{
	"id": "d34c31c4-e216-4452-bd29-7db19ffb3000",
	"created_at": "2026-04-06T00:14:26.059755Z",
	"updated_at": "2026-04-10T03:32:46.218362Z",
	"deleted_at": null,
	"sha1_hash": "5680c21a347bfdc57a46d79a2acb6749a0c88f0c",
	"title": "8220 Gang Cyber Threats: Cloud Infrastructure \u0026 Cryptomining Tactics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1708075,
	"plain_text": "8220 Gang Cyber Threats: Cloud Infrastructure \u0026 Cryptomining Tactics\r\nBy Uptycs Threat Research\r\nPublished: 2024-02-22 · Archived: 2026-04-05 12:37:06 UTC\r\nAuthors: Tejaswini Sandapolla, Shilpesh Trivedi\r\nThe 8220 Gang, a notorious China-based threat actor group, has once again surfaced in the spotlight with a renewed\r\nassault on cloud-based infrastructure. This latest campaign, unfolding from May 2023 through February 2024, showcases the\r\ngang's strategic pivot towards more sophisticated tactics and techniques, targeting both Linux and Windows platforms.\r\nThrough a meticulously orchestrated operation, the group has been exploiting well-known vulnerabilities, including CVE-2021-44228 and CVE-2022-26134, underscoring a persistent threat to cloud environments worldwide.\r\nThe significance of this development cannot be overstated. The shift in the 8220 Gang's approach marks a critical evolution\r\nin cyber threats facing cloud infrastructure today. By leveraging internet scans for vulnerable applications, the group\r\nidentifies potential entry points into cloud systems, exploiting unpatched vulnerabilities to gain unauthorized access. Once\r\ninside, they deploy a series of advanced evasion techniques, demonstrating a profound understanding of how to navigate and\r\nmanipulate cloud environments to their advantage. This includes disabling security enforcement, modifying firewall rules,\r\nand removing cloud security services, thereby ensuring their malicious activities remain undetected.\r\nThe implications of these attacks are far-reaching, affecting countless organizations relying on cloud infrastructure for their\r\noperations. The change in tactics and methods employed by the 8220 Gang signifies an alarming advancement in\r\ncybercriminal capabilities, posing an increased risk to cloud security and emphasizing the need for heightened vigilance and\r\nrobust security measures.\r\n
Uptycs’ threat research team reveals the intricate details of the 8220 Gang's latest campaign, offering an in-depth analysis of\r\ntheir attack methodologies, the vulnerabilities exploited, and the defensive evasion tactics used. By understanding the nature\r\nof these attacks and the changes in the group's approach, organizations can better prepare themselves to defend against such\r\nsophisticated threats, ensuring the security and integrity of their cloud-based infrastructure.\r\nOverview of 8220 Gang’s latest cryptomining campaign and historical timeline\r\nIn this latest campaign, the utilization of Windows PowerShell for fileless execution is noted, which leads to the deployment\r\nof a cryptominer. What sets this campaign apart from its predecessors is the adoption of distinctive techniques, including\r\nDLL sideloading, User Account Control (UAC) bypass, and the modification of AmsiScanBuffer and EtwEventWrite.\r\nThese specific tactics represent a novel approach, showcasing the group's ingenuity in optimizing stealth and evasion\r\nmeasures, which distinguish it from previous instances. In the Linux campaign, there were no major changes found.\r\nFigure 1 - Attack timeline\r\nhttps://www.uptycs.com/blog/8220-gang-cryptomining-cloud-based-infrastructure-cyber-threat\r\nPage 1 of 11\n\nThe figure above depicts the percentage of increased and decreased attacks for each month in comparison to the preceding\r\nmonth.\r\nWindows\r\nThe group extends its focus to Windows systems, employing novel file and command-and-control (C\u0026C) servers to\r\ncircumvent prior detection methods. Their tactics involve employing diverse techniques to bypass antivirus (AV) and\r\nendpoint detection and response (EDR) systems, coupled with the utilization of fileless attacks, UAC bypass and DLL\r\nsideloading strategies.\r\n
Stage 1: Bypass.ps1\r\n1. In the first stage, using the same URL as the Linux sample, a PowerShell script downloads and\r\nexecutes the stage 2 payload.\r\nFigure 2 - Downloading payload deliver.cmd.\r\n2. The stage 1 script turns off the firewall using the netsh utility, like the Linux variant.\r\n3. Other known cryptocurrency miners, such as network0, kthreaddi and sysrv, are killed.\r\n4. Processes listening on ports 3333, 4444, 5555, 7777, and 9000 are also stopped, as these ports are used by cryptomining\r\nprocesses.\r\n5. Downloads stage 2 (deliver.cmd) and then executes it.\r\nStage 2: deliver.cmd\r\n1. This is an obfuscated batch script. On deobfuscation we can see the following content.\r\nFigure 3 - Highly obfuscated script\r\n2. The script has two encrypted payloads (starting with ::), which are base64 decoded, AES decrypted and GZIP\r\ndecompressed.\r\nFigure 4 - Encrypted payloads (starting with ::)\r\n3. After decompression, it gives two PE files.\r\n4. The small PE file, about 11 KB (name: YCWNEP), is used for the AmsiScanBuffer and EtwEventWrite bypass. This\r\nexecutable aims to circumvent AMSI and evade Microsoft's event tracing mechanisms by patching the EtwEventWrite\r\nand AmsiScanBuffer APIs, thereby making it difficult for security systems to detect and track its activities through ETW and\r\nAMSI.\r\nFigure 5 - Uptycs Alert: PowerShell execution detected to bypass Defender detection\r\n
The patching of EtwEventWrite and AmsiScanBuffer functions is typically associated with evading detection mechanisms,\r\nspecifically those employed by security software and systems. Let's break down the potential reasons for patching these\r\nfunctions:\r\nEtwEventWrite patching: Event Tracing for Windows (ETW): EtwEventWrite is a function related to ETW, a Windows\r\nfeature for collecting and tracing events. By patching this function, attackers may attempt to suppress or manipulate the\r\ngeneration of event logs, making their activities less visible to system administrators and security analysts. This can be\r\ncrucial for maintaining stealth during an attack.\r\nAmsiScanBuffer patching: Anti-Malware Scan Interface (AMSI): AmsiScanBuffer is part of the AMSI interface, which\r\nallows security applications to integrate with scripting engines and scan script content for malicious behavior. By patching\r\nthis function, attackers seek to bypass or disable the scanning capabilities provided by AMSI, enabling them to execute\r\nmalicious scripts without triggering alerts or interventions from security software.\r\nIn summary, the patching of\r\nEtwEventWrite and AmsiScanBuffer functions is indicative of efforts to avoid detection and hinder the logging and scanning\r\ncapabilities of Windows security features. This is a common strategy employed by attackers to operate stealthily and\r\nincrease the likelihood of their malicious activities going undetected.\r\nThe bigger decrypted PE file serves several purposes (Stage 3).\r\nFigure 6 - The patching of EtwEventWrite and AmsiScanBuffer functions to evade detection\r\nStage 3\r\nThe bigger decrypted PE file (from stage 2) serves several purposes:\r\na. Checks for the presence of a debugger.\r\nb. Installs a startup entry for itself as a batch script (Network99717Man.cmd).\r\nFigure 7 - Startup entry\r\nFigure 8 - Uptycs Alert: PowerShell execution with scheduled task\r\n
