{
	"id": "6ffa9ba5-a6e6-4195-a47c-e042a9c04799",
	"created_at": "2026-04-06T00:07:29.176835Z",
	"updated_at": "2026-04-10T03:30:33.7863Z",
	"deleted_at": null,
	"sha1_hash": "1dbf7e3410dfac499d049ccee26b3b533aa5bbf4",
	"title": "TeamTNT Upgrades Arsenal Refines Focus on Kubernetes and GPU Environments",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1313234,
	"plain_text": "TeamTNT Upgrades Arsenal Refines Focus on Kubernetes and GPU Environments\r\nBy David Fiser, Alfredo Oliveira\r\nPublished: 2021-11-11 · Archived: 2026-04-05 20:46:56 UTC\r\nUsing a new batch of campaign samples, we take a look at its more recent cybercrime contributions and compare them with its previous deployments to demonstrate the group’s use of upgraded tools and payloads.\r\nBy: David Fiser, Alfredo Oliveira Nov 11, 2021 Read time: 4 min (1061 words)\r\nIn previous entries, we described how the hacking group TeamTNT targeted unsecured Redis instances, exposed Docker APIs, and vulnerable Kubernetes clusters in order to deploy cryptocurrency-mining payloads and credential stealers. TeamTNT was one of the first cybercriminal groups to focus on cloud service providers (CSPs), specifically the metadata stored on elastic computing instances being run on cloud services. It is mainly engaged in the theft of environmental metadata used by CSPs. Because instance metadata and user data can’t be authenticated or encrypted, it’s important for users to avoid storing sensitive data in metadata fields, including secrets and CSP-related preauthorization data, which can then be used in other services such as serverless deployments.\r\nIf a running instance used by a CSP customer is not properly configured or has a security weakness such as exposed APIs or leaked credentials, malicious actors who are able to abuse these security flaws might be able to use other services as well. Therefore, it’s important for organizations to safeguard critical authentication credentials, or secrets, to ensure that they are out of cybercriminals’ reach.\r\nToday, TeamTNT continues to actively exploit compromised cloud environments in its campaigns. Using a new batch of campaign samples, we take a look at its more recent cybercrime contributions and compare them with its previous deployments to demonstrate the group’s use of upgraded tools and payloads.\r\nTeamTNT’s upgraded arsenal\r\nWhat stands out from our analysis is that the samples obtained from TeamTNT’s recent campaigns look more professionally developed than previous versions. The samples, which cover more corner cases and include bug fixes, show marked improvements in how the hacking group targets misconfigured Amazon Web Services (AWS) or Kubernetes services. With cybercriminals setting their sights on cloud deployments, it’s important for cloud users to understand the shared responsibility model. Users play an important role in the overall security of their cloud environments. Cloud users are in charge of securing the data, platforms, applications, and operating systems that they run within their respective cloud services. Hence, they must also be aware of where to place critical data within the cloud environment so that it is not targeted by malicious actors.\r\nhttps://www.trendmicro.com/en_ae/research/21/k/teamtnt-upgrades-arsenal-refines-focus-on-kubernetes-and-gpu-env.html\r\nPage 1 of 5\r\nRather than incorporating all-in-one samples with multiple functionalities, TeamTNT’s attacks have become more modular. The samples have a defined scope and feature well-defined functions, showing how the group has evolved to apply a more targeted approach to its campaigns.\r\nFigure 1. TeamTNT’s typical attack chain\r\nFigure 2. An older version of TeamTNT’s AWS credential stealer (left) compared with newer versions (middle and right) from instances that they have already compromised\r\nEarlier this year, we detailed how TeamTNT crafted a hard-coded shell script that targeted credentials from vulnerable AWS instances. Aside from AWS, we have also observed how TeamTNT has refined its development of tools specifically for one of its primary targets, Kubernetes.