A crypto mining group named 8220 Gang has been abusing Linux and cloud app vulnerabilities to grow its botnet. The group has successfully created a botnet comprised of more than 30,000 infected hosts. 

8220 Gang with a botnet network

In this new campaign, the 8220 Gang has added new stealth capabilities, even though it is not using any specific detection evasion tactics.
  • Since last month, the group started using a dedicated file to manage the SSH brute forcing step. 
  • It has 450 hardcoded credentials related to a wide range of Linux apps and devices.
  • In another update, it is using blocklists in the script to avoid certain hosts from infections.
  • These block lists are believed to be related to honeypots set up by security researchers.

The low-skilled 8220 Gang is financially-motivated and targets Aliyun, AWS, QCloud, GCP, and Azure hosts. It targets publicly available systems with exposed versions of Docker, Redis, Apache, and Confluence.

Why brute force 

After obtaining access, the attackers use SSH brute forcing to spread further and hijack available computational resources to execute cryptominers that point to untraceable pools.

Use of a new miner

  • The 8220 Gang uses a new version of its custom cryptominer, PwnRig.
  • The miner uses a fake FBI subdomain with an IP address pointing at the federal government domain of Brazil.
  • The reason behind this is to create a fake pool request and hide the real destination of the produced money.


The 8220 Gang isn’t labeled as sophisticated, yet the sudden rise in crypto-related infection is alarming. Even though several coins, including Monero, lost 20% or more in the past six months, some attackers are still relying on cryptojacking. Botnet attacks can be controlled largely by applying patches for all IoT devices and staying up-to-date. Furthermore, watch out for fake cloud apps and be sure of their legitimacy.
Cyware Publisher