Mallory
Financially motivated · 9 malware families · Exploits CVEs in the wild

8220 Gang

Also known as: 8220_gang, Water Sigbin

8220 Gang, also referred to as Water Sigbin, is a financially motivated, opportunistic intrusion set widely described in the provided reporting as China-based or of Chinese origin. The group has been active since at least 2017/2018 and is primarily associated with mass deployment of cryptocurrency-mining malware and cryptojacking on vulnerable internet-facing systems, especially cloud and web server environments. Reported targets include Windows and Linux web servers, VMware Horizon, Oracle WebLogic, Atlassian Confluence, and vulnerable cloud hosting environments; sectors mentioned include healthcare, telecommunications, financial services, and Korean energy-related companies. Across the cited reporting, 8220 Gang is repeatedly linked to exploitation of public-facing vulnerabilities including CVE-2017-3506, CVE-2017-10271, CVE-2019-2725, CVE-2020-14883, CVE-2021-26084, CVE-2021-44228 (Log4Shell), CVE-2022-26134, and CVE-2023-21839. Observed post-exploitation activity includes PowerShell and shell-script downloaders, HTTP/XML-based command execution against WebLogic, use of multiple download methods depending on OS, AMSI bypass, fileless execution, reflective DLL injection, process hollowing, scheduled tasks, cron jobs, systemd services, registry-based configuration storage, disabling or excluding Windows Defender, disabling cloud security tooling, modifying SELinux and /etc/ld.so.preload, deleting logs, and lateral movement via SSH brute force. The group is associated with deployment of XMRig and other Monero miners, as well as malware and tooling including ScrubCrypt, PureCrypter, Hadooken, K4Spreader, Tsunami, AgentTesla, rhajk, and nasqa. Reporting also describes use of Tsunami for IRC-based command and control and botnet/DDoS capability. On VMware Horizon, Oracle WebLogic, and Confluence compromises, the group was observed using staged loaders and injectors to ultimately run XMRig in legitimate processes. 
In cloud/container-focused campaigns, 8220 Gang used malicious scripts to establish persistence, kill competing miners, disable cloud protections, and spread internally. Known aliases in the provided content are 8220 Gang and Water Sigbin.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Energy

Where they target

Geographies tied to known operations.

  • 🇰🇷 South Korea
MITRE ATT&CK

Tradecraft

11 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics, 12 techniques. ×N = number of intelligence reports citing this technique.
TA0002 Execution (2 techniques)

  • T1059 Command and Scripting Interpreter
  • T1059.001 PowerShell
  • T1203 Exploitation for Client Execution

TA0003 Persistence (1 technique)

  • T1112 Modify Registry

TA0004 Privilege Escalation (1 technique)

  • T1055 Process Injection

TA0005 Stealth (2 techniques)

  • T1027 Obfuscated Files or Information
  • T1055 Process Injection

TA0112 Defense Impairment (1 technique)

  • T1112 Modify Registry

TA0008 Lateral Movement (1 technique)

  • T1210 Exploitation of Remote Services

TA0011 Command and Control (2 techniques)

  • T1071 Application Layer Protocol
  • T1105 Ingress Tool Transfer

TA0040 Impact (1 technique)

  • T1496 Resource Hijacking
WEAPONIZED

Associated vulnerabilities

5 CVEs this actor has used in observed campaigns. 5 of them exploited in the wild.

IOCS

Observables

27 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

Source: security online info (News)
Oct 1, 2024
Hadooken & K4Spreader Malware: 8220 Gang’s Latest Cloud Hijacking Tools

Opportunistic cloud-focused intrusion set exploiting Oracle WebLogic vulnerabilities to compromise Windows and Linux cloud servers, disable security tooling, spread laterally via SSH brute force, establish persistence (cron/systemd), and deploy Monero cryptominers; also deploys the Tsunami IRC-controlled backdoor for botnet/DDoS capability.

Source: trend micro research (News)
Jun 28, 2024
Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer

Water Sigbin is known for exploiting Oracle WebLogic vulnerabilities to deploy cryptocurrency miners, specifically using a sophisticated multi-stage, fileless malware delivery chain that leverages reflective DLL injection, process injection, and anti-debugging techniques. The group primarily deploys the PureCrypter loader and XMRig miner, focusing on evasion and persistence.

Source: imperva blog (News)
Dec 14, 2023
Imperva Detects Undocumented 8220 Gang Activities

The 8220 gang is a financially motivated threat actor known for mass deployment of cryptojacking malware targeting both Windows and Linux web servers. They exploit well-known vulnerabilities in public-facing applications to propagate malware, primarily for illicit cryptocurrency mining. Their operations are opportunistic, targeting a range of industries and geographies, and they frequently reuse infrastructure and TTPs.

Source: picus security blog (News)
Jun 14, 2023
Picus Cyber Threat Intelligence Report May 2023: Top 10 MITRE ATT&CK Techniques

8220 Gang is known for using application layer protocols for C2 and exploiting vulnerabilities such as CVE-2017-3506 for initial access.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (11)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (9)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs (5)

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables (27)

Domains, IPs, and hashes tied to this actor, refreshed continuously.