8220 Gang - Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 18:16:04 UTC
 Other threat group: 8220 Gang
Names
8220 Gang (Talos)
8220 Mining Group (Talos)
Returned Libra (Palo Alto)
Water Sigbin (Trend Micro)
Country China
Motivation Financial gain
First seen 2017
Description
(Trend Micro) 8220 Gang (also known as “8220 Mining Group,” derived from their
use of port 8220 for command and control or C&C communications exchange) has
been active since 2017 and continues to scan for vulnerable applications in cloud
and container environments. Researchers have documented this group targeting
Oracle WebLogic, Apache Log4j, Atlassian Confluence vulnerabilities, and
misconfigured Docker containers to deploy cryptocurrency miners in both Linux and
Microsoft Windows hosts. The group was documented to have used Tsunami
malware, XMRIG cryptominer, masscan, and spirit, among other tools in their
campaigns.
Observed
Tools used
Operations performed
May 2021
8220 Gangs Recent use of Custom Miner and Botnet
Jul 2022
8220 Gang Massively Expands Cloud Botnet to 30,000 Infected
Hosts
Oct 2022
8220 Gang Cloud Botnet Targets Misconfigured Cloud Workloads
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8384088d-a679-47bb-bff5-957830937ae3
Page 1 of 2

Nov 2022
8220 Gang Continues to Evolve With Each New Campaign
May 2023
8220 Gang Evolves With New Strategies
Information
Playbook Last change to this card: 26 August 2024
Download this actor card in PDF or JSON format
Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8384088d-a679-47bb-bff5-957830937ae3
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8384088d-a679-47bb-bff5-957830937ae3
Page 2 of 2