Skip to content

Affected Systems: Linux, cloud networks and applications.

Date Discovered: New campaigns to expand the botnet from the gang have been seen running this month (July 2022), however, their botnet has existed since roughly 2021.


The 8220 Gang, which has been in operation for several years, has been spotted recently operating a massive surge in operations to bring its botnet up to an estimated size of 30,000 hosts.

According to SentinelOne “Victims of 8220 Gang are typically, but not exclusively, users of cloud networks operating vulnerable and misconfigured Linux applications and services”. They added that victims using cloud-based infrastructure were often infected via publicly available hosts running Apache WebLogic, Docker, Confluence, and Redis.

Once infected, devices have a cryptocurrency miner known as PwnRig installed and executed.


As many of the hosts of this botnet are infected via known vulnerabilities, one of the best preventions is to keep all services regularly updated and to have a firewall and antivirus running on your system.

Watching out for tell-tale signs of a cryptominer on your systems, such as a significant drop in performance or reduced battery life, can help you quickly detect if a cryptominer has taken place on your system.

Indicators of compromise for this botnet can be found here.

Related Links: