{
	"id": "4758ada0-1ef8-471d-b85a-5e2e675a83d3",
	"created_at": "2026-04-06T00:09:55.558411Z",
	"updated_at": "2026-04-10T03:30:57.386007Z",
	"deleted_at": null,
	"sha1_hash": "2bff4646e24752a9c5b39e9e0d696c6d41d64051",
	"title": "From the Front Lines | 8220 Gang Massively Expands Cloud Botnet to 30,000 Infected Hosts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63104,
	"plain_text": "From the Front Lines | 8220 Gang Massively Expands Cloud\r\nBotnet to 30,000 Infected Hosts\r\nBy Tom Hegel\r\nPublished: 2022-07-18 · Archived: 2026-04-05 12:47:19 UTC\r\nOver the last month a crimeware group best known as 8220 Gang has expanded their botnet to roughly 30,000\r\nhosts globally through the use of Linux and common cloud application vulnerabilities and poorly secured\r\nconfigurations. In a recent campaign, the group was observed making use of a new version of the IRC botnet,\r\nPwnRig cryptocurrency miner, and its generic infection script.\r\n8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and\r\noperating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing\r\ninfection vectors. While the group has operated for years, by mid 2021, the botnet was observed operating with\r\nroughly 2000 hosts globally. This month, we observed new campaigns utilizing long-running sets of\r\ninfrastructure, bringing the botnet numbers up to today’s figure of around 30,000 infected hosts.\r\n8220 Gang, also known as 8220 Mining Group, was first publicly reported by Talos in 2018. The name 8220 Gang\r\ncomes from the group’s original use of port 8220 for C2 network communications. The group has evolved\r\nsomewhat from their original interests and the use of “WhatMiner”, which was forked from another group known\r\nas Rocke. The targeting of Docker, Hadoop, Redis, Drupal, and other services has been a continuing trend since\r\ntheir first discovery. Based on Talos’ discovery of Github repository details and infrastructure, the group is\r\nbelieved to be a Chinese-speaking threat actor.\r\nVictims of 8220 Gang are typically, but not exclusively, users of cloud networks operating vulnerable and\r\nmisconfigured Linux applications and services. Attacks make use of SSH brute forcing post-infection to automate\r\nlocal and global spreading attempts. Victims using cloud infrastructure (AWS, Azure, GCP,  Aliyun, QCloud) are\r\noften infected via publicly accessible hosts running Docker, Confluence, Apache WebLogic, and Redis. Victims\r\nare not targeted geographically, but simply identified by their internet accessibility. At the time of writing, roughly\r\n30,000 systems globally have been potentially infected with the 8220 Gang botnet.\r\nThe infection script acts as the main code for the botnet to operate. Despite its lack of detection evasion or\r\nobfuscation, the script appears to be highly effective at infecting targets. The core functionality of the script has\r\nbeen widely reported on for a number of years as it has been reused by many amateur cryptocurrency mining\r\ngroups and profit-seeking individuals. For that reason, researchers must be wary of attributing the script in its\r\nentirety to 8220 Gang.\r\nThe script is notoriously ugly and often contains unused or outdated functions, allowing trivial tracking over time.