{
	"id": "addc4e3b-3fa0-4357-9969-ddb59d8cb9f5",
	"created_at": "2026-04-06T01:32:08.106735Z",
	"updated_at": "2026-04-10T03:34:59.837122Z",
	"deleted_at": null,
	"sha1_hash": "07d6c89b969ac75280bcaa8779fb8ae0132b4923",
	"title": "Threat Alert: TeamTNT is Back and Attacking Vulnerable Redis Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2082393,
	"plain_text": "Threat Alert: TeamTNT is Back and Attacking Vulnerable Redis Servers\r\nBy Assaf Morag\r\nPublished: 2020-09-30 · Archived: 2026-04-06 01:23:44 UTC\r\nOver the past few weeks, TeamTNT grabbed headlines after launching several novel attacks against cloud native\r\ninfrastructure. In response, Docker Hub decided to remove TeamTNT’s malicious images from its community and deleted\r\nthe user ‘Hildeteamtnt.’ But just a few days later, TeamTNT reemerged with a catchy logo “Still alive” embedded in their\r\nscripts (although “still standing” by Elton John would have been more clever) and a brand-new Docker Hub account\r\n‘kirito666.’ However, this time they didn’t settle for just swift account swapping, they returned with new and advanced\r\ntechniques.\r\nTeamTNT is now targeting vulnerable Redis servers using S3 buckets and the web service IPlogger as their C2 servers, then\r\ntrying to find Linux user passwords in memory.\r\nLast week we detected a Docker Hub account hosting malicious container images. The account ‘kirito666’ was created on\r\nMay 10, 2019. About a week ago, nine images were uploaded to this account — all the images were identified by Aqua DTA\r\nas malicious. A quick analysis revealed that this account and images are strongly affiliated to TeamTNT. We also discovered\r\nthat one of these images had been used to perform an attack in the wild. Two of those container images in particular are\r\nworth mentioning.\r\n‘Kirito666/pwndockerredis’ attacking Redis servers\r\nThe container image kirito666/pwndockerredis:latest  was designed to launch a two-stage attack. It begins by pulling\r\nand running the container image on a host with the misconfigured Docker API port. The image is designed to search for\r\nhosts with a vulnerable Redis service. 
Then, the second stage of the attack begins on the vulnerable Redis host using\r\npayloads regularly applied by TeamTNT: Tsunami malware, Rekoobe malware, cryptominers, backdoors, Trojans,\r\npassword stealers, etc.\r\nhttps://www.aquasec.com/blog/container-attacks-on-redis-servers/\r\nPage 1 of 10\n\nOn the vulnerable Docker API host\r\nThe container is initiated with a command intended to run the shell script run.sh. When executed, it queries the Shodan API,\r\nsearching for vulnerable Redis hosts, and decompresses two Python files from the tar file PwnDocker_REDIS ( working.py\r\n\u0026 pruefen.py ). The script pruefen.py is based on the GitHub project hackredis, which is designed to attack Redis by\r\nconnecting to the host while running over the RSA keys, inserting the attacker’s RSA key, and establishing an SSH connection\r\nas root with the targeted host.\r\nThe script working.py is based on the GitHub project redisMassExploit and is designed to connect to the Redis hosts and\r\ndownload a shell file onto the Redis host from a remote source.\r\nOn the vulnerable Redis host\r\nAs mentioned above, working.py downloads a file from a remote source, which in this case is TeamTNT’s C2 server\r\n( https[:]//teamtnt[.]red/setit ).\r\nThe downloaded shell script setit contains many encoded (base64) snippets and uncompiled code. 
Its objectives include:\r\nDisabling Tencent Cloud security and Aliyun (Alibaba Cloud) security components.\r\nCleaning security components, temporary files, and cron jobs.\r\nCleaning cryptocurrency mining (MoneroOcean) and malware (such as Kinsing) components.\r\nCleaning the root temp bash by removing “ /root/.tmp00/bash “ and “ /root/.tmp00/bash64 “.\r\nCloning the xmrig git repo (git clone https[:]//github[.]com/xmrig/xmrig /opt/xmrig/ ).\r\nDownloading xmrig from an S3 bucket (Cryptominer, MD5: 8ffdba0c9708f153237aabb7d386d083), if xmrig is\r\nmissing.\r\nUsing an S3 bucket to download the malicious binaries bioset, tshd, and kube (which appear in previous TeamTNT\r\nattacks). Although this bucket is not open to the world, these specific pictures can easily be downloaded. It is unclear\r\nwhether this S3 bucket is owned by TeamTNT or whether the AWS account was hacked and exploited to serve as a C2 server.\r\nThe same S3 bucket is also used as a C2 server as part of the attack with the container image\r\nkirito666/gesichtsrababer:latest.\r\nCompiling bioset, if it isn’t present in a specific path. This is based on a huge encoded (base64) snippet which is\r\ndecoded and compiled. This snippet contains the Bioset code, which includes a few functions designed to launch a\r\nDenial of Service attack, such as SynFlood, NSSynFlood, RandomFlood, etc.\r\nDownloading from a remote source the malicious binary default.jpg (Cryptominer, MD5:\r\n8ffdba0c9708f153237aabb7d386d083 ).\r\nhttp[:]//85[.]214[.]149[.]236[:]443/sugarcrm/themes/default/images/default[.]jpg\r\nOnce decoded, the snippet DEAKTIV is set to download default.jpg from 85[.]214[.]149[.]235\r\nIt appears that this website belongs to a German company and was hacked by TeamTNT. 
