Chinese 8220 Gang targets public clouds and vulnerable applications

Radware has issued a threat advisory about a for-profit threat group from China called the 8220 Gang. Also known as 8220 Mining Group, the gang rolled into the New Year targeting public cloud environments and poorly secured applications, using a custom-built crypto miner and IRC bot.


The 8220 Gang is known to use a variety of tactics and techniques to hide their activities and evade detection. But it is not perfect and was caught attempting to infect one of Radware’s Redis honeypots.

According to the 2022 Radware Threat Report, Redis was the fourth most scanned and exploited TCP port in Radware’s Global Deception Network in 2022, up from the 10th position in 2021.


According to Daniel Smith, head of research of cyber threat intelligence at Radware, “The threat to cloud environments and insecure applications continues to pose risks to organizations around the world, especially those that use weak credentials or do not patch vulnerabilities immediately.  Because of poor security hygiene, low-skilled groups like the 8220 Gang are able to cause a significant impact to targeted systems.”


Why it matters

  • It is not the first time Redis is subject to exploit activity by malicious gangs. Redis gained a lot of popularity among the criminal community in 2022 and is one of the services that should be looked after and not be exposed to the internet if not required.
  • The main objective of the 8220 Gang is to compromise poorly secured cloud servers with a custom-built crypto miner and a Tsunami IRC bot, leaving companies to deal with the fallout:
    • The main concern with crypto mining malware is that it can significantly impact a system’s performance. But it can also expose systems to additional security risks. Once infected, threat actors can use the same access to install other types of malware, such as keyloggers or remote access tools, which can subsequently be leveraged to steal sensitive information, gain unauthorized access to sensitive data, or deploy ransomware and wipers.
    • The Tsunami IRC is a bot used as backdoor, allowing the threat actors to remotely control systems and launch distributed denial-of-service (DDoS) attacks.
  • Many organizations have limited visibility, making it more difficult for security and network operations to detect and respond to security threats.
  • Public cloud providers offer limited security controls, making it easier for threat actors to find and exploit vulnerabilities.

What’s next?

For more details, see Radware’s threat advisory.