Lax Security Fuels Massive 8220 Gang Botnet Army Surge

The threat group 8220 Gang's cryptocurrency miner and botnet reach has exploded to 30,000 global hosts, a notable increase over the past month, researchers say.

Dark Reading Staff, Dark Reading

July 20, 2022

1 Min Read
software code intended to illustrate a malicious botnet attack
Source: Hotaik Sung via Alamy

Leveraging little more than Linux bugs, common cloud application vulnerabilities, and misconfigurations, the 8220 Gang has been able to use its latest IRC botnet to infect more than 30,000 hosts with their PwnRig cryptominer.

Researchers with SentinelOne reported observing this noteworthy increase in the number of infected hosts over the course of just the past month. In mid-2021, the analysts said the malicious botnet was running on just 2,000 hosts worldwide.

The 8220 Gang gets its name from its original command-and-control communications port choice:8220.

"Over the past few years, 8220 Gang has slowly evolved their simple, yet effective, Linux infection scripts to expand a botnet and illicit cryptocurrency miner," the cloud botnet security warning explained. "From our observations, the group has made changes over the recent weeks to expand the botnet to nearly 30,000 victims globally."

Patching and better password hygiene would prevent most infections, researchers noted.

The report includes indicators of compromise (IoCs).

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights