{
	"id": "baa0aabd-1d0b-4cf2-a0a0-6b584832ff54",
	"created_at": "2026-04-09T02:22:51.846021Z",
	"updated_at": "2026-04-10T03:30:57.391221Z",
	"deleted_at": null,
	"sha1_hash": "a8fc4a0fc73d95fe3761368fc6409cb730725369",
	"title": "The 8220 Gang: Targeting Cloud Providers and Vulnerable Applications",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 359369,
	"plain_text": "The 8220 Gang: Targeting Cloud Providers and Vulnerable\r\nApplications\r\nBy Radware\r\nArchived: 2026-04-09 02:18:34 UTC\r\nJanuary 19, 2023 11:46 AM\r\nThe 8220 Gang, also known as 8220 Mining Group, is a for-profit threat group from China that mainly targets cloud providers and poorly\r\nsecured applications with a custom-built crypto miner and IRC bot.\r\nhttps://www.radware.com/security/ddos-threats-attacks/threat-advisories-attack-reports/the-8220-gang-targeting-cloud-providers/\r\nPage 1 of 3\r\nOverview\r\nAs initially reported by Cisco Talos, the 8220 Gang has been active since 2017. While the threat group may be\r\nconsidered low-level, they have continued to advance and update their campaign over the years, proving how\r\nimpactful a persistent low-level threat group can be. For example, in 2022, Lacework reported on how this highly\r\nactive group continued evolving tactics and techniques to evade detection. Later in the year, Aqua reported on the\r\ngroup's exploitation of CVE-2022-26134, a vulnerability in the Atlassian Confluence software; SentinelOne also\r\nsaid that they had recently observed the 8220 Gang botnet proliferate after successfully infecting over 30,000\r\nhosts.\r\nThe threat group typically leverages publicly available exploits and brute-force attacks to spread its malware. The\r\ngroup has also leveraged Pastebin, Git repositories, and malicious Docker images to spread its malicious code.\r\nThe 8220 Gang is known to use a variety of tactics and techniques to hide its activities and evade detection,\r\nincluding the use of a blocklist to avoid tripping over honeypots. Yet, the group is not perfect and was caught\r\nattempting to infect one of Radware's Redis honeypots at the beginning of this year.\r\nTactics, Techniques, and Procedures\r\nBy profiling and documenting the tactics, techniques, and procedures (TTPs) used by threat groups like the 8220\r\nGang, network defenders can better understand their behavior and how specific attacks are orchestrated, allowing\r\norganizations to prepare for, respond to, and mitigate current and future threats posed by the group.\r\nIn cybersecurity, tactics refer to the high-level description of the behavior the threat actors are trying to\r\naccomplish. For example, initial access is a tactic a threat actor leverages to gain a foothold in your network.\r\nTechniques are detailed descriptions of the behavior or actions that lead up to the tactic. For example, a technique\r\nto gain initial access includes exploiting public-facing applications. Procedures are technical details or directions\r\nabout how a threat actor will leverage the technique to accomplish an objective. For example, procedures for\r\nexploiting a public-facing application can include information on a weakness in a targeted application.\r\nINITIAL ACCESS\r\nThe source IP address in this attack originated from a compromised Apache server hosted on a major cloud\r\nprovider. The IP address originally sent several requests to our Redis honeypot via '/api/login' and port 8443.\r\nFollowing this event, a few days later, the same IP address began sending a series of scripted commands to our\r\nRedis honeypot via port tcp/6379, the default port used by Redis. These commands were cron jobs intended to\r\ndownload, install and execute a shell script named 'xms?redis', a python script named d.py, a crypto miner called\r\nPwnRig, and the Tsunami IRC bot on the system where Redis is running.\r\nFigure 1: Redis commands executed through initial access shell script\r\nREDIS\r\nRedis is an open-source (BSD licensed), in-memory data structure store used as a database, cache, and message\r\nbroker. It is not the first time Redis has been subject to exploit activities by malicious gangs. In March of 2022,\r\nafter a proof-of-concept exploit was released for CVE-2022-0543, Juniper Threat Labs reported that the Muhstik\r\nmalware gang was actively targeting and exploiting the Lua sandbox escape vulnerability. In December, Aqua\r\ndiscovered a previously undocumented Golang-based backdoor they dubbed Redigo, which targeted their Redis\r\nhoneypots vulnerable to CVE-2022-0543. The malware aimed to take control of systems, likely to build a botnet\r\nnetwork. The dropped malware mimicked the Redis protocol to communicate with its C2 infrastructure. The\r\nobjective of the botnet and the attackers remains unknown.\r\nAccording to the 2022 Radware Threat Report, Redis was the fourth most scanned and exploited TCP port in\r\nRadware's Global Deception Network in 2022, up from 10th position in 2021. Redis gained a lot of popularity\r\nwith the criminal community in 2022 and is one of the services that should be monitored, and not be exposed to\r\nthe internet if not required.\r\nSource: https://www.radware.com/security/ddos-threats-attacks/threat-advisories-attack-reports/the-8220-gang-targeting-cloud-providers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.radware.com/security/ddos-threats-attacks/threat-advisories-attack-reports/the-8220-gang-targeting-cloud-providers/"
	],
	"report_names": [
		"the-8220-gang-targeting-cloud-providers"
	],
	"threat_actors": [
		{
			"id": "0b8ea9bb-b729-438a-ae1f-4240db936fd7",
			"created_at": "2023-06-23T02:04:34.839947Z",
			"updated_at": "2026-04-10T02:00:04.99239Z",
			"deleted_at": null,
			"main_name": "8220 Gang",
			"aliases": [
				"8220 Mining Group",
				"Returned Libra",
				"Water Sigbin"
			],
			"source_name": "ETDA:8220 Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "942c5fbc-31df-4aef-8268-e3ccf6692ec8",
			"created_at": "2024-07-09T02:00:04.434476Z",
			"updated_at": "2026-04-10T02:00:03.671196Z",
			"deleted_at": null,
			"main_name": "Water Sigbin",
			"aliases": [
				"8220 Gang"
			],
			"source_name": "MISPGALAXY:Water Sigbin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7618565f-b8b8-4e33-b25e-3e89fdc444dd",
			"created_at": "2023-01-06T13:46:39.434955Z",
			"updated_at": "2026-04-10T02:00:03.326016Z",
			"deleted_at": null,
			"main_name": "Returned Libra",
			"aliases": [
				"8220 Mining Group"
			],
			"source_name": "MISPGALAXY:Returned Libra",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775701371,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8fc4a0fc73d95fe3761368fc6409cb730725369.pdf",
		"text": "https://archive.orkl.eu/a8fc4a0fc73d95fe3761368fc6409cb730725369.txt",
		"img": "https://archive.orkl.eu/a8fc4a0fc73d95fe3761368fc6409cb730725369.jpg"
	}
}