{ "id": "40d9cad9-27d3-431c-8ecb-ed635f1539b3", "created_at": "2026-04-06T00:22:06.181505Z", "updated_at": "2026-04-10T03:30:57.392419Z", "deleted_at": null, "sha1_hash": "f475a7c4f6112cc702f5e23aeaadd876acfb35d3", "title": "8220 Gang - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54929, "plain_text": "8220 Gang - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:16:04 UTC\n Other threat group: 8220 Gang\nNames\n8220 Gang (Talos)\n8220 Mining Group (Talos)\nReturned Libra (Palo Alto)\nWater Sigbin (Trend Micro)\nCountry China\nMotivation Financial gain\nFirst seen 2017\nDescription\n(Trend Micro) 8220 Gang (also known as “8220 Mining Group,” derived from their\nuse of port 8220 for command and control or C\u0026C communications exchange) has\nbeen active since 2017 and continues to scan for vulnerable applications in cloud\nand container environments. Researchers have documented this group targeting\nOracle WebLogic, Apache Log4j, Atlassian Confluence vulnerabilities, and\nmisconfigured Docker containers to deploy cryptocurrency miners in both Linux and\nMicrosoft Windows hosts. The group was documented to have used Tsunami\nmalware, XMRIG cryptominer, masscan, and spirit, among other tools in their\ncampaigns.\nObserved\nTools used\nOperations performed\nMay 2021\n8220 Gangs Recent use of Custom Miner and Botnet\nJul 2022\n8220 Gang Massively Expands Cloud Botnet to 30,000 Infected\nHosts\nOct 2022\n8220 Gang Cloud Botnet Targets Misconfigured Cloud Workloads\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=8384088d-a679-47bb-bff5-957830937ae3\nPage 1 of 2\n\nNov 2022\n8220 Gang Continues to Evolve With Each New Campaign\nMay 2023\n8220 Gang Evolves With New Strategies\nInformation\nPlaybook Last change to this card: 26 August 2024\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8384088d-a679-47bb-bff5-957830937ae3\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=8384088d-a679-47bb-bff5-957830937ae3\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8384088d-a679-47bb-bff5-957830937ae3" ], "report_names": [ "showcard.cgi?u=8384088d-a679-47bb-bff5-957830937ae3" ], "threat_actors": [ { "id": "0b8ea9bb-b729-438a-ae1f-4240db936fd7", "created_at": "2023-06-23T02:04:34.839947Z", "updated_at": "2026-04-10T02:00:04.99239Z", "deleted_at": null, "main_name": "8220 Gang", "aliases": [ "8220 Mining Group", "Returned Libra", "Water Sigbin" ], "source_name": "ETDA:8220 Gang", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "942c5fbc-31df-4aef-8268-e3ccf6692ec8", "created_at": "2024-07-09T02:00:04.434476Z", "updated_at": "2026-04-10T02:00:03.671196Z", "deleted_at": null, "main_name": "Water Sigbin", "aliases": [ "8220 Gang" ], "source_name": "MISPGALAXY:Water Sigbin", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7618565f-b8b8-4e33-b25e-3e89fdc444dd", "created_at": "2023-01-06T13:46:39.434955Z", "updated_at": "2026-04-10T02:00:03.326016Z", "deleted_at": null, "main_name": "Returned Libra", "aliases": [ "8220 Mining Group" ], "source_name": "MISPGALAXY:Returned Libra", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434926, "ts_updated_at": 1775791857, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/f475a7c4f6112cc702f5e23aeaadd876acfb35d3.pdf", "text": "https://archive.orkl.eu/f475a7c4f6112cc702f5e23aeaadd876acfb35d3.txt", "img": "https://archive.orkl.eu/f475a7c4f6112cc702f5e23aeaadd876acfb35d3.jpg" } }