\r\n8220 Gang and other groups who make use of this same infection script can be observed changing it multiple\r\ntimes a month. In late June 2022, the group began making use of a separate file they call “Spirit” to manage some\r\nof the SSH brute forcing functionality outside of the script. Spirit contains a list of approximately 450 hardcoded\r\nhttps://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/\r\nPage 1 of 6\n\ncredentials for SSH brute forcing. The list includes combinations of the root username, and default Linux device\r\nand application passwords.\r\nAnother evolution example is the use of block lists. 8220 Gang and others make use of block lists in the infection\r\nscript to avoid infecting specific hosts, such as researcher honeypots, which may place their illicit efforts at risk.\r\nThe method of implementing the block list has shifted from direct IPs listed in the script to a list in an\r\nadditionally-downloaded file. The method of calling the list in the script varies across implementations.\r\nWhat we can conclude is that the trivial design of the script allows for simple attacker experimentation, and it\r\nshould not surprise researchers when specific functionality is added or reorganized.\r\nPwnRig is a custom version of the open source XMRig miner that gained its name based on strings the author\r\nused in its early versions. More recent versions of PwnRig continue to make use of the same author name, while\r\nsome functionality of the miner has been updated.\r\nOne of the notable features of PwnRig is the fake pool request for government domains. Early 2021 versions made\r\nuse of fbi.gov ; however, the latest version uses fbi.gov.br and 161.148.164.31 . While the FBI subdomain\r\nis not real, the IP address is the active IP hosting the gov.br domain – the true Brazil federal government\r\ndomain.\r\nOver the past few years 8220 Gang has slowly evolved their simple, yet effective, Linux infection scripts to\r\nexpand a botnet and illicit cryptocurrency miner. From our observations the group has made changes over the\r\nrecent weeks to expand the botnet to nearly 30,000 victims globally. PwnRig, the IRC Botnet, and generic\r\ninfection script are all incredibly simple and used opportunistically in the groups targeting.\r\nIndicator Description 165f188b915b270d17f0c8b5614e8b289d2a36e2 Infection script, downloaded filename\r\n“jira”, locally found as “.lock” (Recent) onlypirate[.]top, jira.onlypirate[.]top, pwn.onlypirate[.]top Actor\r\ncontrolled C2/Download Domain letmaker[.]top, jira.letmaker[.]top, pwn.letmaker[.]top Actor controlled\r\nC2/Download Domain oracleservice[.]top, a.oracleservice[.]top, b.oracleservice[.]top, pwn.oracleservice[.]top\r\nActor controlled C2/Download Domain pwndns[.]pw IRC Botnet / Tooling Domain givemexyz[.]in Actor\r\ncontrolled C2/Download Domain givemexyz[.]xyz Actor controlled C2/Download Domain bashgo[.]pw IRC\r\nBotnet / Tooling Domain 51.255.171[.]23 IRC Botnet Server (Shared Infrastructure) 159.203.103[.]62 IRC Botnet\r\nServer (Shared Infrastructure) a018d55214cf51f951dc5758fa818a45323db8d8 8220 Gang Associated Script\r\n4180c193f366021f1c10890a5bcd2d3ecef47fa7 8220 Gang Associated Script\r\nb400d9ebf27355d600b23d6b397832b1f427ff97 8220 Gang Associated Script\r\n90b5a2cbc29f797bbe6c992f8d993ab337f1db89 8220 Gang Associated Script\r\ne00a617be872d373f066962eb9d231482d0c7650 8220 Gang Associated