c. Windows Defender exclusions are added via the following command: powershell.exe\" add-mppreference -exclusionpath\r\n@('A:\\','C:\\','D:\\','Z:\\').\r\nd. Has two embedded encrypted resources named P and UAC. After decompressing (GZIP) they give two executables.\r\ne. If the parent process is not run under admin rights, the executable tries to create a directory named “C:\\\\Windows ” (there\r\nis a space after “Windows”). Windows does not normally allow the creation of a directory with a trailing space, so to bypass\r\nthis restriction it abuses the CreateDirectory API with the “\\\\?\\” universal naming convention (UNC) prefix. This technique\r\nbypasses the check and successfully creates a trailing-spaced directory. The executable then creates a “System32” directory in the\r\ntrailing-spaced directory and copies a legitimate ComputerDefaults.exe from %system32% to that fake directory. Then the\r\nexecutable UAC (md5: 29263792b788ecfa9f4e29699ed8ab61) is decrypted, copied into the trailing-spaced directory,\r\nrenamed “propsys.dll” [\"C:\\\\Windows\\\\System32\\\\propsys.dll\"] and loaded when\r\n\"C:\\\\Windows\\\\System32\\\\ComputerDefaults.exe\" is executed. The legitimate program ComputerDefaults.exe is thus affected by\r\nthe DLL side-loading of propsys.dll.\r\nFigure 9 - DLL sideloading of malicious propsys.dll, which is later used for UAC bypass\r\nf. The propsys.dll is a modified Rust binary containing strings such as start-windowstylehidden-filepath. So basically\r\nComputerDefaults.exe is called with the filename %appdata%/Network99717Man.cmd as its argument. The malicious propsys.dll\r\nis employed solely for initiating the execution of the Network99717Man.cmd file. This strategy serves as a User Account\r\nControl (UAC) bypass mechanism, particularly effective if the parent file is not executed with Administrator privileges.\r\ng. The main payload (stage 4) is obtained by decrypting resource “P” of stage 3.\r\n
Stage 4\r\n1. The stage 4 payload has a memory stream which gets gzip decompressed, forming a PE file that is then loaded.\r\n2. The above payload is loaded inside AddInProcess.exe via process injection and is executed with parameters -o\r\n217.182.205.238:8080 -u\r\nZEPHYR2xf9vMHptpxP6VY4hHwTe94b2L5SGyp9Czg57U8DwRT3RQvDd37eyKxoFJUYJvP5ivBbiFCAMyaKWUe9aPZzuNoDXYT\r\n-p x --algo rx/0 --cpu-max-threads-hint=50\r\nFigure 10 - Process injection in AddInProcess.exe performing cryptomining\r\n3. In the above process, we can clearly see that AddInProcess.exe runs with high CPU usage \u003e 85%.\r\n4. Mining-related strings can be seen in the dump of the process AddInProcess.exe.\r\nFigure 11 - Mining-related strings found in dump\r\nWhat changed as compared to previous campaigns in Windows\r\nThe comprehensive strategy in the above detailed scenario revolves around the utilization of PowerShell for fileless\r\nexecution, leading to the deployment of a cryptominer. What sets this campaign apart from its predecessors is the adoption\r\nof distinctive techniques, including DLL sideloading, User Account Control (UAC) bypass, and the modification of\r\nAmsiScanBuffer and EtwEventWrite. These specific tactics represent a novel approach, showcasing the campaign's\r\ningenuity in optimizing stealth and evasion measures, which distinguish it from previous instances.\r\n
Linux malware operation\r\nThe primary objective of the Linux-based attacks remains cryptojacking, as in previous years. The group actively conducts\r\ninternet scans to identify susceptible applications, still employing tools such as masscan and spirit for reconnaissance, just\r\nusing newer versions of them. The Linux variant is in the form of a shell script which downloads miners and other malware\r\nlater.\r\nIn-depth shell script analysis\r\nThe initial phase of the attack incorporates a shell script functioning as a downloader. This script employs multiple defense\r\nevasion techniques, ensuring persistence within the targeted system. Each of these techniques is detailed below:\r\nDefense evasion techniques\r\n1. The command setenforce 0 2\u003e/dev/null is used to temporarily disable SELinux enforcement on a system.