8220
8220 is a China-linked cryptomining threat group, also referred to as the 8220 gang and Water Sigbin. Reporting attributes to the group a Linux-focused malware deployment campaign using a custom installer dubbed k4spreader, first seen in February 2024, to install additional payloads including the Tsunami IRC-based DDoS botnet and the PwnRig Monero miner. The group’s tooling has been observed implementing persistence through .bash_profile modification with chattr immutability, init.d and systemd service creation, cron-based retrieval of follow-on payloads, self-update capability, C2-driven downloading, firewall and iptables disabling, clearing /etc/ld.so.preload, and removal of competing malware and suspicious cron entries/processes. Observed access and exploitation vectors associated with 8220 include Oracle WebLogic vulnerabilities CVE-2020-14883 and CVE-2020-14882, CVE-2017-3506 via crafted XML in HTTP requests, and additional RCE paths identified as JBoss_AS_3456_RCE and YARN_API_RCE. FortiGuard also reported a campaign attributed to 8220 exploiting CVE-2020-14883 commonly chained with CVE-2020-14882 to deploy stealer and cryptominer malware, including AgentTesla, rhajk, and nasqa. The group has been associated with HTTP-based delivery and application-layer protocol use, and infrastructure including domains and IPs used for C2, IRC, and mining operations. Known aliases directly mentioned in the content: Water Sigbin. No sub-groups are directly identified in the provided content.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Associated malware families
3 malware families attributed to this actor across reporting.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.
In November 2017, it used the Weblogic deserialization vulnerability (CVE- 2017-10271) invading a server and implanting a mining Trojan.
Currently, there are few samples and the following vulnerabilities are exploited. CVE_2020_14882
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
China-origin cryptomining-focused threat group active since 2017 that compromises Windows/Linux servers by exploiting server-side RCE/unauthorized access flaws, establishes persistence, disables defenses, and deploys additional payloads including miners (PwnRig/XMRig-derived) and DDoS botnet malware (Tsunami). In this report, it is developing and deploying a new installer/downloader tool ('k4spreader') to spread and manage these payloads.
Campaign exploiting Oracle WebLogic Server vulnerabilities (CVE-2020-14883 chained with CVE-2020-14882) to achieve RCE via crafted XML and deploy stealer/cryptominer malware (AgentTesla, rhajk, nasqa).
Exploits Oracle WebLogic CVE-2017-3506 via crafted HTTP/XML requests to execute arbitrary commands and compromise systems; uses application-layer protocols for malicious activity.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.