Script\r\n6f0c6c2625355b8da466127c6217f89132e13fdf 8220 Gang Associated Script\r\n6148cd5d3193863f395c1a9675cbf20f47bb7f6e 8220 Gang Associated Script\r\n7021e82e50b858c489659e1bd80f19049006c5f0 8220 Gang Associated Script\r\nca76533d3614024046b3cf2b2b166d22327bb859 8220 Gang Associated Script\r\n09beb8d4bf01af519fc83a78adf5abf69594c080 8220 Gang Associated Script\r\n61ac24e100dd0d3408f07b1f9e0ed7ca2e5d8db6 8220 Gang Associated Script\r\n9229b3a232949df16772595f3fc2bb9ca14b3f86 8220 Gang Associated Script\r\nhttps://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/\r\nPage 2 of 6\n\n9b5a448d335c20f23bed7ebcb983e1ea67fc7421 8220 Gang Associated Script\r\n641b8d2ed9ed47ce90ec30f887a82cfef9db64af 8220 Gang Associated Script\r\n26ed095c7102776ed4431e994252e97e9554d0e5 8220 Gang Associated Script\r\n8e34816e82a189cf607187154eebee2089d75a18 8220 Gang Associated Script\r\nc1fb3acdfd0627eedfc061e47fc0f5600254dc5b 8220 Gang Associated Script\r\nbd8966ce091589c2b78f940bf955d0c8a4b99241 8220 Gang Associated Script\r\n8c3beeb51860c8869a893f090756fa0dfdf691e3 8220 Gang Associated Script\r\nda486a6ff50476c185c5118b1a8a32a5c3023d14 8220 Gang Associated Script\r\n6ad4f21c5ac559b360ded60fb8308463552c47de 8220 Gang Associated Script\r\n8953a9a896f90c6a1f3c8f54fd010b50920c0a6e 8220 Gang Associated Script\r\n155b178be265fecc1d052e43a6ae13e581441d6f 8220 Gang Associated Script\r\n8bb3c9c4036f25244a21e79723086fcec70aec77 8220 Gang Associated Script\r\n34b747135ebb0a6a0af18ba28bf6d62359b261e0 8220 Gang Associated Script\r\n09778a0a7af741b85bb7d022725bf25b468bba15 8220 Gang Associated Script\r\nac29e4a8aec19dd115a55f0adf45d8293566767a 8220 Gang Associated Script\r\n5c53e4c53b83885e9ded6fd41ac215015539e89c 8220 Gang Associated Script\r\nb305287aa72a74df432daf1a5b7c80c64c08dea4 8220 Gang Associated Script\r\n79bf00fd518847886c69da3dca068c5ac2bacb80 8220 Gang Associated Script\r\n5070e48e224627b16cf536356de89387c3c886e1 8220 Gang Associated Script\r\n757e3f0517051272be6cc810536fd130d823ad2a 8220 Gang Associated Script\r\na830eb4cd77e92ee9516357cc47a5243d96fc683 8220 Gang Associated Script\r\n4fb5b84f29d0b4ecaded0438fc9f7faca2003459 8220 Gang Associated Script\r\n9298221acadac9b12dac4057d123ad0c05b26c22 8220 Gang Associated Script\r\n0d780ecea75bf4cc405a777e40da46a49003cb84 8220 Gang Associated Script\r\n99532847dee9466cbdfdb02db45a4657e45e8c34 8220 Gang Associated Script\r\ncc9c21e5091a9e6b8d772090b7a68fa521772835 8220 Gang Associated Script\r\nf5950d7ce28590a42a9c837dd019c04404340223 8220 Gang Associated Script\r\n398e7149f547ec9a3181d1d033a71fdfb52a7a0d 8220 Gang Associated Script\r\n1a4cc79937adcce2f2a1c59e8a3ff8d7b75eb843 8220 Gang Associated Script\r\n7bdd4ffa86c069f945ed8d5d9e0089f7536f112b 8220 Gang Associated Script\r\nc9dfb589ebe9e7daf9fd00040d29bdb0ff20a8ed 8220 Gang Associated Script\r\n3fc7734dc537c33398e885630e03d6cea08dcaf1 8220 Gang Associated Script\r\n07756ac7497f4011ce280e5f7d1d1c21ed973cd6 8220 Gang Associated Script\r\n554677bff4a29bb286ab9d840ac7565d330a26db 8220 Gang Associated Script\r\nb394f1c580abaac90980a868d6e6638d014b2dac 8220 Gang Associated Script\r\n4f28f566f48580efce59908884906469063aec11 8220 Gang Associated Script\r\n4ce0f5d71ab977ed2501e1559198684113dab48e 8220 Gang Associated Script\r\n8f881f9f8f4754bb2949c7d825dee6035fd84d89 8220 Gang Associated Script\r\nb8347f76903d25ea62d5b65797e8fea8b18a55f1 8220 Gang