Sekoia.io investigated the mysterious 7777 botnet (aka Quad7 botnet), which compromised TP-Link routers to relay password spraying attacks against Microsoft 365 accounts. The investigation involved intercepting network communications and malware deployed on a compromised router in France. The findings suggest the Quad7 botnet operators leverage these routers for possible long-term business email compromise (BEC) cybercriminal activity rather than an APT threat actor. However, some mysteries remain regarding the exploits used, the geographical distribution, and the attribution of this activity cluster.