Why You Shouldn't Use Microsoft Windows11.


LMDE5 - Linux Mint Debian Edition.

LMDE5 -...

Why Should I Not Use Windows10?

Here are a...

Cryptomining gang 8220 exploits Linux and cloud app vulnerabilities


Cryptomining gang 8220 exploits Linux and cloud app vulnerabilities.

The gang that has been active since 2017 is considered low-skilled and focuses on infecting AWS, Azure, GCP, Alitun and QCloud hosts after targeting publicly available systems running vulnerable versions of Apache, Confluence, Docker and Redis.

This gang leverages Pastebin sites, Git repositories and malicious Docker images. The group targets Drupal, Hadoop YARN and Apache Struts2.

How they infect your system:

  • Using malicious shell scripts masquerading as JPEG files with the name "logo*.jpg" that install cron jobs and download and execute miners.
  • The use of variants of the open-source miner XMRig intended for botnet mining, with versions dependent on the victim's architecture.
  • Scanning for and attempting to exploit recently published vulnerabilities in servers such as Apache Struts2, Oracle WebLogic and Drupal.
  • Malicious scripts and malware hosted on Pastebin sites, Git repositories and domains with .tk TLDs.
  • Tools such as XHide Process Faker, which can hide or change the name of Linux processes and PyInstaller, which can convert Python scripts into executables.

The Chinese gang has successfully expanded their botnet to 30.000 hosts globally making use of a new version of the IRC botnet, PwnRig cryptocurrency miner and its generic infection script. They focus on mining "Monero", which has lost over 20% of its value over the past six months.

The name 8220 originates from the groups original use of port 8220 for the C2 network communications.

"Victims of 8220 Gang are typically, but not exclusively, users of cloud networks operating vulnerable and misconfigured Linux applications and services. Attacks make use of SSH brute forcing post-infection to automate local and global spreading attempts. Victims using cloud infrastructure (AWS, Azure, GCP,  Aliyun, QCloud) are often infected via publicly accessible hosts running Docker, Confluence, Apache WebLogic, and Redis. Victims are not targeted geographically, but simply identified by their internet accessibility." Sentinel One writes.

The group uses a separate and dedicated file "Spirit" for the management of the SSH brute forcing step, which contains 450 hardcoded credentials corresponding to a broad range of Linux devices and apps.

Plus they make use of block lists in the script to exclude specific hosts from infections, mostly honeypots that have been set up by security researchers.

The only way to stay safe is to always keep your systems up-to-date and configured in a secure and correct way. Remember to take snapshots / backups of critical systems.


Help us by donating a small amount

If you find this site helpful, please consider donating a small amount.
Please use our contact us form and we will give you the relevant information to make a donation.
We accept BitCoin and ZCash at the moment.

Games For Linux

Windows has always been the preferred platform for gaming, but after STEAM's interest in Linux more game developers are making their games natively available for Linux.


All information on this website is published in good faith and for general educational purposes and for use in safe testing environments only. While linuxexperten.com strives to make the information on this site as accurate as possible, linuxexperten.com does not warrant its completeness, reliability and accuracy.

We are not responsible for any losses or damages associated with the use of our website. While we strive to provide only links to useful websites, we have no control over the content of these sites and links to other sites do not constitute a recommendation for all content contained on these websites.


Site Information

This is a professional review site that receives compensation from the companies whose products reviewed. Each service or product are thoroughly tested and given high marks if considered to be the very best. Independently owned and the opinions expressed here are no one elses.


Limited Time Offers

NordVPN + 3 Months