Associated Script\r\n5cae484e9827067350bfdb5c835fad4db0fae7d8 8220 Gang Associated Script\r\n798fbb973b7e06465779c48357e500e552a9d4eb 8220 Gang Associated Script\r\nb8f405f77700f703fc0cd4130bac153d3515d0f4 8220 Gang Associated Script\r\nhttps://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/\r\nPage 3 of 6\n\n9b93a71776480fc36b87329311772b58598bc47d 8220 Gang Associated Script\r\nf7e4484a32a1c43f0978b0b9a779fa291d3917a0 8220 Gang Associated Script\r\n51c829033a92963aa930e53d2b64cf61670d36fc 8220 Gang Associated Script\r\nc31f32bb412dfc6be0c833dbcd0965a0a69b2187 8220 Gang Associated Script\r\ndbf72af6d1e58aadba6ca0c54e31b276605e0143 8220 Gang Associated Script\r\n6a6974167f0bb7f327c8e2ae3e773d74f379bcc7 8220 Gang Associated Script\r\n48a94f6bd7c58f412d6c546ee296def3a8c26db6 8220 Gang Associated Script\r\n651fdbfedbc31959b4cfbe83f01da659baec84e4 8220 Gang Associated Script\r\n538390a7aa6e6678330b2bd775a3d9931fd177b4 8220 Gang Associated Script\r\n094a989148421b455feb4a23460d7c833a44934b 8220 Gang Associated Script\r\nb00d3376dbd8d9524cbab3ad52378b597d6b6c75 8220 Gang Associated Script\r\n5cf3c2c35b26811806e421a2921ff0c2fb9f25d9 8220 Gang Associated Script\r\n8d02d66a4ad12b5531465842124dc50e84b1db39 8220 Gang Associated Script\r\n8dbddb5b0ef004b4608c4236d75c784a19e72e6c 8220 Gang Associated Script\r\nada2299756eb154b534943c31ffc46474b894dd2 8220 Gang Associated Script\r\na4b18e8d24a3c5cbbb1a544ba109ab49dce4ac06 8220 Gang Associated Script\r\n0ad5316a897d4d724cb32690675941b60156a463 8220 Gang Associated Script\r\n3a5eb4338c7d87e3dfa1ce4dea9e4c5904401f40 8220 Gang Associated Script\r\n235b8373841e9b8bcee9517c5f2b7b8192975a53 8220 Gang Associated Script\r\n01665c6da2a9711c1b091c50bab2272782664226 8220 Gang Associated Script\r\n0f4eaf87aee6275c60c10b7bbf205f4968b5571b 8220 Gang Associated Script\r\n9c34c1f55ec052ec4582b8476aa1299fc5264b42 8220 Gang Associated Script\r\n4bd8130ea41d3b796e507f46ff0d04db8bdb326a 8220 Gang Associated Script\r\n19958aba7665bfbe7a18e555515c8b3dd0b24fbd 8220 Gang Associated Script\r\naba592e4f58cb18094ed6423e4777a9f2956b6ba 8220 Gang Associated Script\r\nc9b79d50d3588982c1a92b5533f55fe2d8a60657 8220 Gang Associated Script\r\n52445f3e47ff90bbf6d8b46687af6ccfb8452831 8220 Gang Associated Script\r\ncaf1e814fba4d9889fa63e8e2fb7de3fc6b006aa 8220 Gang Associated Script\r\n39eb1591ac1952cf32752abcc626da703ecb006c 8220 Gang Associated Script\r\n63eae994b4fa5fe49e26bd00222dcf8de6e13dc5 8220 Gang Associated Script\r\nbbbccc185f9c545fc56042baf13db5f52b17a27c 8220 Gang Associated Script\r\nc89e70626815f2e632602046c83939fd8d5a5288 8220 Gang Associated Script\r\n3e4c51160c74c48ee3fb02c1df21448559a51d82 8220 Gang Associated Script\r\n4e147eeca85185dc8313770709279d31b43c7df0 8220 Gang Associated Script\r\n2bd28b494f468a6416e297f7b4ead42a429a4683 8220 Gang Associated Script\r\n62c9f4b9bfb86c201a54ee7ccb8ca0a01fa39517 8220 Gang Associated Script\r\n3b1cd146b31f3b615152456c17498669547fdca5 8220 Gang Associated Script\r\nfdc02e772b6e17f01c8cf33dd028184a5775a0bd 8220 Gang Associated Script\r\n636d5c40108aa635feaaf2c15ddae103d746e51a 8220 Gang Associated Script\r\n68696b704f9a6b0240316ff67984057b3f040f24 8220 Gang Associated Script\r\nde5ea4db77f15855fea8893e4e188ccc2c85547b 8220 Gang Associated Script\r\n34044407ff14930ae648d0167fac0e1476380ab9 8220 Gang Associated