These files were used by\r\nTeamTNT in past attacks, so we speculate that this website serves as a C2 server.\r\nSince July 11th, 2020, 42 malicious images were uploaded to this website.\r\nThe script worker.py contains a snippet, left commented out, aimed at downloading a script from a remote source\r\n( http[:]//healthymiami[.]com/userimages/tnt[.]jpg ).\r\nBoth scripts ( tnt.jpg and setit ) do the same thing. It looks like TeamTNT uses them as a fail-safe mechanism\r\nby downloading similar or the same components from different sources. The shell script tnt.jpg is set to download the\r\nmalicious binaries tshd from iplogger (Rekoobe malware, MD5: 5f5599171bfb778a7c7483ffdec18408 ), redis-backup\r\n(Cryptominer, MD5: 9060c99ff97d2e2c59e40eb647afa97d ) and bioset ( MD5: b8568c474fc342621f748a5e03f71667 ).\r\nInterestingly, iplogger is also used as a C2 server in this attack.\r\nFurthermore, this script also contains the Python script punk.py, which is encoded (base64) in one of the snippets. It is\r\ndecoded and saved as the file PU. 
This is a post-exploitation tool designed for network pivoting from a compromised Unix box.\r\nIt collects usernames, SSH keys, and known hosts from a Unix system, then tries to connect via SSH to all the\r\ncombinations found.\r\nTo sum things up, it appears that TeamTNT is trying to execute their own version of an attack against vulnerable Redis ports, similar\r\nto attacks such as RedisWannaMine, or other attacks that were recently covered in the media.\r\n‘kirito666/docbinary’ is set to steal Linux users’ passwords\r\nThe container image kirito666/docbinary:latest has layers containing the following malicious binaries:\r\nkube (Classified by VirusTotal as Tsunami malware, MD5: df386df8c8a376686f788ceff1216f11 );\r\ndocker-update (Classified by VirusTotal as a cryptominer, MD5: 8ffdba0c9708f153237aabb7d386d083 );\r\nbioset (Classified by VirusTotal as Linux malware, MD5: b8568c474fc342621f748a5e03f71667 );\r\ntshd (Classified by VirusTotal as a backdoor, MD5: 48858971bb4f5bcd6a972cbdaabfe9ea ).\r\nIn addition to these components, which appeared in previous attacks by TeamTNT, we found two new zipped files\r\n( mimipenguin and mimipy ). Once unzipped, these files contain the MimiPenguin 2.0 tool, which is set to find the login\r\npassword of a Linux desktop user (this tool is based on CVE-2018-20781). It searches for cleartext credentials in memory\r\nby dumping the process and extracting lines that have a high probability of containing cleartext passwords.\r\nIn Summary\r\nFor several months, TeamTNT built a crypto-mining and DDoS worm designed to steal AWS credentials and target Weave\r\nScope deployments. It appears that TeamTNT is constantly trying new attack vectors, while also experimenting with open\r\nsource tools, proof of concept exploits, and hacking tools. 
