Hadooken and K4Spreader: The 8220 Gang’s Latest Arsenal
ID: 914f1735-9dbb-5844-a4bb-6cef7eecbc69
STIX ID: report--914f1735-9dbb-5844-a4bb-6cef7eecbc69
Feed Name: Sekoia.io Blog
**Executive Summary:** Sekoia TDR observed active exploitation of WebLogic RCE vulnerabilities to deploy K4Spreader/Hadooken, Tsunami, and PwnRig cryptomining malware across Linux and Windows hosts. The activity is linked to the 8220 Gang by shared IOCs (domains, IPs, and a Monero wallet). Approximately 200–250 infected hosts were observed, and persistence, lateral movement, AMSI bypass, and mining proxy infrastructure are documented.
