks, making them difficult to detect. At that time, the botnet numbered about 10,000 nodes, but by August 2024 the number of active devices had decreased to 7 thousand.
Recent evidence suggests that the botnet has expanded with new infrastructure, using open port 63256 on infected routers Asus. This expansion allowed the botnet to reach almost 13 thousand active devices, which, according to experts, is only part of a vast malicious network.
The researchers also discovered seven IP addresses associated with botnet control. Four of them have been previously mentioned in other studies, and three new IP addresses require additional analysis. These IP addresses are used to manage infected devices and may be associated with cyber attacks on Microsoft 365 services.
A significant portion of infected devices are routers TP-Link and cameras Hikvision, which is consistent with previous studies. The new part of the botnet, running on port 63256, primarily targets Asus routers, highlighting the evolution of the attackers’ methods.
Despite measures taken to combat the botnet, it continues to function, retaining a significant number of infected devices. Experts continue to study its infrastructure to better understand the goals of the botnet operators and possible attack vectors.
Experts strongly recommend that users update the firmware of their devices, use strong passwords, and regularly check network activity to prevent possible compromises.