A for-profit Chinese threat group, 8220 Gang, was observed targeting cloud service providers and poorly secured apps. The group was observed using a cryptominer and IRC botnet to churn financial advantage out of public cloud infrastructure.

Public cloud under attack

8220 Gang brings expertise in conducting cryptomining campaigns against public cloud environments. Public clouds offer many unlimited resources to their subscribers, making it hackers’ go-to spot for cryptomining.
  • The group uses different tactics and techniques to mask its activities and avoid detection, such as using a blocklist to avoid tripping over honeypots.
  • Further, the attackers have been using the Tsunami IRC bot (used as a backdoor), one of the earliest IoT botnets whose origin dates back to 2001. 
  • Hackers use the IRC protocol for C2 communication.

Attack tactics

The source IP address used for the attack was a compromised Apache server hosted on a cloud provider. The IP address sent scripted commands to Radware's Redis honeypot.
  • These commands (cron jobs) are used to download, install, and run a shell script, a Python script (d[.]py), a cryptominer (PwnRig), and the Tsunami IRC bot on the system running Redis.
  • PwnRig used by attackers would slow down systems using CPU/GPU resources. It causes devices to consume more resources, which results in increased invoices.
  • Once infected, the same access is used to install other types of malware, such as keyloggers or RATs. 
  • All are used to perform various malicious activities including stealing sensitive details, gaining unauthorized access, and even deploying ransomware.

Further, the Tsunami IRC bot has support for four different types of denial-of-service attacks, such as SYN and UDP floods, which could result in financial losses for a victim organization.


The recent attacks by Chinese 8220 Gang reflect insecurity around cloud environments and insecure applications. Those with weaker credentials or missing patches are at greater risk. Thus, organizations' defense should include state-of-the-art security controls and incident response capabilities for mitigation purposes.
Cyware Publisher