Script\r\nhttps://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/\r\nPage 4 of 6\n\na06c673ada72e8ec7214e1464b711112bbd9bcfa 8220 Gang Associated Script\r\nde3b342dfb419d7903378ea55b8179d98ec010d7 8220 Gang Associated Script\r\nc4851ff2ab8334918247494fb2aeec42c9c6226d 8220 Gang Associated Script\r\nc57f3f8a4fc0d962a84887b3540788808a48519e 8220 Gang Associated Script\r\nce5413cc02fe84663136ecde86ba063d77077aa1 8220 Gang Associated Script\r\nd5a3c26e5986ba9a24549abc4c96d17eaaef0659 8220 Gang Associated Script\r\n3d8ea93c61029e266c529e1ec1f7fd1c714bd0bb 8220 Gang Associated Script\r\nf3d132802e10b56551ed59c817cff04680e92411 8220 Gang Associated Script\r\nacff0bc1b75127ef7502e23f46cf9acc3878766a 8220 Gang Associated Script\r\n5e81f54164e44bd5ef8a3d97b7deb322fe88d8d7 8220 Gang Associated Script\r\n9b3d75d00b2021e73bb9138501c3cda5eeaead03 8220 Gang Associated Script\r\n08fab9009dcac6e5a9fa265a5f1e1c015f33f21a 8220 Gang Associated Script\r\n3f27ec4f8d4b1df58b41c9e3be8f444596e0a921 8220 Gang Associated Script\r\n445913e819d166ca72e7d1c7b250b398cf3c0deb 8220 Gang Associated Script\r\n8487ecfbaa456787afbdde178b7e2e140970a38e 8220 Gang Associated Script\r\nf5ac085147a9e4da35838ea97da7d89de51f9715 8220 Gang Associated Script\r\n8c7c2a7f1872428b5a1e00431ba97f5f5211aab5 8220 Gang Associated Script\r\n575f9441effcb0688d564733e4cc58743d565a6c 8220 Gang Associated Script\r\n76ecb74747254b857b0822514e53d0b5f7a81d1c 8220 Gang Associated Script\r\n9fba0735cf24a06142d9485d22a17b022b3ea725 8220 Gang Associated Script\r\ned5af8e2ab526991d583631e517cd613ebdc1b41 8220 Gang Associated Script\r\n2ddcdddfe05bbc40477e7dfb071d8e4b3eaa0cd7 8220 Gang Associated Script\r\nd61e00bce386a03aaa0efde9ade31e23bb2795f0 8220 Gang Associated Script\r\n9e3194736c344b909addad65f6e69a627adba599 8220 Gang Associated Script\r\n5dc23d673198a13e27e543927a4abd79770ccdaa 8220 Gang Associated Script\r\n7fa2baab95c40550164e5bfd4c4057e82a4b41ce 8220 Gang Associated Script\r\n55d640f245dcc7a43e4535f89993da272ae10479 8220 Gang Associated Script\r\n80c35fc7eb4738878dcd2c9e8fa6e95799278dd8 8220 Gang Associated Script\r\ne601833f18a35b2308504521532c284cf53a95da 8220 Gang Associated Script\r\nf712066871d6bede64a95a7636795e70fb3f8ac9 8220 Gang Associated Script\r\ne82970f8c693f636104690476f66b37c49949c18 8220 Gang Associated Script\r\n7cdd222e2b4ec9896c53f24381efc6a02c6d1932 8220 Gang Associated Script\r\na0a0e2201501a20b77f5194f41b85416dd4ddcb0 8220 Gang Associated Script\r\nac3268c067851e7b74d9fc334d2134bfd0037a8e 8220 Gang Associated Script\r\n5d6a8c0437bdf30079188283b0e60d063e649f27 8220 Gang Associated Script\r\n58ff71135673fad731ae07bb510a46e7184f0b1f 8220 Gang Associated Script\r\nddde688f6afdff65de7019cefd7c3b08604a0bc3 8220 Gang Associated Script\r\n800c962a8d57669cd27d68b4205a997c2d86b7c6 8220 Gang Associated Script\r\n44eb23838bcacfcb094f6f9f1a0f8bc27e807e4f 8220 Gang Associated Script\r\n90263a77a622a5464ff2c9470b9c40aa324e471d 8220 Gang Associated Script\r\nba6528c2c49337868dda95ca82f877c4e72f64ec 8220 Gang Associated Script\r\n45b5c636223fe224d065f856fbb30596cb14b37f 8220 Gang Associated Script\r\nhttps://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/\r\nPage 5 of 6\n\n78f5d9412655e94284b55292370f2387ebbf52fc 8220 Gang Associated Script\r\ne6e29b66c3b0a1a051d001eec24f64b8fa4da184 8220 Gang Associated Script\r\n5e2a6277c7e526734ce1cec573c829fe5c9adfd0 8220 Gang