{"id":51926,"date":"2023-05-16T00:00:00","date_gmt":"2023-05-16T00:00:00","guid":{"rendered":"urn:uuid:6409cd2c-1f2c-1273-1638-9ef9c5e56ff3"},"modified":"2023-05-16T00:00:00","modified_gmt":"2023-05-16T00:00:00","slug":"8220-gang-evolves-with-new-strategies","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/8220-gang-evolves-with-new-strategies\/","title":{"rendered":"8220 Gang Evolves With New Strategies"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/cover-8220-gang-evolution-new-strategies-adapted-campaigns.jpg\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.378711740521\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"938643761\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"10.244594594595\">\n<div class=\"article-details\" role=\"heading\" readability=\"40.002702702703\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Exploits &amp; Vulnerabilities<\/p>\n<p class=\"article-details__description\">We observed the threat actor group known as \u201c8220 Gang\u201d employing new strategies for their respective campaigns, including exploits for the Linux utility \u201clwp-download\u201d and CVE-2017-3506, an Oracle WebLogic vulnerability.<\/p>\n<p class=\"article-details__author-by\">By: Sunil Bharti <time class=\"article-details__date\">May 16, 2023<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"38.633992094862\">\n<div readability=\"25.441897233202\">\n<p><a 
href=\"https:\/\/www.radware.com\/security\/ddos-threats-attacks\/threat-advisories-attack-reports\/the-8220-gang-targeting-cloud-providers\/\">8220 Gang<\/a> (also known as \u201c8220 Mining Group,\u201d derived from their use of <a href=\"https:\/\/sysdig.com\/blog\/8220-gang-continues-to-evolve\/\">port 8220<\/a> for command and control or C&amp;C communications exchange) has been active since <a href=\"https:\/\/blog.talosintelligence.com\/cryptomining-campaigns-2018\/\">2017<\/a> and continues to scan for vulnerable applications in cloud and container environments. Researchers have documented this group targeting Oracle WebLogic, Apache <a href=\"https:\/\/asec.ahnlab.com\/en\/51568\/\">Log4j<\/a>, Atlassian Confluence <a href=\"https:\/\/asec.ahnlab.com\/en\/36820\/\">vulnerabilities<\/a>, and misconfigured Docker containers to deploy cryptocurrency miners in both Linux and Microsoft Windows hosts. The group was documented to have used Tsunami malware, XMRIG cryptominer, masscan, and spirit, among other tools in their campaigns.<\/p>\n<p>Looking at other researchers\u2019 documentation on the gang\u2019s recent activities, it appears as if the threat actor has been <a href=\"https:\/\/sysdig.com\/blog\/8220-gang-continues-to-evolve\/\">active<\/a> in <a href=\"https:\/\/cyware.com\/news\/8220-gang-uses-new-scrubcrypt-crypter-to-evade-detection-8ec824a9\">recent<\/a> <a href=\"https:\/\/www.sentinelone.com\/blog\/soc-team-essentials-how-to-investigate-and-track-the-8220-gang-cloud-threat\/\">months<\/a>. This article explores a recent attack observed exploiting the Oracle WebLogic vulnerability <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-3506\">CVE-2017-3506<\/a> captured by one of our honeypots. 
This vulnerability, with a CVSS score of 7.4, impacts the WLS Security Component of Oracle WebLogic, and when exploited can enable attackers to execute arbitrary commands through an HTTP request remotely with a specifically crafted XML document. This allows attackers to gain unauthorised access to sensitive data or compromise the entire system.<\/p>\n<p><span class=\"body-subhead-title\">Entry point<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/the-8220-gangs-evolution-new-strategies-adapted\/figure1-8220-gang-new-strategies-linux-oracle-weblogic.jpg\" alt=\"fig1-8220-gang-evolution-new-startegies-adapted-campaign\"><figcaption>Figure 1. Exploiting CVE-2017-3506<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>Attackers exploited the HTTP URI (Uniform Resource Identifier) <i>&#8220;wls-wsat\/CoordinatorPortType&#8221;<\/i> as an entry point to target an Oracle WebLogic server leveraging the CVE-2017-3506 vulnerability.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/the-8220-gangs-evolution-new-strategies-adapted\/figure2-8220-gang-new-strategies-linux-oracle-weblogic.png\" alt=\"fig2-8220-gang-evolves-new-strategies\"><figcaption>Figure 2. Post request to vulnerable resource <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.333802816901\">\n<div readability=\"13.52676056338\">\n<p>On entry, 8220 Gang delivered a PowerShell script that downloads and creates other dropper files using the said six-year old vulnerability. 
In recent attacks, we also observed the group using \u201c<a href=\"https:\/\/linux.die.net\/man\/1\/lwp-download\">lwp-download<\/a>,\u201d a Linux utility for downloading a file specified by the URL. In this entry, we observed the use of this utility also targeting Windows systems.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/the-8220-gangs-evolution-new-strategies-adapted\/figure3-8220-gang-new-strategies-linux-oracle-weblogic.png\" alt=\"fig3-8220-gang-evolves-new-strategies\"><figcaption>Figure 3. Use of the lwp-download utility<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p><span class=\"body-subhead-title\">Infection routine<\/span><\/p>\n<p>The attack payload executes a PowerShell command encoded using Base64. Upon decoding, it executes a command that opens a hidden PowerShell window (<i>-NonI -W Hidden<\/i>) with no profile loaded (<i>-NoP<\/i>), and bypasses execution policies (<i>-Exec Bypass<\/i>). The decoded command downloads and executes a PowerShell script from <i>http[:]\/\/185[.]17[.]0[.]199\/bypass.ps1<\/i> without displaying any visible output to the user. (Note that the IOC list at the end of this article gives this host as <i>185[.]17[.]0[.]19<\/i>; the two values differ, so confirm the address against the original report before using it for detection or blocking.) The Base64-encoded string downloads a PowerShell script \u201c<i>bypass.ps1.<\/i>\u201d<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/the-8220-gangs-evolution-new-strategies-adapted\/figure4-8220-gang-new-strategies-linux-oracle-weblogic.png\" alt=\"fig4-8220-gang-evolves-new-strategies\"><figcaption>Figure 4. 
Attack payload<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/the-8220-gangs-evolution-new-strategies-adapted\/figure5-8220-gang-new-strategies-linux-oracle-weblogic.png\" alt=\"fig5-8220-gang-evolves-new-strategies\"><figcaption>Figure 5. URL after Base64 decoding<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<p><b>Analysis of bypass.ps1<\/b><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/the-8220-gangs-evolution-new-strategies-adapted\/figure6-8220-gang-new-strategies-linux-oracle-weblogic.jpg\" alt=\"fig6-8220-gang-evolves-new-strategies\"><figcaption>Figure 6. Process flow of bypass.ps1 <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The PowerShell script decodes multiple Base64-encoded byte arrays to create another obfuscated PowerShell script in memory and executes it using \u201ciex<i>\u201d <\/i>(Invoke-Expression) commandlet.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/the-8220-gangs-evolution-new-strategies-adapted\/figure7-8220-gang-new-strategies-linux-oracle-weblogic.jpg\" alt=\"fig7-8220-gang-evolves-new-strategies\"><figcaption>Figure 7. Contents of the bypass.ps1 PowerShell script<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38.216701902748\">\n<div readability=\"22.538054968288\">\n<p>All the variables assigned to byte arrays contain Base64-encoded strings (in this case, the $c byte array). 
These byte arrays are used later in the script for deobfuscation purposes. Once computation is done for the $cc variable, it stores the decoded value of the $c byte array, which is the PowerShell script that gets executed in memory without writing the script on the disk. The $c byte array is decoded as ASCII and the result is stored in the $cc variable, which is then executed as a PowerShell script.<\/p>\n<p>The new PowerShell script performs the following tasks:<\/p>\n<p>1.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; It disables the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/amsi\/antimalware-scan-interface-portal\">AMSI<\/a> detection. The code sets the value of the \u201camsiInitFailed\u201d field of the &lt;System.Management.Automation.AmsiUtils&gt; class to \u201cTrue\u201d to achieve AMSI unhooking so that no scanning action will be done for the current process. To update the value of \u201camsiInitFailed,\u201d it uses <a href=\"https:\/\/learn.microsoft.com\/en-us\/dotnet\/framework\/reflection-and-codedom\/reflection\">.NET reflection<\/a> to assign a value of \u201cTrue,\u201d as observed in the bypass command.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/the-8220-gangs-evolution-new-strategies-adapted\/figure8-8220-gang-new-strategies-linux-oracle-weblogic.png\" alt=\"fig8-8220-gang-evolves-new-strategies\"><figcaption>Figure 8. 
AMSI detection bypass<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>2.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; After disabling AMSI detection, it defines the path to write the malicious binary file into the Windows \u201ctemp\u201d directory.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/the-8220-gangs-evolution-new-strategies-adapted\/figure9-8220-gang-new-strategies-linux-oracle-weblogic.png\" alt=\"fig9-8220-gang-evolves-new-strategies\"><figcaption>Figure 9. Malicious binary path <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.289156626506\">\n<div readability=\"11.566265060241\">\n<p>3.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Next, it writes the binary file to the path specified in the \u201c$eXE_PaTh\u201d variable. This code section decodes the Base64 string into a byte array, which is a binary code, and uses the .NET class <a href=\"https:\/\/learn.microsoft.com\/en-us\/dotnet\/api\/system.io.file.writeallbytes?view=net-7.0\">System.IO<\/a><i> <\/i>to write the binary file to disk.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/the-8220-gangs-evolution-new-strategies-adapted\/figure10-8220-gang-new-strategies-linux-oracle-weblogic.png\" alt=\"fig10-8220-gang-evolves-new-strategies\"><figcaption>Figure 10. 
