216.73.217.22

Mining Gang's New Tool: k4spreader

· Published 02/07/2024 08:22 · Modified 02/07/2024 08:50

Export JSON

Essential information

Published
02/07/2024 08:22
Modified
02/07/2024 08:50
Tags
2024-07-02 botnet k4spreader mining pwnrig spreader tsunami
Related entities
35 observables, 1 intrusion sets (apt), 7 techniques (mitre), 3 malware

Description

QIanxin describes the discovery and analysis of , a new malware installer and tool developed by the 8220 gang. is written in cgo and implements system persistence, self-updating, and releasing other malware like the and miner. The tool is still in early development with three versions observed so far.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (35)

  • 167.114.114.169
  • 51.255.171.23
  • 185.172.128.146
  • http://run.sck-dns.cc/sys/index.php
  • http://run.sck-dns.ws/sys/index.php
  • http://run.on-demand.pw:8080
  • http://run.on-demand.pw:80
  • http://run.on-demand.pw:443
  • http://fbi.su1001-2.top:8080
  • http://fbi.su1001-2.top:80
  • http://fbi.su1001-2.top:443
  • http://185.172.128.146:443/d.py
  • http://185.172.128.146:443/bin.64
  • http://185.172.128.146:443/bi.64
  • http://185.172.128.146:443/bin
  • http://185.172.128.146/d.py
  • run.sck-dns.ws
  • run.sck-dns.cc
  • run.on-demand.pw
  • pwn.oracleservice.top
  • dw.c4kdeliver.top
  • c4k-ircd.pwndns.pw
  • syslog.target
  • network.target
  • multi-user.target
  • network-online.target
  • fbi.su1001-2.top
  • a980b1b0387534da7c9a321f7d450c02087f7a8445fc86b77785da0c510bbaa8
  • 7bade55726a3a6e86d809836d1bc43f4f7702ecde9ceed80a09876c2efeff8d4
  • 31fd924b9a5747befdf61c03b02c90d3c2ba93c8e1a9f798e6dfefe23767e1ae
  • 20d08d27631ae9bab8f3cb7cddd9b35fb75e5bee5764072f77ac3b4513307838
  • f998aeb84da8b84723ca9fdbdeb565dbc7938bd0a0ce5f0981307b3e24bdf712
  • 0897b1d3e3e453c160bf8d28a041eee3bd29e43a6f063faed7d3cb83a86b88cc
  • e2c3e81aa24b20ac71147340adc1eaedf077ad00e4a2359e3db47b166cf5411a
  • 0013b356966c3d693b253cdf00c7fdf698890c9b75605be07128cac446904ad9

Intrusion sets (APT) (1)

  • 8220 Mining Gang
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 05:44 · Modified 21/12/2025 05:44

Techniques (MITRE) (7)

  • T1060
  • T1197
    T1197
  • T1189
    Drive-by Compromise
  • T1055
    Process Injection
  • T1140
    Deobfuscate/Decode Files or Information
  • T1195
    Supply Chain Compromise
  • T1059
    Command and Scripting Interpreter

Malware (3)

  • PwnRig
    Family
    Published 01/10/2024 10:08 · Modified 01/10/2024 10:08
  • K4Spreader
    Family
    Published 01/10/2024 10:08 · Modified 01/10/2024 10:08
  • Tsunami
    Family
    Published 14/04/2026 08:54 · Modified 14/04/2026 08:54

External references