Hadooken and K4Spreader: The 8220 Gang's Latest Arsenal

SUMMARY :

This analysis uncovers a significant infection chain targeting Windows and Linux systems through Oracle WebLogic vulnerabilities. The attackers, likely the 8220 Gang, exploit CVE-2017-10271 and CVE-2020-14883 to deploy malware including K4Spreader, Tsunami backdoor, and cryptominers. The infection routine differs slightly between Windows and Linux systems but ultimately aims to mine Monero cryptocurrency. The campaign shares many similarities with the previously reported Hadooken case, including attack vectors, payloads, and infrastructure. Victim analysis reveals a focus on cloud environments, particularly in Asia and South America, with 200-250 compromised machines observed. The evolving tactics and global reach of the 8220 Gang highlight their ongoing threat to vulnerable cloud systems.

OPENCTI LABELS :

china,brazil,botnet,cryptomining,tsunami,pwnrig,k4spreader,weblogic,hadooken,cve-2017-10271,cve-2020-14883


Open in NetmanageIT OpenCTI Public Instance with below link!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


Hadooken and K4Spreader: The 8220 Gang's Latest Arsenal