Microsoft has warned that the Chinese-speaking 8220 gang has updated its malware campaign aimed at infecting Linux servers with cryptomining malware, ZDNet reports. Aside from leveraging RCE exploits for a critical Atlassian Confluence Server and Data Center vulnerability, tracked as CVE-2022-26134, as well as a WebLogic flaw, tracked as CVE-2019-2725 for initial access, the latest campaign also involved the use of a new version of the pwnRig cryptominer and an IRC bot, according to Microsoft's Security Intelligence Center. Attackers have been downloading a loader for configuration changes to facilitate security service deactivation, cryptominer downloads, and network persistence, said the report. "The loader uses the IP port scanner tool "masscan" to find other SSH servers in the network, and then uses the GoLang-based SSH brute force tool "spirit" to propagate. It also scans the local disk for SSH keys to move laterally by connecting to known hosts," said Microsoft, which recommended the activation of Defender for Endpoint tamper protection settings to curb such an attack.