{
	"id": "0c39f6d2-0993-4a4f-b1da-9b6dc1092739",
	"created_at": "2026-04-06T00:15:56.027571Z",
	"updated_at": "2026-04-10T03:32:45.960811Z",
	"deleted_at": null,
	"sha1_hash": "2fa573dbd31f91e77fb409838bdb4b343c8bf759",
	"title": "TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 784367,
	"plain_text": "TeamTNT Actively Enumerating Cloud Environments to Infiltrate\r\nOrganizations\r\nBy Nathaniel Quist\r\nPublished: 2021-06-04 · Archived: 2026-04-05 16:17:13 UTC\r\nExecutive Summary\r\nTeamTNT has been evolving their cloud-focused cryptojacking operations for some time now. TeamTNT operations have\r\ntargeted and, after compromise, exfiltrated AWS credentials, targeted Kubernetes clusters and created new malware called\r\nBlack-T that integrates open source cloud native tools to assist in their cryptojacking operations. TeamTNT operations are\r\nnow using compromised AWS credentials to enumerate AWS cloud environments, via the AWS platform’s API. These\r\nactions attempt to identify all Identity and Access Management (IAM) permissions, Elastic Compute Cloud (EC2) instances,\r\nSimple Storage Service (S3) buckets, CloudTrail configurations and CloudFormation operations granted to the compromised\r\nAWS credential. TeamTNT operations are now also targeting the credentials of 16 additional applications, including those of\r\nAWS and Google Cloud credentials, which may be stored on the compromised cloud instance, if installed.\r\nThe presence of Google Cloud credentials being targeted for collections represents the first known instance of an attacker\r\ngroup targeting IAM credentials on compromised cloud instances outside of AWS. While it is still possible that Microsoft\r\nAzure, Alibaba Cloud, Oracle Cloud or IBM Cloud IAM credentials could be targeted using similar methods, Unit 42\r\nresearchers have yet to find evidence of credentials from these cloud service providers (CSPs) being targeted. TeamTNT\r\nfirst started collecting AWS credentials on cloud instances they had compromised as early as August 2020.\r\nIn addition to the targeting of 16 application credentials from cloud applications and platforms, TeamTNT has added the\r\nusage of the open-source Kubernetes and cloud penetration toolset Peirates to their reconnaissance operations. 
With these\r\ntechniques available, TeamTNT actors are increasingly capable of gathering enough information in target AWS and\r\nGoogle Cloud environments to perform additional post-exploitation operations. This could lead to more cases of lateral\r\nmovement and potential privilege escalation attacks that could ultimately allow TeamTNT actors to acquire administrative\r\naccess to an organization’s entire cloud environment.\r\nThat said, TeamTNT operations are still focused on cryptojacking. The TeamTNT cryptojacking operations represented\r\nwithin this writing have collected 6.52012192 Monero coins, which at the time of this writing equaled $1,788 USD. The\r\nmining operation was found to be operating at an average speed of 77.7KH/s across eight mining workers. Operations using\r\nthis Monero wallet address have continued for 114 days as of the time of this writing.\r\nPalo Alto Networks Prisma Cloud customers are protected from these threats through the Runtime Protection feature,\r\nCryptominer Detection feature and the Prisma Cloud Compute Kubernetes Compliance Protection, which alerts on an\r\ninsufficient Kubernetes configuration and provides secure alternatives. Additionally, Palo Alto Networks VM-Series and\r\nCN-Series products offer cloud protections that can prevent network connections from cloud instances toward known\r\nmalicious IP addresses and URLs.\r\nEnumeration Techniques\r\nUnit 42 researchers identified one of TeamTNT’s malware repositories, hxxp://45.9.148[.]35/chimaera/sh/, which contained\r\nseveral bash scripts designed to perform cryptojacking operations, exploitation, lateral movement and credential scraping\r\noperations, as shown in Figure 1. 
This malware repository, referred to as the Chimaera Repository, highlights the expanding\r\nscope of TeamTNT operations within cloud environments as well as a target set for current and future operations.\r\nhttps://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments\r\nPage 1 of 13\n\nFigure 1. TeamTNT’s Chimaera Repository.\r\nWithin the Chimaera repository, there were three scripts that specifically highlight TeamTNT’s expanding cloud targeting\r\ncapabilities and intent. The first script is grab_aws-data.sh (SHA256:\r\na1e9cd08073e4af3256b31e4b42f3aa69be40862b3988f964e96228f91236593), which focuses on enumerating AWS cloud\r\nenvironments using known AWS IAM credentials. The second script, bd_aws.sh (SHA256:\r\nde3747a880c4b69ecaa92810f4aac20fe5f6d414d9ced29f1f7ebb82cd0f3945), scrapes all known Secure Shell Protocol (SSH)\r\nkeys from an AWS instance and identifies all executable programs currently running on that instance. Finally, the script\r\nsearch.sh (SHA256: ed40bce040778e2227c869dac59f54c320944e19f77543954f40019e2f2b0c35) performs a search for\r\nconfiguration files containing application credentials stored on a given host. These scripts are newly discovered and directly\r\nhighlight the targeting of cloud native applications within both AWS and Google Cloud environments.\r\nEnumerating AWS Environments\r\nThe bash script, grab_aws-data.sh, contains 70 unique AWS Command Line Interface (AWS CLI) commands designed to\r\nenumerate seven AWS services: IAM configurations, EC2 instances, S3 buckets, support cases and Direct Connect connections, in\r\naddition to any CloudTrail and CloudFormation operations available to a given AWS IAM credential. As seen in Figure 2,\r\nall enumerated values obtained through the AWS enumeration process will be stored within the local directory\r\n/var/tmp/.../...TnT.../aws-account-data/ on the compromised system.\r\nFigure 2. 
