{
	"id": "af2b46a7-054c-41b9-902c-72ca239bc5a9",
	"created_at": "2026-04-06T00:07:41.85304Z",
	"updated_at": "2026-04-10T03:28:21.008699Z",
	"deleted_at": null,
	"sha1_hash": "39e418238499c6a961d7b1223aa2f76f93f5cfe2",
	"title": "8220 Gang Cloud Botnet Targets Misconfigured Cloud Workloads",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1391487,
	"plain_text": "8220 Gang Cloud Botnet Targets Misconfigured Cloud Workloads\r\nBy Tom Hegel\r\nPublished: 2022-10-13 · Archived: 2026-04-05 19:41:53 UTC\r\nIn July of 2022 we reported on 8220 Gang, one of the many low-skill crimeware gangs we observe infecting cloud hosts through known vulnerabilities and remote-access brute forcing. We noted that 8220 Gang had expanded its cloud service botnet to an estimated 30,000 hosts globally.\r\nIn recent weeks, the group has rotated its attack infrastructure and continued to absorb compromised hosts into its botnet and to distribute cryptocurrency mining malware.\r\nMisconfiguration Key to Infection Attempts\r\nExploit attempts from 8220 Gang continue at a pace consistent with our previous reporting. The majority of active victims are still operating outdated or misconfigured versions of Docker, Apache, WebLogic, and various Log4j-vulnerable services.\r\n8220 Gang identifies targets by scanning the public internet for misconfigured or vulnerable hosts. Victims are typically running on cloud infrastructure such as AWS, Azure, and similar providers, with misconfigured instances that allow remote attackers to gain access. Publicly accessible hosts running Docker, Confluence, Apache, WebLogic, and Redis can easily be discovered and attacked with little technical know-how. 8220 Gang is known to use SSH brute-force attacks post-infection for lateral movement inside a compromised network.\r\nThe top victims recently communicating as miner bots are exposed Ubiquiti UniFi Cloud Keys running outdated Network Controller software, and Prometheus container monitoring systems. 
The vulnerabilities exploited are usually far from fresh. CVE-2019-2725, an Oracle WebLogic vulnerability, for example, is still being exploited to download the installer script (e.g., 871f38fd4299b4d94731745d8b33ae303dcb9eaa). The objective of the infection attempts continues to be growing the botnet and expanding cryptocurrency mining across compromised hosts when possible.\r\nhttps://www.sentinelone.com/blog/8220-gang-cloud-botnet-targets-misconfigured-cloud-workloads/\r\nPage 1 of 5\n\n8220 Gang Leverages PureCrypter\r\nWe have observed 8220 Gang using the PureCrypter Malware-as-a-Service (MaaS). PureCrypter is a loader service available at low cost since 2021 and has been observed distributing a large variety of commodity malware.\r\nWindows systems targeted by 8220 Gang have been served the PureCrypter downloader through the group’s traditional C2 infrastructure, most commonly 89.34.27[.]167. The downloader then beacons back, following the injector’s image-extension URLs. The use of Discord URLs can also be observed for the download of illicit miners.\r\nOne clear example is the sample ee6787636ea66f0ecea9fa2a88f800da806c3ea6, delivered post-compromise. This loader beacons to Discord:\r\nhttps://cdn.discordapp[.]com/attachments/994652587494232125/1004395450058678432/miner_Nyrpcmbw[.]png\r\nand downloads 833cbeb0e748860f41b4f0192502b817a09eff6a, which ultimately begins cryptomining on the victim host.\r\nIt is unsurprising to discover 8220 Gang experimenting with new loaders and miners alongside its traditional exploitation attempts against publicly exposed services. As the threat landscape evolves, we can expect threat actors to seek new methods to thwart defenses, hide their campaigns, and generally attempt to increase attack success. 
This is simply a new iteration of 8220 Gang attempting to do so.\r\nShifting Infrastructure\r\nSince July, 8220 Gang shifted to using 89.34.27[.]167, and then in early September 2022 rotated its infrastructure to 79.110.62[.]23, primarily relying on two previously reported domains, letmaker[.]top and oracleservice[.]top.\r\n8220 Gang also makes use of a miner proxy at 51.79.175[.]139. Hosts infected with illicit miners communicate with the proxy, which acts as a pool to combine resources and to avoid analysis of the group’s cumulative mining metrics.\r\nVisual Context of 8220 Gang Infrastructure Roles\r\nThriving Abuse of Amateur Tooling\r\nAs we’ve reported in the past, the scripts, miners, and infrastructure surrounding the campaigns of 8220 Gang stem from the general reuse of known tools. “Script kiddies” may be a more industry-appropriate name. Analysis of the tools and vulnerabilities at a high level reveals a much wider set of illicit activity.\r\nFor example, through GreyNoise data we can see how common CVE-2019-2725 crawlers have been over the last 30 days. 8220 Gang and other attackers scan for and exploit similar n-day vulnerabilities with success. One theory is that these attackers seek out easy-to-compromise systems like these because they are unlikely to be remediated quickly, since their owners are not even following common patching practices. These attackers are operating with success, regardless of the state of vulnerability management. 
Such attacks could be considered the bottom feeders of targeting.\r\nGreyNoise Trend of CVE-2019-2725 Crawlers\r\nThe loader script is also incredibly common to observe on publicly accessible hosts and honeypots running common cloud services. The script has evolved greatly even within a single year, with many variants, and it is no longer useful to track it under a single name (e.g., Carbine Loader). For example, searching VirusTotal for shell scripts containing the go-to uninstall commands for common cloud security tools, plus unique variable names, leads to hundreds of recent results. 8220 Gang is only one of many actors abusing the same scripts to keep their botnets alive.\r\nConclusion\r\n8220 Gang continues its botnet proliferation efforts, rotating to new infrastructure. The group continues to make use of the same mining proxy server, and defenders should investigate any continual traffic to that destination. Additionally, through its experimentation with the PureCrypter MaaS, the group has clearly attempted to evolve its attack efforts. 
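The following is an added example and not code from the SentinelOne post: a small Python script that matches the communications indicators listed in this report (below) against network flow and DNS logs, and flags hosts with repeated connections to the mining proxies, which is the continual traffic the conclusion tells defenders to investigate. The log record formats and the sample records are constructed for the example; the one-hour window and three-connection threshold are arbitrary assumptions, not values from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Communications indicators copied from the IoC list in this report, with the
# defanging brackets removed so they compare directly against log fields.
C2_IPS = {'89.34.27.167', '79.110.62.23'}
MINER_PROXY_IPS = {'51.79.175.139', '198.23.214.117'}
IOC_DOMAINS = {
    'work.onlypirate.top',
    'a.oracleservice.top',
    'b.oracleservice.top',
    'pwn.oracleservice.top',
    'c4k-ircd.pwndns.pw',
    'jira.letmaker.top',
}

# Constructed sample logs (not from the report). Flow records are
# '<UTC timestamp> <src ip> <dst ip>'; DNS records are
# '<UTC timestamp> <client ip> <queried name>'. 203.0.113.10 is a
# documentation address standing in for benign traffic.
SAMPLE_FLOWS = '''
2022-10-12T08:00:01Z 10.0.2.15 51.79.175.139
2022-10-12T08:05:02Z 10.0.2.15 51.79.175.139
2022-10-12T08:10:03Z 10.0.2.15 51.79.175.139
2022-10-12T08:15:04Z 10.0.2.15 51.79.175.139
2022-10-12T08:11:00Z 10.0.2.15 79.110.62.23
2022-10-12T08:12:00Z 10.0.2.99 203.0.113.10
2022-10-12T08:13:00Z 10.0.2.42 198.23.214.117
'''.strip().splitlines()

SAMPLE_DNS = '''
2022-10-12T07:59:30Z 10.0.2.15 a.oracleservice.top
2022-10-12T08:00:00Z 10.0.2.42 www.example.com
2022-10-12T08:20:00Z 10.0.2.77 JIRA.LETMAKER.TOP.
'''.strip().splitlines()


def parse_ts(text):
    # Timestamps are UTC with a trailing Z; parse explicitly so the code also
    # works on Python versions whose fromisoformat() rejects the Z suffix.
    return datetime.strptime(text, '%Y-%m-%dT%H:%M:%SZ')


def flow_hits(lines):
    '''Return (src, dst, role, timestamp) for each flow whose destination is
    one of the report's C2 or mining-proxy addresses.'''
    hits = []
    for line in lines:
        ts, src, dst = line.split()
        if dst in MINER_PROXY_IPS:
            hits.append((src, dst, 'miner-proxy', parse_ts(ts)))
        elif dst in C2_IPS:
            hits.append((src, dst, 'c2', parse_ts(ts)))
    return hits


def dns_hits(lines):
    '''Return (client, name, timestamp) for each query of an IoC domain.
    Names are lower-cased and the trailing root dot removed, so resolver
    logs that emit JIRA.LETMAKER.TOP. still match.'''
    hits = []
    for line in lines:
        ts, client, name = line.split()
        name = name.rstrip('.').lower()
        if name in IOC_DOMAINS:
            hits.append((client, name, parse_ts(ts)))
    return hits


def persistent_miner_hosts(lines, min_connections=3, window=timedelta(hours=1)):
    '''Hosts that connected to a mining proxy at least min_connections times
    inside one window, mapped to their total proxy connection count. A single
    connection may be a scanner or a stray lookup; a running miner reconnects
    to its pool continually, which is the pattern worth investigating.
    Threshold and window are assumptions for this example.'''
    by_host = defaultdict(list)
    for src, _dst, role, ts in flow_hits(lines):
        if role == 'miner-proxy':
            by_host[src].append(ts)
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        # Sliding window over the sorted timestamps.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_connections:
                flagged[host] = len(times)
                break
    return flagged


if __name__ == '__main__':
    for src, dst, role, ts in flow_hits(SAMPLE_FLOWS):
        print(ts.isoformat(), src, '->', dst, role)
    for client, name, ts in dns_hits(SAMPLE_DNS):
        print(ts.isoformat(), client, 'queried IoC domain', name)
    for host, count in persistent_miner_hosts(SAMPLE_FLOWS).items():
        print('investigate', host, '- continual traffic to mining proxy,', count, 'connections')
```

Run as a script it lists every flow to a C2 or proxy address and every IoC domain lookup, then names the hosts whose proxy traffic is sustained rather than one-off; in practice the two sample lists would be replaced by a reader over the flow and resolver logs of the environment being checked.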
As cloud infrastructure and common publicly accessible services remain vulnerable, we expect 8220 Gang to continue growing into the future.\r\nIndicators of Compromise\r\nCommunications\r\n89.34.27.167 (From July into September 2022)\r\n79.110.62.23 (Primary since September 2022)\r\n51.79.175.139 (Miner Proxy)\r\n198.23.214.117 (Miner Proxy)\r\nwork.onlypirate[.]top\r\na.oracleservice[.]top\r\nb.oracleservice[.]top\r\npwn.oracleservice[.]top\r\nc4k-ircd.pwndns[.]pw\r\njira.letmaker[.]top\r\nhttps://cdn.discordapp[.]com/attachments/994652587494232125/1004395450058678432/miner_Nyrpcmbw[.]png\r\nFile Hashes (SHA1)\r\n165f188b915b270d17f0c8b5614e8b289d2a36e2\r\n528477d0a2cf55f6e4899f99151a39883721b722\r\n557d729f8a7ba712a48885304280b564194406d3\r\n58af7af0dbf079bafd8fae1a7b3a2230b2bcba31\r\n740a1cdee7b7f4350eec53c1ca3022562ea83903\r\n7477812278038e8d3606c433f1c4389b897012e2\r\n75ea4b0b76a0b61bd0f8f4a491e5db918bc1df1c\r\n7b128cd6cf092409fc9c71ddd27c66dd98002b1a\r\n871f38fd4299b4d94731745d8b33ae303dcb9eaa (CVE-2019-2725 example)\r\n9bc4db76ae77ea98fdcaa9000829840d33faba97\r\nbe53175a3b3e11c1e3ca7b87abb6851479453272\r\nc1630af40f38f01e94eec2981c5f4f11481ba700\r\nc22f9ae02601a52c9dca91c3b4cb3d2221f54b50\r\nc537cf320e90a39e7f5e9846e118502802752780\r\nc86349460658a994e517fede6773e650f8f3ac9b\r\nd5138d1708d5d77ea86920a217c2033a2e94ad7e\r\nee6787636ea66f0ecea9fa2a88f800da806c3ea6\r\nSource: https://www.sentinelone.com/blog/8220-gang-cloud-botnet-targets-misconfigured-cloud-workloads/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.sentinelone.com/blog/8220-gang-cloud-botnet-targets-misconfigured-cloud-workloads/"
	],
	"report_names": [
		"8220-gang-cloud-botnet-targets-misconfigured-cloud-workloads"
	],
	"threat_actors": [
		{
			"id": "0b8ea9bb-b729-438a-ae1f-4240db936fd7",
			"created_at": "2023-06-23T02:04:34.839947Z",
			"updated_at": "2026-04-10T02:00:04.99239Z",
			"deleted_at": null,
			"main_name": "8220 Gang",
			"aliases": [
				"8220 Mining Group",
				"Returned Libra",
				"Water Sigbin"
			],
			"source_name": "ETDA:8220 Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "942c5fbc-31df-4aef-8268-e3ccf6692ec8",
			"created_at": "2024-07-09T02:00:04.434476Z",
			"updated_at": "2026-04-10T02:00:03.671196Z",
			"deleted_at": null,
			"main_name": "Water Sigbin",
			"aliases": [
				"8220 Gang"
			],
			"source_name": "MISPGALAXY:Water Sigbin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434061,
	"ts_updated_at": 1775791701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/39e418238499c6a961d7b1223aa2f76f93f5cfe2.pdf",
		"text": "https://archive.orkl.eu/39e418238499c6a961d7b1223aa2f76f93f5cfe2.txt",
		"img": "https://archive.orkl.eu/39e418238499c6a961d7b1223aa2f76f93f5cfe2.jpg"
	}
}