
8220 Gang Continues to Evolve With Each New Campaign

Blog post from Sysdig

Post Details
Author: Crystal Morin
Word Count: 1,152
Language: English
Summary

The 8220 Gang, initially perceived as a group of "script kiddies," has continued to evolve its tactics, techniques, and procedures (TTPs) since its first identification in 2017, primarily to conduct cryptojacking campaigns. Known for adopting and modifying strategies and tools from other cybercriminal groups such as TeamTNT and Rocke Group, the gang has improved its methods to evade detection and enhance persistence. Key developments in their recent campaigns include the use of a forked XMRig variant, PwnRig, and the implementation of new techniques such as using PureCrypter Malware-as-a-Service, shifting command and control (C2) infrastructure, and employing advanced defense evasion tactics like base64-encoded Python scripts. Despite their reputation for unoriginality, the gang's ability to update its approach indicates a growing sophistication, though it still relies heavily on exploiting vulnerable public-facing applications and misconfigurations in cloud environments.