Friday, May 23, 2025
HomeCyber Security NewsChinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Published on

SIEM as a Service

Follow Us on Google News

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors to launch highly evasive password spray attacks, successfully stealing credentials from multiple Microsoft customers. 

The stolen credentials are then leveraged by threat actors like Storm-0940 to gain unauthorized access to systems.

Storm-0940 has been an active threat actor since 2021 and primarily targets organizations in North America and Europe, including government, non-profit, and private sector entities. 

- Advertisement - Google News

The group leverages brute-force attacks, exploits, and compromised network services to gain initial access, so Microsoft has notified affected organizations and provided mitigation and detection recommendations. 

It includes identifying and blocking malicious IP addresses, strengthening password policies, and implementing network segmentation.

Organizations can also use security analytics tools to detect suspicious activity associated with Storm-0940.

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

A Chinese threat actor has compromised a large number of TP-Link SOHO routers, forming CovertNetwork-1658. By exploiting a vulnerability, the attacker gained remote access to these devices. 

After the network has been compromised, additional attacks, such as credential harvesting and computer network exploitation, are carried out using the compromised network. 

Steps taken to prepare the router for password spray operations  
Steps taken to prepare the router for password spray operations  

The threat actor leverages a compromised router to establish a covert network, where they first download and execute Telnet and xlogin binaries to gain remote access. 

Subsequently, a SOCKS5 server is deployed on the router, creating a proxy network, which obfuscates the origin of password spray attacks, making it difficult to trace the source of the malicious activity back to the compromised router.

CovertNetwork-1658, a malicious infrastructure, is actively launching low-volume password spray attacks against numerous organizations. It leverages compromised SOHO routers to mask its origin and employs a vast pool of rotating IP addresses to evade detection. 

By limiting sign-in attempts to a single attempt per account per day, CovertNetwork-1658 avoids triggering traditional security alerts, making it challenging to identify and mitigate these stealthy attacks. 

CovertNetwork-1658 count of sign-in attempts per account per day.
CovertNetwork-1658 count of sign-in attempts per account per day.

Security reports exposed CovertNetwork-1658, a botnet used for large-scale password spraying by a Chinese threat actor.

While the original infrastructure usage declined, recent activity suggests the actors acquire new infrastructure with different signatures. 

According to Microsoft, the network historically comprised 8,000 compromised devices, of which 20% actively sprayed passwords, allowing for widespread credential theft across various sectors. 

Observed user agent strings indicate attempts mimicking Windows and Internet Explorer. Storm-0940, leveraging compromised credentials obtained from CovertNetwork-1658, has infiltrated target organizations. 

Once inside, the threat actor has actively scanned networks, dumped credentials, accessed network devices, installed persistence mechanisms like proxy tools and RATs, and exfiltrated sensitive data, demonstrating a coordinated and efficient attack strategy.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats,...

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself...

GenAI Assistant DIANNA Uncovers New Obfuscated Malware

Deep Instinct’s GenAI-powered assistant, DIANNA, has identified a sophisticated new malware strain dubbed BypassERWDirectSyscallShellcodeLoader. This...

Hackers Expose 184 Million User Passwords via Open Directory

A major cybersecurity incident has come to light after researcher Jeremiah Fowler discovered a...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats,...

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself...

GenAI Assistant DIANNA Uncovers New Obfuscated Malware

Deep Instinct’s GenAI-powered assistant, DIANNA, has identified a sophisticated new malware strain dubbed BypassERWDirectSyscallShellcodeLoader. This...