From the Front Lines | 8220 Gang Massively Expands Cloud Botnet to 30,000 Infected Hosts

Over the last month a crimeware group best known as 8220 Gang has expanded their botnet to roughly 30,000 hosts globally through Linux vulnerabilities and poorly secured configurations. The infection script, IRC botnet, and updated PwnRig cryptocurrency miner illustrate a simple, repeatable toolkit used to grow and monetize cloud-host infections. #8220Gang #PwnRig

Keypoints

  • 8220 Gang expanded its cloud botnet to ~30,000 infected hosts globally, up from about 2,000 in 2021.
  • Targets are cloud-hosted Linux services (Docker, Confluence, Redis, Apache WebLogic, etc.) exposed to the internet, with SSH brute-forcing used for propagation.
  • The infection script is modular, performing victim prep/cleanup, botnet/miner deployment, SSH lateral movement, and SSH key collection.
  • The group uses evolving tooling (e.g., Spirit for SSH brute forcing and block lists to dodge honeypots) to facilitate campaigns.
  • PwnRig is an updated XMRig-based miner; recent versions use deceptive mining-pool references (e.g., fbi.gov.br) that ride on a real Brazilian government domain footprint.
  • Infections are opportunistic, not geographically targeted, focusing on internet-accessible hosts running Docker, Confluence, Apache WebLogic, and Redis.
  • IoCs (hashes, domains, and IPs) are extensive and publicly listed, underscoring the campaign’s widespread infrastructure.

MITRE Techniques

  • [T1110] Brute Force – ‘SSH brute forcing post-infection to automate local and global spreading attempts.’
  • [T1021.004] Remote Services: SSH – ‘Internal network SSH scanner with lateral spreading capability.’
  • [T1105] Ingress Tool Transfer – ‘Infection script acts as the main code for the botnet to operate.’
  • [T1496] Resource Hijacking – ‘PwnRig cryptocurrency miner execution.’
  • [T1552.001] Private Keys – ‘Local SSH key collection, connectivity testing, and lateral spreading.’

Indicators of Compromise

  • [Hash] Infection script / associated scripts – 165f188b915b270d17f0c8b5614e8b289d2a36e2, a018d55214cf51f951dc5758fa818a45323db8d8 and 2 more hashes
  • [Domain] C2/Download domains – onlypirate.top, jira.onlypirate.top and 2 more domains
  • [Domain] C2/Download domains – letmaker.top, jira.letmaker.top and 2 more domains
  • [Domain] C2/Download domains – oracleservice.top, a.oracleservice.top, b.oracleservice.top, pwn.oracleservice.top
  • [Domain] IRC Botnet / Tooling Domain – pwndns.pw
  • [Domain] C2/Download domains – givemexyz.in, givemexyz.xyz
  • [Domain] IRC Botnet / Tooling Domain – bashgo.pw
  • [IP] IRC Botnet Server (Shared Infrastructure) – 51.255.171.23, 159.203.103.62
  • [Filename] Infection script file – jira (downloaded filename) and local ‘.lock’
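The SSH brute-forcing described under T1110 and the C2/IRC domains and IPs listed above suggest two cheap host-side checks: a suffix-aware sweep of DNS query logs for the listed domains (including any subdomain), and a failed-login counter over sshd logs. The following is an added defender-side example, not code from the SentinelOne post or from 8220 Gang tooling; the domains and IPs are the ones in this summary, the dnsmasq- and sshd-style log lines are constructed for illustration, and the log formats are assumed.

```python
"""IoC sweep and SSH brute-force detection over constructed log samples.

Hypothetical example, not from the SentinelOne post or the campaign's tooling.
Domains/IPs are the ones listed in this summary; the log lines are constructed.
"""
import re
from collections import Counter

# Domains listed on the page; matching also covers their subdomains.
IOC_DOMAINS = {
    "onlypirate.top", "letmaker.top", "oracleservice.top",
    "pwndns.pw", "givemexyz.in", "givemexyz.xyz", "bashgo.pw",
}
# IRC botnet server IPs listed on the page.
IOC_IPS = {"51.255.171.23", "159.203.103.62"}


def domain_matches_ioc(name: str) -> bool:
    """True if name equals an IoC domain or is a subdomain of one.

    Suffix matching on a dot boundary avoids substring false positives such as
    'oracleservice.top.example.net'.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


# Constructed dnsmasq-style query log (assumed format, not real traffic).
DNS_LOG = """\
Jul 10 09:01:02 dnsmasq[812]: query[A] jira.onlypirate.top from 10.0.0.5
Jul 10 09:01:03 dnsmasq[812]: query[A] updates.example.org from 10.0.0.5
Jul 10 09:02:11 dnsmasq[812]: query[A] pwn.oracleservice.top from 10.0.0.9
Jul 10 09:02:12 dnsmasq[812]: query[A] oracleservice.top.example.net from 10.0.0.9
"""

DNS_RE = re.compile(r"query\[\w+\]\s+(\S+)\s+from\s+(\S+)")


def sweep_dns_log(text: str) -> list[tuple[str, str]]:
    """Return (client_ip, queried_name) pairs whose name hits an IoC domain."""
    hits = []
    for line in text.splitlines():
        m = DNS_RE.search(line)
        if m and domain_matches_ioc(m.group(1)):
            hits.append((m.group(2), m.group(1)))
    return hits


# Constructed OpenSSH auth log (assumed sshd wording for failed logins).
AUTH_LOG = """\
Jul 10 09:05:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jul 10 09:05:02 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 40130 ssh2
Jul 10 09:05:02 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 40131 ssh2
Jul 10 09:05:03 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 40140 ssh2
Jul 10 09:05:04 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 40145 ssh2
Jul 10 09:05:05 web1 sshd[2211]: Accepted publickey for deploy from 198.51.100.4 port 50011 ssh2
Jul 10 09:05:09 web1 sshd[2213]: Failed password for root from 198.51.100.4 port 50020 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)"
)


def detect_ssh_bruteforce(text: str, threshold: int = 5) -> dict[str, int]:
    """Return source IPs with at least `threshold` failed SSH logins."""
    failures: Counter = Counter()
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def ip_matches_ioc(ip: str) -> bool:
    """True if ip is one of the listed IRC botnet server addresses."""
    return ip in IOC_IPS


if __name__ == "__main__":
    for client, name in sweep_dns_log(DNS_LOG):
        print(f"IoC domain lookup: {client} -> {name}")
    for ip, n in detect_ssh_bruteforce(AUTH_LOG).items():
        print(f"SSH brute-force candidate: {ip} ({n} failures)")
```

The threshold of five failures in one sample is deliberately low to keep the example small; in production it should be applied over a time window and combined with the IoC IP check, since a host that both fails many SSH logins and resolves one of the listed domains is a much stronger signal than either alone.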

Read more: https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/