According to open-source publications, the Quad7 botnet is suspected to target different kinds of IOTs including IP cameras or NAS devices and SOHO routers, predominantly TP-Link. However, our investigation found that almost all – we cannot be completely certain – compromised assets were in fact TP-Link routers.

The bias in the analysis of compromised assets results from the fact that the operators of the Quad7 botnet try to disable the TP-Link management interface after compromising it by stopping the binary acting as a web server. Therefore, no TP-Link associated interface or banner is present in many results of online scanners such as Shodan or Censys.