\r\nFigure 3 shows TeamTNT samples that target different Kubernetes environments, obtained in August and September 2021. These show that TeamTNT has developed multiple payloads for different targeted Kubernetes environments. Upon closer look, the payloads have minor changes specifically geared toward adapting a bit better to the infected environment: they are less noisy because they are less generic, and they change command-and-control addresses as they get updated.\r\nFigure 3. TeamTNT tools targeting Kubernetes environments using different payloads\r\nChecking this trend with Shodan data, we see that TeamTNT’s focus on Kubernetes deployments makes sense since the number of open and exposed Docker APIs has been decreasing. In September 2021, the number of exposed Docker APIs was 836, down from 7,276 12 months prior. Meanwhile, the number of vulnerable Kubernetes APIs has been increasing since June 2021. In September 2021, exposed Kubernetes APIs even reached 161,993.\r\nFigure 4. Shodan data showing a significant decrease in exposed Docker APIs from the latter part of 2020 to 2021\r\nFigure 5. Shodan data showing a significant increase in exposed Kubernetes APIs in 2021\r\nTeamTNT is also extending its focus on its mining hash rate by enhancing its chances to exploit devices equipped with GPUs, with toolsets designed for multiple GPU manufacturers. This is no surprise, as the actual reward for mining monero cryptocurrency is getting lower. Thus, to mine the same amount of moneroj, a bigger contribution (with hashes provided) is needed, which in this case is indicated by the hash rate. Simply put, the bigger the hash rate, the higher the amount of money mined.\r\nFigure 6. TeamTNT tools that target GPU environments\r\nConclusion and security recommendations\r\nThis entry highlights our three major observations on TeamTNT’s recent campaigns. The first concerns the changes the group has employed in its arsenal development. Rather than using messy, all-in-one malicious files, its new-generation payloads seem to be more professionally developed and targeted, and generate less noise during infection by reducing the number of executions and deploying more accurately.\r\nAnother crucial observation is that TeamTNT is developing more tools targeting Kubernetes. This is backed by in-the-wild Shodan data showing the number of exposed Kubernetes APIs. Because the hacking team has also mentioned the launch of a new Kubernetes campaign on its social media account, we highly recommend that Kubernetes users pay special attention to their deployments. However, despite TeamTNT’s apparent preference for exposed Kubernetes APIs, it still targets CSPs.\r\nThe final point is that the payloads now identify GPU-based environments and deploy specific payloads to target instances running in CSPs, taking advantage of the computational power to generate more cryptocurrency by illicit means.\r\nWith organizations relying on cloud services now more than ever, attacks targeting cloud services are likely to become more ubiquitous and sophisticated in the coming years. To keep systems and services protected against evolving threats, organizations should create strong security policies that highlight the shared responsibility model and the principle of least privilege. It is also a good practice to encrypt metadata or use obfuscated or otherwise non-sensitive metadata to ensure that critical data is kept secure. AWS provides a detailed example of encrypting metadata with the AWS Glue Data Catalog and a listing of ITAR-controlled data related to each AWS service.\r\nOrganizations can also benefit from prioritizing continuous monitoring and auditing, and regularly patching and updating their systems.\r\nIndicators of compromise\r\nSource: https://www.trendmicro.com/en_ae/research/21/k/teamtnt-upgrades-arsenal-refines-focus-on-kubernetes-and-gpu-env.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_ae/research/21/k/teamtnt-upgrades-arsenal-refines-focus-on-kubernetes-and-gpu-env.html"
	],
	"report_names": [
		"teamtnt-upgrades-arsenal-refines-focus-on-kubernetes-and-gpu-env.html"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434049,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1dbf7e3410dfac499d049ccee26b3b533aa5bbf4.pdf",
		"text": "https://archive.orkl.eu/1dbf7e3410dfac499d049ccee26b3b533aa5bbf4.txt",
		"img": "https://archive.orkl.eu/1dbf7e3410dfac499d049ccee26b3b533aa5bbf4.jpg"
	}
}