Associated Script\r\naafb88c74d5fce9ffc7632c00330e94d6f80b853 8220 Gang Associated Script\r\n490e4bc10302b43aa00c510e457026e8546a91fc 8220 Gang Associated Script\r\n87ed8ddca4a5d3f1d7267941ce1d817c0c5a7795 8220 Gang Associated Script\r\nSource: https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/\r\nhttps://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/\r\nPage 6 of 6\n\nhttps://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/  \n78f5d9412655e94284b55292370f2387ebbf52fc 8220 Gang Associated Script\ne6e29b66c3b0a1a051d001eec24f64b8fa4da184 8220 Gang Associated Script\n5e2a6277c7e526734ce1cec573c829fe5c9adfd0 8220 Gang Associated Script\naafb88c74d5fce9ffc7632c00330e94d6f80b853 8220 Gang Associated Script\n490e4bc10302b43aa00c510e457026e8546a91fc 8220 Gang Associated Script\n87ed8ddca4a5d3f1d7267941ce1d817c0c5a7795 8220 Gang Associated Script\nSource: https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/  \n Page 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/"
	],
	"report_names": [
		"from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts"
	],
	"threat_actors": [
		{
			"id": "7c053836-8f50-4d40-bc5c-7088967e1b57",
			"created_at": "2022-10-25T16:07:24.549525Z",
			"updated_at": "2026-04-10T02:00:05.03048Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra",
				"G0106",
				"Iron Group",
				"Rocke"
			],
			"source_name": "ETDA:Rocke",
			"tools": [
				"Godlua",
				"Kerberods",
				"LSD",
				"Pro-Ocean",
				"Xbash"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0b8ea9bb-b729-438a-ae1f-4240db936fd7",
			"created_at": "2023-06-23T02:04:34.839947Z",
			"updated_at": "2026-04-10T02:00:04.99239Z",
			"deleted_at": null,
			"main_name": "8220 Gang",
			"aliases": [
				"8220 Mining Group",
				"Returned Libra",
				"Water Sigbin"
			],
			"source_name": "ETDA:8220 Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "905eabd9-2b7f-483d-86bd-0c72f96b4162",
			"created_at": "2023-01-06T13:46:39.02749Z",
			"updated_at": "2026-04-10T02:00:03.185957Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra"
			],
			"source_name": "MISPGALAXY:Rocke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "942c5fbc-31df-4aef-8268-e3ccf6692ec8",
			"created_at": "2024-07-09T02:00:04.434476Z",
			"updated_at": "2026-04-10T02:00:03.671196Z",
			"deleted_at": null,
			"main_name": "Water Sigbin",
			"aliases": [
				"8220 Gang"
			],
			"source_name": "MISPGALAXY:Water Sigbin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f",
			"created_at": "2022-10-25T15:50:23.360509Z",
			"updated_at": "2026-04-10T02:00:05.337702Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Rocke"
			],
			"source_name": "MITRE:Rocke",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7618565f-b8b8-4e33-b25e-3e89fdc444dd",
			"created_at": "2023-01-06T13:46:39.434955Z",
			"updated_at": "2026-04-10T02:00:03.326016Z",
			"deleted_at": null,
			"main_name": "Returned Libra",
			"aliases": [
				"8220 Mining Group"
			],
			"source_name": "MISPGALAXY:Returned Libra",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434195,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2bff4646e24752a9c5b39e9e0d696c6d41d64051.pdf",
		"text": "https://archive.orkl.eu/2bff4646e24752a9c5b39e9e0d696c6d41d64051.txt",
		"img": "https://archive.orkl.eu/2bff4646e24752a9c5b39e9e0d696c6d41d64051.jpg"
	}
}