Binary file write to disk<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>4.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; At the end of the script, the PowerShell executes the newly written binary file in the Windows \u201ctemp\u201d directory using the \u201c-WindowStyle Hidden\u201d parameter in the command without displaying any user interface.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/the-8220-gangs-evolution-new-strategies-adapted\/figure11-8220-gang-new-strategies-linux-oracle-weblogic.png\" alt=\"fig11-8220-gang-evolves-new-strategies\"><figcaption>Figure 11. Binary execution<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>The file &#8220;<i>Winscp-setup-1867.exe<\/i>&#8221; is responsible for downloading the file &#8220;<i>Ebvjmba.dat<\/i>&#8221; by continuously sending a GET request to its server <i>http[:]\/\/79[.]137[.]203[.]156\/Ebvjmba.dat<\/i>. After executing <i>Winscp-setup-1867.exe<\/i>, a DLL file contacts the file server to download the DAT file dropper from <i>79[.]137[.]203[.]156<\/i>, which is an IP address we determined to be the C&amp;C server. The DLL file uses the <i>.NET<\/i> framework&#8217;s \u201c<i>HttpClient\u201d <\/i>class to send an HTTP GET request to the specified asset URL.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/the-8220-gangs-evolution-new-strategies-adapted\/figure12-8220-gang-new-strategies-linux-oracle-weblogic.png\" alt=\"fig12-8220-gang-evolves-new-strategies\"><figcaption>Figure 12. 
Function that downloads the DAT file, shown as .NET code in the disassembler<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/the-8220-gangs-evolution-new-strategies-adapted\/figure13-8220-gang-new-strategies-linux-oracle-weblogic.png\" alt=\"fig13-8220-gang-evolves-new-strategies\"><figcaption>Figure 13. Network traffic capture of file download <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>This dropper contains only a Base64-encoded string of binary code stored in reverse to evade detection.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/the-8220-gangs-evolution-new-strategies-adapted\/figure14-8220-gang-new-strategies-linux-oracle-weblogic.jpg\" alt=\"fig14-8220-gang-evolves-new-strategies\"><figcaption>Figure 14. Binary in reverse (top) and when decoded (bottom)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/the-8220-gangs-evolution-new-strategies-adapted\/figure15-8220-gang-new-strategies-linux-oracle-weblogic.png\" alt=\"fig15-8220-gang-evolves-new-strategies\"><figcaption>Figure 15. Function reversing the byte array to form the correct binary<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>The newly created .dll<i> <\/i>file is an encrypted resource file that is injected into the MSBuild process. The file is meticulously obfuscated, adding an extra layer of complexity for analysts. 
After inspecting the process\u2019 memory, we found that the configuration information of the injected payload is Base64-encoded and the new process communicates with one of the three C&amp;Cs using TCP ports 9090, 9091, or 9092 to download a cryptocurrency miner:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><i>179[.]43[.]155[.]202<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>work[.]letmaker[.]top<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>su-94[.]letmaker[.]top<\/i><\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/the-8220-gangs-evolution-new-strategies-adapted\/figure16-8220-gang-new-strategies-linux-oracle-weblogic.png\" alt=\"fig16-8220-gang-evolves-new-strategies\"><figcaption>Figure 16. Process injection into msbuild.exe. Screenshot taken with Trend Vision One\u2122<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"49.107769423559\">\n<div readability=\"44.731829573935\">\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>lwp-download is a Linux utility present in a number of platforms by default, and 8220 Gang making this a part of any malware routine can affect a number of services even if it were reused more than once. Considering the threat actor\u2019s tendency to reuse tools for different campaigns and abuse legitimate tools as part of the arsenal, organizations\u2019 security teams might be challenged to find other detection and blocking solutions to fend off attacks that abuse this utility.<\/p>\n<p>Abuse of lwp-download might be expected in the short term for compromise and targeting of other platforms. Despite reusing old tools and C&amp;C servers, the gang has started targeting Windows systems, and using new file and C&amp;C servers to evade previous detections. 