In this blog alone, we reported on several new techniques which\r\nTeamTNT is using.\r\nBased on their prompt development cycles, the velocity with which they act, and the adoption rate of new code (developed\r\nby them or others), this is yet another example that organized attackers like TeamTNT are not easily deterred. It’s obvious\r\nthey will persist in their nefarious activities — all the while getting more sophisticated with each new attack.\r\nHowever, this must not discourage organizations like Docker Hub from closing adversaries’ accounts. But it should remind\r\nus of the importance of using CSPM (Cloud Security Posture Management) solutions designed to protect against\r\nmisconfigured settings, like exposed Redis ports, in the cloud. Moreover, you should have a strategy that includes static scanning for\r\nvulnerabilities, dynamic scanning for hidden risks, and complete runtime protection.\r\nApplying the MITRE ATT\u0026CK Framework to the TeamTNT attacks\r\nA summary that maps each component of the attack to the corresponding MITRE ATT\u0026CK framework technique\r\ncategory:\r\nIndicators of Compromise (IOCs):\r\nImage File Name md5 Type\r\nkirito666/docbinary:latest kube df386df8c8a376686f788ceff1216f11 binary\r\nkirito666/docbinary:latest mimipenguin.zip eb2fe5063735a3647cb62423b90202f474671480 zip\r\nkirito666/docbinary:latest mimipy.zip 59d8bfeaeb089864f48d21a290fc3c3265fc28d5 zip\r\nkirito666/docbinary:latest tshd 48858971bb4f5bcd6a972cbdaabfe9ea binary\r\nkirito666/docbinary:latest docker-update 8ffdba0c9708f153237aabb7d386d083 binary\r\nkirito666/docbinary:latest bioset b8568c474fc342621f748a5e03f71667 binary\r\nkirito666/docbinary:latest kube df386df8c8a376686f788ceff1216f11 binary\r\nkirito666/docbinary:latest docktor_binary.sh 2c38d9e96dbb9a44b2465e0d057136e0 bash\r\nkirito666/blackt:latest bins.tar.gz 048dd37235f5933bb146a44a6822dfa3 zip\r\nkirito666/blackt:latest 
bioset b8568c474fc342621f748a5e03f71667 binary\r\nkirito666/blackt:latest kubebot df386df8c8a376686f788ceff1216f11 binary\r\nkirito666/blackt:latest scope 86645e737a60a34219939a59a84098c4 bash\r\nkirito666/blackt:latest tshd 48858971bb4f5bcd6a972cbdaabfe9ea binary\r\nkirito666/blackt:latest system.sh 3259518b8d1dc6a91b64abea8f8fcc09 bash\r\nkirito666/pwndockerredis:latest PwnDocker_REDIS.tar.gz 452c04471bfd1f67a1ae133a64ca2bb6 zip\r\nkirito666/pwndockerredis:latest pruefen.py 45d99a2b004553559e8cb821db57b6bf python\r\nkirito666/pwndockerredis:latest working.py f830f99afeed366aa5a1802d6e9ca807 python\r\nkirito666/gesichtsrababer:latest xmrig c6d849e8aaae006860d7dcf42aebd97f binary\r\nkirito666/gesichtsrababer:latest docker-ud 8ffdba0c9708f153237aabb7d386d083 binary\r\nkirito666/plooppp:latest plooppp.sh 658ed348573ef6799e29d1043820bb82 shell\r\nkirito666/plooppp:latest SetUpTheBLACK-T 492ffed6e5cdc872f00a3f8b7cd3e512 python\r\nkirito666/plooppp:latest sbin_u 3acc4bb5971c31c7544378a448fa8ff0 binary\r\nkirito666/du:latest docker-ud 8ffdba0c9708f153237aabb7d386d083 binary\r\nkirito666/docker_update:latest docker-update 8ffdba0c9708f153237aabb7d386d083 binary\r\nkirito666/sbin:latest bins.tar.gz 048dd37235f5933bb146a44a6822dfa3 zip\r\nkirito666/sbin:latest bioset b8568c474fc342621f748a5e03f71667 binary\r\nkirito666/sbin:latest kubebot df386df8c8a376686f788ceff1216f11 binary\r\nkirito666/sbin:latest scope 86645e737a60a34219939a59a84098c4 bash\r\nkirito666/sbin:latest tshd 48858971bb4f5bcd6a972cbdaabfe9ea binary\r\nkirito666/sbin:latest system.sh 3259518b8d1dc6a91b64abea8f8fcc09 bash\r\nAssaf is the Director of Threat Intelligence at Aqua Nautilus. 
He is responsible for acquiring threat intelligence related to\r\nthe software development life cycle in cloud native environments, supports the team's data needs, and helps Aqua and the\r\necosystem remain at the forefront of emerging threats and protective methodologies. His research has been featured in\r\nleading information security publications and journals worldwide, and he has presented at leading cybersecurity\r\nconferences. Notably, Assaf has also contributed to the development of the new MITRE ATT\u0026CK Container Framework.\r\nAssaf is leading an O’Reilly course, focusing on cyber threat intelligence in cloud-native environments. The course covers\r\nboth theoretical concepts and practical applications, providing valuable insights into the unique challenges and strategies\r\nassociated with securing cloud-native infrastructures.\r\nSource: https://www.aquasec.com/blog/container-attacks-on-redis-servers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.aquasec.com/blog/container-attacks-on-redis-servers/"
	],
	"report_names": [
		"container-attacks-on-redis-servers"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439128,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07d6c89b969ac75280bcaa8779fb8ae0132b4923.pdf",
		"text": "https://archive.orkl.eu/07d6c89b969ac75280bcaa8779fb8ae0132b4923.txt",
		"img": "https://archive.orkl.eu/07d6c89b969ac75280bcaa8779fb8ae0132b4923.jpg"
	}
}