\r\n2. Disables the firewall via ufw disable.\r\nFigure 12 - Uptycs Alert: Process trying to alter UFW firewall rules\r\n3. Sets the firewall to a state where all traffic (incoming, outgoing, and forwarded) is allowed without restriction via\r\niptables, which can be seen in the figure below.\r\n4. Removes the immutable and append-only attributes from /etc/ld.so.preload and then empties its contents.\r\n5. Removes certain cloud-related security services and agents, such as those of Alibaba Cloud (Aliyun).\r\nFigure 13 - Defense evasion technique\r\nDownloading payload\r\nThe payload is downloaded from two sets of C2 servers, whichever is active, as seen in the figure given below:\r\nFigure 14 - Downloading payload\r\nThe script is a versatile downloader that tries different methods (wget, curl, and lwp-download) to download a file and make\r\nit executable.\r\nApart from wget, curl, and lwp-download, in the newer versions it also uses the Python urllib package and a custom bash function,\r\nboth of which are base64 encoded.\r\nFigure 15 - Base64 encoded commands\r\nThe utilization of base64 encoding for both Python code and a shell script in the download process serves as a strategy\r\nemployed by malicious actors to obscure their activities. By encoding the content, threat actors aim to evade signature-based\r\ndetection mechanisms commonly employed by security solutions.\r\nThe above base64 encoded data decodes to the following:\r\nFigure 16 - Downloading payload via python urllib\r\nDownloading payload via custom bash function:\r\nFigure 17 - Downloading payload via custom bash function\r\n
Persistence\r\n1. The script creates a service to maintain persistence.\r\nFigure 18 - Createservices() used to maintain persistence\r\n2. Deploys multiple cron jobs across various directories, each tasked with fetching the primary payload from the\r\ncommand-and-control (C2) server and initiating its execution.\r\nFigure 19 - makecron() used to deploy cron jobs\r\nDiscovery and lateral movement\r\n1. Uses the masscan hacktool to scan IP ranges for open SSH ports and saves the output to $DIR/open.lst.\r\n2. The above list of targeted hosts is used by the spirit tool, a UPX-packed Golang binary which serves as a propagation\r\nutility. It launches brute-force attacks (using p.lst, md5: 3cd845610e49e11575b5c18596b38389, which holds around 6000\r\nusername:password combinations) against susceptible hosts within the network, thereby propagating the attack and\r\nextending infection across interconnected systems.\r\n3. The attacker has updated p.lst and the spirit binary over the campaigns of the last 5-6 months. The free version of spirit was used in\r\nmost of the campaigns. It looks like the attacker has used an open source GitHub project, https://github.com/theaog/spirit/tree/master,\r\nfor the masscan and spirit tools.\r\nFigure 20 - Uses masscan and zgrab hacktools for discovery and lateral movement\r\n4. It also automates SSH connections to various hosts using multiple keys and users, with the purpose of downloading and\r\nexecuting a remote script on each host. It parses command history files (~/.bash_history, /home/*/.bash_history,\r\n/root/.bash_history) to find previously used SSH connections.\r\nFigure 21 - Lateral movement via local SSH credentials\r\n