Moreover, while it would also initially seem counterintuitive to use a six-year-old security gap in an attack, the malicious actor\u2019s scanning activity could have shown systems still vulnerable to the exploit.<\/p>\n<p>Considering these developments, we find 8220 Gang as a threat to be reckoned with despite other researchers describing them as \u201clow-level script kiddies,\u201d and that organizations still have to work on catching up when it comes to updating their security systems. In the group\u2019s previous deployments, earlier scripts they used were simple,&nbsp;unable to evade detection, and were easy to analyze. Over time, it included significantly damaging pieces of malware (such as Tsunami malware) in respective campaigns. We will continue monitoring this group and their respective deployments for analysis, detection, and blocking.<\/p>\n<p><span class=\"body-subhead-title\">Trend Micro solutions<\/span><\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/endpoint-security.html\">Trend Cloud One\u2122 &#8211; Endpoint Security<\/a> and <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/hybrid-cloud\/cloud-one-workload-security.html\">Workload Security<\/a> protect endpoints, servers, and cloud workloads through unified visibility, management, and role-based access control. 
These services provide specialized security optimized for your diverse endpoint and cloud environments, which eliminate the cost and complexity of multiple point solutions.<\/p>\n<p><span class=\"body-subhead-title\">Indicators of Compromise (IOCs)<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<p><b>URLs and IPs<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">http[:]\/\/79[.]137[.]203[.]156\/Ebvjmba.dat<\/span><\/li>\n<li><span class=\"rte-red-bullet\">http[:]\/\/185[.]17[.]0[.]19\/bypass.ps1<\/span><\/li>\n<li><span class=\"rte-red-bullet\">http[:]\/\/185[.]17[.]0[.]19\/Nmfwg.png<\/span><\/li>\n<li><span class=\"rte-red-bullet\">185[.]17[.]0[.]19<\/span><\/li>\n<li><span class=\"rte-red-bullet\">194[.]38[.]23[.]170<\/span><\/li>\n<li><span class=\"rte-red-bullet\">201[.]71[.]165[.]153<\/span><\/li>\n<li><span class=\"rte-red-bullet\">179[.]43[.]155[.]202<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Work[.]letmaker[.]top<\/span><\/li>\n<li><span class=\"rte-red-bullet\">su-94[.]letmaker[.]top<\/span><\/li>\n<\/ul>\n<p><b>&nbsp;<\/b><\/p>\n<p><span class=\"body-subhead-title\">MITRE ATT&amp;CK<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/e\/the-8220-gangs-evolution-new-strategies-adapted\/Mitre-Table-8220-gang-new-strategies-linux-oracle-weblogic.png\" alt=\"mitre-table-8220-gang-evolves-new-strategies\"> <\/figure>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a 
href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/e\/8220-gang-evolution-new-strategies-adapted.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We observed the threat actor group known as \u201c8220 Gang\u201d employing new strategies for their respective campaigns, including exploits for the Linux utility \u201clwp-download\u201d and CVE-2017-3506, an Oracle WebLogic vulnerability. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":51927,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9521,9511,9508,9555,9513,9523],"class_list":["post-51926","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-crime","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-endpoints","tag-trend-micro-research-exploitsvulnerabilities","tag-trend-micro-research-malware","tag-trend-micro-research-network"],"yoast_head":"<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"8220 Gang Evolves With New Strategies 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/8220-gang-evolves-with-new-strategies\/","og_locale":"en_US","og_type":"article","og_title":"8220 Gang Evolves With New Strategies 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/8220-gang-evolves-with-new-strategies\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-05-16T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/cover-8220-gang-evolution-new-strategies-adapted-campaigns.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/8220-gang-evolves-with-new-strategies\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/8220-gang-evolves-with-new-strategies\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"8220 Gang Evolves With New Strategies","datePublished":"2023-05-16T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/8220-gang-evolves-with-new-strategies\/"},"wordCount":1298,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/8220-gang-evolves-with-new-strategies\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/05\/8220-gang-evolves-with-new-strategies.jpg","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Crime","Trend Micro Research : Cyber Threats","Trend Micro Research : Endpoints","Trend Micro Research : Exploits&amp;Vulnerabilities","Trend Micro Research : Malware","Trend Micro Research : Network"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/8220-gang-evolves-with-new-strategies\/","url":"https:\/\/www.threatshub.org\/blog\/8220-gang-evolves-with-new-strategies\/","name":"8220 Gang Evolves With New Strategies 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/8220-gang-evolves-with-new-strategies\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/8220-gang-evolves-with-new-strategies\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/05\/8220-gang-evolves-with-new-strategies.jpg","datePublished":"2023-05-16T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/8220-gang-evolves-with-new-strategies\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/8220-gang-evolves-with-new-strategies\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/8220-gang-evolves-with-new-strategies\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/05\/8220-gang-evolves-with-new-strategies.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/05\/8220-gang-evolves-with-new-strategies.jpg","width":954,"height":675},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/8220-gang-evolves-with-new-strategies\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"8220 Gang Evolves With New Strategies"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat 
Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH 
Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/51926","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=51926"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/51926\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/51927"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=51926"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=51926"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=51926"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}