First attempts to catch the Quad7 botnet
Based on these initial findings, we decided to monitor a TP-Link WR841N router (firmware: 3.16.9 Build 150320 Rel.57500n) for a few months. According to Censys, this model is the most compromised, and this firmware version is known to be vulnerable to the Quad7 botnet. We provided access to the router from five different IP addresses: three residential IPs in France, one mobile IP in the UK, and one VPS in Bulgaria, the most impacted country.