Downloader\r\n1. The main purpose of this shell script is to download payloads, which include “Tsunami IRCBot” and “Coinminer”.\r\n2. Verifies the existence of established connections to the IP addresses 51[.]255[.]171[.]23, 217[.]182[.]205[.]238,\r\n89[.]185[.]85[.]102, 178[.]62[.]234[.]229, and 159[.]223[.]201[.]180. These IP addresses are associated with miner and\r\nIRCbot frameworks, and this process is undertaken to assess the presence of any active malware.\r\n3. If no connection to the above IPs exists, it downloads the miner as $DIR/bash and executes it with parameters “-c -p 80 -p 443\r\n-tls -dp 80 -dp 443 -tls -d”.\r\n4. It downloads the Tsunami malware as \"$DIR/python3\" and executes it.\r\nFigure 22 - Downloading and executing Tsunami and miner.\r\n5. It also uses the $(uname -m) command to download files built for the specific architecture. The Tsunami malware (md5:\r\n63a86932a5bad5da32ebd1689aa814b3) and miner (md5: 915aec68a5b53aa7681a461a122594d9) haven't changed over the last\r\n2 years of the campaign.\r\nUptycs CNAPP coverage\r\nUptycs CNAPP is flagging a growing number of suspicious alerts, encompassing activities such as system startup, potential\r\ninformation theft, attempts to gain high-level access, termination of running services, executing processes from temporary\r\nlocations, and the discovery of dropped files within the AppData folder. These alerts collectively contribute to an escalating\r\nlevel of suspicion.\r\nFigure 23 - Uptycs alert - Windows\r\nFigure 24 - Uptycs alert - Linux\r\n
Conclusion: 8220 Gang\r\nThe 8220 Gang has proven to be a substantial threat, challenging the characterization by some researchers who initially\r\nlabeled them as mere \"script kiddies.\" While their Linux campaign saw minimal changes, the group significantly enhanced\r\nand altered their tactics in the Windows campaign.\r\nOrganizations are now tasked with the continuous improvement and updating of their security systems to match the group's\r\nevolving strategies. In the early stages, the group employed straightforward and easily detectable scripts in their\r\ndeployments. Maintaining a watchful eye on the 8220 Gang and their deployments is crucial for ongoing analysis, detection,\r\nand the effective implementation of blocking measures.\r\nPrecautions\r\nUtilize trustworthy antivirus and anti-malware solutions, ensuring they are regularly updated.\r\nMaintain current security patches for operating systems and software to stay protected.\r\nInform users/employees about the risks associated with clicking on unfamiliar links or downloading questionable\r\nattachments.\r\nEnforce robust email filtering to prevent malicious attachments and links from infiltrating your system.\r\nConsistently observe network traffic for any abnormal or questionable behaviors.\r\nFrequently back up essential data and store it in an offline location to safeguard against ransomware encryption.\r\nIOC\r\nhttps://github.com/uptycslabs/IOCs/blob/main/8220Gang\r\nSource: https://www.uptycs.com/blog/8220-gang-cryptomining-cloud-based-infrastructure-cyber-threat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.uptycs.com/blog/8220-gang-cryptomining-cloud-based-infrastructure-cyber-threat"
	],
	"report_names": [
		"8220-gang-cryptomining-cloud-based-infrastructure-cyber-threat"
	],
	"threat_actors": [
		{
			"id": "0b8ea9bb-b729-438a-ae1f-4240db936fd7",
			"created_at": "2023-06-23T02:04:34.839947Z",
			"updated_at": "2026-04-10T02:00:04.99239Z",
			"deleted_at": null,
			"main_name": "8220 Gang",
			"aliases": [
				"8220 Mining Group",
				"Returned Libra",
				"Water Sigbin"
			],
			"source_name": "ETDA:8220 Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "942c5fbc-31df-4aef-8268-e3ccf6692ec8",
			"created_at": "2024-07-09T02:00:04.434476Z",
			"updated_at": "2026-04-10T02:00:03.671196Z",
			"deleted_at": null,
			"main_name": "Water Sigbin",
			"aliases": [
				"8220 Gang"
			],
			"source_name": "MISPGALAXY:Water Sigbin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434466,
	"ts_updated_at": 1775791966,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5680c21a347bfdc57a46d79a2acb6749a0c88f0c.pdf",
		"text": "https://archive.orkl.eu/5680c21a347bfdc57a46d79a2acb6749a0c88f0c.txt",
		"img": "https://archive.orkl.eu/5680c21a347bfdc57a46d79a2acb6749a0c88f0c.jpg"
	}
}