Hadooken

Hadooken is a malware variant used by the China-based 8220 Gang to target vulnerable cloud environments and hijack system resources for cryptomining. It has been observed in opportunistic campaigns against both Windows and Linux systems, notably through exploitation of Oracle WebLogic vulnerabilities including CVE-2017-10271 and CVE-2020-14883. The infection chain uses WebLogic exploitation to execute scripts that download loaders and install cryptomining malware, with activity mirroring attack chains previously observed on WebLogic servers.

Hadooken shares infection routines and infrastructure with K4Spreader, suggesting both are operated by the same threat actor. Its behavior includes disabling cloud protection tools, terminating competing cryptominers on compromised hosts, and spreading laterally via SSH brute force. The attackers’ objective is to establish persistence and deploy cryptominers to mine Monero, including through a private mining pool. Shared infrastructure includes use of the sck-dns[.]cc domain to download a malicious script named "c" for persistence; mining-related infrastructure also includes run.on-demand[.]pw.

The broader intrusion chain associated with Hadooken has also involved delivery of the Tsunami backdoor, which provides remote control and botnet capability over IRC. The campaign is described as heavily focused on cloud hosting services, with many compromised IPs in Oracle Cloud and targeting concentrated in Asia and South America.