Identifying victims
As our honeypot didn't yield the expected results, we shifted to a different strategy: identifying some victims in France. Of the eleven IPs observed in 2024, we were able to identify and contact three individuals, requesting their assistance in instrumenting their routers on site and physically recovering the Quad7 botnet related malware.
Why intervene physically rather than simply have a victim ship us their router? The reason is simple: the majority of the file system is read-only (squashfs), and the /tmp/ directory is writable but held in RAM rather than flash. As soon as the router loses power, /tmp/ is wiped and the file system comes back in its pristine state, making it impossible to retrieve the malicious code. Acquisition therefore has to happen while the device is still running.
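The following is an added triage helper, not tooling from the original post or from the Quad7 investigation: given a mount table in /proc/mounts format, it classifies a path by what backs it (RAM, read-only flash, writable flash, or a pseudo filesystem), so that an analyst on a live router can decide what must be copied out before power is cut. It generalizes beyond the squashfs-plus-tmpfs layout described above by also recognizing a writable overlay. SAMPLE_MOUNTS is a constructed table modelled on a typical SOHO router (the jffs2 overlay on /overlay and the device names are hypothetical), not a capture from a victim device.

```shell
#!/bin/sh
# Added example (not from the original post). Classify paths on a live router
# by the filesystem that backs them so the analyst knows what is lost at
# power-off. SAMPLE_MOUNTS is a constructed /proc/mounts table: squashfs root,
# RAM-backed /tmp, and a hypothetical jffs2 overlay. Device names are made up.

SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/root / squashfs ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/mtdblock3 /overlay jffs2 rw,relatime 0 0'

# fs_class FSTYPE OPTS -> volatile | readonly | persistent | pseudo
fs_class() {
    case $1 in
        tmpfs|ramfs) echo volatile; return ;;
        squashfs|cramfs|romfs) echo readonly; return ;;
        proc|sysfs|devpts|debugfs) echo pseudo; return ;;
    esac
    # A normally writable filesystem mounted with "ro" is read-only to us too.
    case ",$2," in
        *,ro,*) echo readonly ;;
        *) echo persistent ;;
    esac
}

# classify_path PATH MOUNTS -> class of the longest mount point covering PATH.
# Later entries win ties, mirroring how /proc/mounts lists stacked mounts
# (here /dev/root squashfs shadows the initial rootfs on /).
# Caveat: mount points containing spaces appear as \040 in /proc/mounts and
# are not decoded here.
classify_path() {
    path=$1
    best_len=0
    best_class=unknown
    while read -r dev mnt fstype opts _; do
        [ -n "$mnt" ] || continue
        if [ "$mnt" = / ]; then
            mlen=1
        else
            case $path in
                "$mnt"|"$mnt"/*) mlen=${#mnt} ;;
                *) continue ;;
            esac
        fi
        if [ "$mlen" -ge "$best_len" ]; then
            best_len=$mlen
            best_class=$(fs_class "$fstype" "$opts")
        fi
    done <<EOF
$2
EOF
    echo "$best_class"
}

# volatile_mounts MOUNTS -> one RAM-backed mount point per line; these are the
# directories to archive (e.g. with tar over the serial console or SSH session)
# while the router is still powered.
volatile_mounts() {
    while read -r dev mnt fstype opts _; do
        [ -n "$mnt" ] || continue
        if [ "$(fs_class "$fstype" "$opts")" = volatile ]; then
            printf '%s\n' "$mnt"
        fi
    done <<EOF
$1
EOF
}

# Demonstration on the constructed table.
for p in /tmp/.t /usr/bin/busybox /overlay/etc/passwd /proc/1/maps; do
    printf '%-22s %s\n' "$p" "$(classify_path "$p" "$SAMPLE_MOUNTS")"
done
printf 'copy out before power-off: %s\n' "$(volatile_mounts "$SAMPLE_MOUNTS")"
```

On a real device, feed it `$(cat /proc/mounts)` instead of SAMPLE_MOUNTS; anything the script reports as volatile has to be collected from the running system, while read-only flash can be imaged afterwards.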