{
	"id": "b8345b26-fddd-4bc5-bc97-86dabcd7ea1f",
	"created_at": "2026-04-06T00:15:33.754793Z",
	"updated_at": "2026-04-10T03:28:21.022456Z",
	"deleted_at": null,
	"sha1_hash": "450e0c1bafaf799092970ee54d315bdb8597f681",
	"title": "Imperva Detects Undocumented 8220 Gang Activities | Imperva",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2504356,
	"plain_text": "Imperva Detects Undocumented 8220 Gang Activities | Imperva\r\nBy Daniel Johnston\r\nPublished: 2023-12-14 · Archived: 2026-04-05 17:05:14 UTC\r\nImperva Threat Research has detected previously undocumented activity from the 8220 gang, which is known for the mass deployment of malware using a variety of continuously evolving TTPs. This threat actor has been known to target both Windows and Linux web servers with cryptojacking malware.\r\nIn this blog, we will detail recent activity, attack vectors used by the group, and share the indicators of compromise (IoCs) from the group’s most recent and previously unknown campaigns. Imperva customers are protected against this group’s known activities. All organizations should maintain up-to-date patches and security.\r\nHistory\r\nThe 8220 gang, widely believed to be of Chinese origin, was first identified by Cisco Talos in 2017 targeting Drupal, Hadoop YARN, and Apache Struts2 applications to propagate cryptojacking malware. Since then, various other researchers have provided updates on the evolving tactics, techniques and procedures (TTPs) leveraged by the group, including exploitation of Confluence and Log4j vulnerabilities. Most recently, Trend Micro disclosed evidence of the group leveraging the Oracle WebLogic vulnerability CVE-2017-3506 to infect targeted systems.\r\nEvolving TTPs\r\nAs well as the recently disclosed use of CVE-2021-44228 and CVE-2017-3506, Imperva Threat Research observed the group’s attempted exploitation of CVE-2020-14883, a Remote Code Execution vulnerability in Oracle WebLogic Server, to propagate malware.\r\nThis vulnerability allows remote authenticated attackers to execute code using a gadget chain and is commonly chained with CVE-2020-14882 (an authentication bypass vulnerability also affecting Oracle WebLogic Server) or the use of leaked, stolen, or weak credentials. Exploitation of these vulnerabilities is well documented. Therefore, the public exploits are easy to modify for the purposes of malware deployment. The 8220 gang uses two different gadget chains: one enables the loading of an XML file, which then contains a call to the other and enables execution of commands on the OS.\r\nhttps://www.imperva.com/blog/imperva-detects-undocumented-8220-gang-activities/\r\nPage 1 of 7\r\nThe group uses different variations of the supplied XML depending on the target OS:\r\nThe command used to target Linux hosts attempts to download one of a set of second-phase files using a variety of different methods: cURL, wget, lwp-download and Python urllib (base64 encoded), as well as a custom bash function that is also base64 encoded.\r\nDecoded base64: calls to Python 2 and 3 urllib:\r\nCustom bash download function:\r\nOn Windows a simple PowerShell WebClient command is used to execute a downloaded PowerShell script:\r\nIn another variation of the attack, the group uses a different gadget chain to execute Java code without the requirement of an externally hosted XML file.\r\nThe injected Java code first evaluates whether the OS is Windows or Linux, and then executes the appropriate command strings, which are identical to the ones already outlined above.\r\nFrom here, the downloaded files are executed, infecting the exploited hosts with known AgentTesla, rhajk and nasqa malware variants, shown in the VirusTotal screenshots below.\r\nThe chain of infection using CVE-2020-14883:\r\nActivity Trends\r\nThe following graph shows recent activity attributed to the 8220 gang, all of which was mitigated by Imperva Cloud WAF. The group appears to be opportunistic when selecting their targets, with no clear trend in country or industry. Imperva Threat Research observed the group attacking healthcare, telecommunications, and financial services targets in the United States, South Africa, Spain, Colombia, and Mexico. The 8220 gang appears to use custom tools written in Python to launch their attack campaigns, and the attacking IPs—located in the US, Mexico and Russia—are associated with known hosting companies.\r\nImperva Mitigation\r\nAt the time of writing, Imperva Cloud WAF and on-prem WAF mitigate all of the web vulnerabilities known to be leveraged by the 8220 gang for their malicious activities. Recent vulnerabilities detected by Imperva and leveraged by the group include:\r\nCVE-2017-3506 – Oracle WebLogic Server RCE\r\nCVE-2019-2725 – Oracle WebLogic Server Authenticated Deserialization\r\nCVE-2020-14883 – Oracle WebLogic Server Authenticated RCE\r\nCVE-2021-26084 – Atlassian Confluence Server OGNL Injection RCE\r\nCVE-2021-44228 – Apache Log4j JNDI RCE\r\nCVE-2022-26134 – Atlassian Confluence Server RCE\r\nConclusion\r\nThe 8220 gang, a widely recognized threat actor driven by financial motives, has been under scrutiny by various research teams since 2017. The group relies on simple, publicly available exploits to target well-known vulnerabilities and exploit easy targets to achieve their objectives. While considered unsophisticated, they are constantly evolving their tactics and techniques to evade detection.\r\nThroughout our investigation, we observed that attributing attacks to this group was relatively straightforward due to their consistent use of easily traceable IoCs and TTPs, frequently reusing the same IP addresses, web servers, payloads, and attack tools.\r\nDespite the group’s lack of sophistication, it remains critical for enterprises to promptly patch their applications and implement multiple layers of security measures to safeguard against falling victim to such groups. Imperva Threat Research will maintain its vigilance in monitoring the activities of this and other threat actors, and ensuring security for our customers.\r\nLatest 8220 gang IoCs\r\nURLs\r\nSource IPs\r\nMalicious file hashes\r\nSource: https://www.imperva.com/blog/imperva-detects-undocumented-8220-gang-activities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.imperva.com/blog/imperva-detects-undocumented-8220-gang-activities/"
	],
	"report_names": [
		"imperva-detects-undocumented-8220-gang-activities"
	],
	"threat_actors": [
		{
			"id": "0b8ea9bb-b729-438a-ae1f-4240db936fd7",
			"created_at": "2023-06-23T02:04:34.839947Z",
			"updated_at": "2026-04-10T02:00:04.99239Z",
			"deleted_at": null,
			"main_name": "8220 Gang",
			"aliases": [
				"8220 Mining Group",
				"Returned Libra",
				"Water Sigbin"
			],
			"source_name": "ETDA:8220 Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "942c5fbc-31df-4aef-8268-e3ccf6692ec8",
			"created_at": "2024-07-09T02:00:04.434476Z",
			"updated_at": "2026-04-10T02:00:03.671196Z",
			"deleted_at": null,
			"main_name": "Water Sigbin",
			"aliases": [
				"8220 Gang"
			],
			"source_name": "MISPGALAXY:Water Sigbin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434533,
	"ts_updated_at": 1775791701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/450e0c1bafaf799092970ee54d315bdb8597f681.pdf",
		"text": "https://archive.orkl.eu/450e0c1bafaf799092970ee54d315bdb8597f681.txt",
		"img": "https://archive.orkl.eu/450e0c1bafaf799092970ee54d315bdb8597f681.jpg"
	}
}