TeamTNT’s grab_aws.sh script.\r\nNavigate to the Appendix for a list of all 70 unique AWS CLI commands present within the TeamTNT script grab_aws-data.sh. As a summary, the TeamTNT script contained commands for the following seven AWS services:\r\n44 EC2 instance commands.\r\n14 IAM commands.\r\n4 Direct Connect commands.\r\n4 CloudFormation commands.\r\n2 CloudTrail commands.\r\n1 S3 command.\r\n1 Support command.\r\nCredential Scraping\r\nTeamTNT actors have also expanded their credential scraping capabilities to include the identification and collection of credentials for 16\r\nunique applications, which may be present on the compromised cloud endpoint, for any of the known user accounts on\r\nthe cloud instance, including the root account. There has been additional research involving this particular script. These\r\napplications were listed within the script search.sh:\r\nSSH keys.\r\nAWS keys.\r\nS3 clients.\r\ns3backer\r\ns3proxy\r\ns3ql (Google Cloud capable as well)\r\npasswd-s3fs\r\ns3cfg\r\nDocker.\r\nGitHub.\r\nShodan.\r\nNgrok.\r\nPidgin.\r\nFilezilla.\r\nHexchat.\r\nGoogle Cloud.\r\nProject Jupyter.\r\nServer Message Block (SMB) clients.\r\nSeveral of these applications are noteworthy. The presence of Google Cloud credentials tops the list as this is the first known\r\ninstance of an attacker group targeting IAM credentials outside of AWS (see Figure 3). It is possible that Microsoft Azure,\r\nAlibaba Cloud, Oracle Cloud or IBM Cloud environments could be targeted using similar techniques, but Unit 42\r\nresearchers have yet to find evidence of these CSPs being targeted. Researchers believe that it is only a matter of time before\r\nTeamTNT will develop functionality similar to that of grab_aws-data.sh described above, but targeting Google Cloud\r\nenvironments.\r\nFigure 3. 
TeamTNT’s search.sh script searching for Google Cloud credentials.\r\nLateral Movement Operations\r\nIn addition to the 16 applications listed above, the following applications are specifically targeted for lateral movement\r\noperations.\r\nWeaveworks\r\nWithin the search.sh script, there are several applications identified which display evolving attack patterns for TeamTNT\r\noperations. Within the Chimaera repository, Unit 42 researchers identified several scripts that single out specific\r\napplications. One of those applications is Weaveworks (see Figure 4). Weave is a microservice network mesh application\r\ndeveloped for container infrastructures such as Docker and Kubernetes, and allows microservices to run on one\r\nor multiple hosts while maintaining network connectivity between them. By targeting Weave installations, TeamTNT\r\noperations have the potential to move laterally within a container infrastructure using the Weave network mesh.\r\nAs can be seen within the base64-encoded code in the script setup_scope.sh (SHA256:\r\n584c6efed8bbce5f2c52a52099aafb723268df799f4d464bf5582a9ee83165c1), TeamTNT is targeting Docker user accounts\r\nthat contain Weave container information.\r\nFigure 4. TeamTNT script setup_scope.sh base64 decode code.\r\nFigure 5. Local Docker image creation for Monero mining.\r\nProject Jupyter\r\nAdditionally, the Project Jupyter application is listed as a target of TeamTNT operations through two sources within the\r\nChimaera repository: first within the search.sh script as the target for credential scraping, and second as a beta lateral movement\r\nscript, spread_jupyter_tmp.sh (SHA256: 0d7912e62bc663c9ba6bff21ae809e458b227e3ceec0abac105d20d5dc533a22).\r\nUnit 42 researchers also found reference to Project Jupyter within a known TeamTNT actor’s Twitter account. 
The Twitter\r\naccount, @HildeTnT, posted the following image (Figure 6) on their Twitter feed, replying to a potentially compromised\r\nJupyter endpoint. The German-language text translates to “Hahaha we take that as a compliment ^^ btw blocking the shell\r\nalone brings 0% security …” The presence of this Twitter exchange highlights the fact that TeamTNT is actively using the\r\nscripts listed within the Chimaera repository and targeting these additional cloud applications.\r\nFigure 6. TeamTNT actor replying to a message from a potentially compromised Jupyter endpoint.\r\nPeirates\r\nUnit 42 researchers have identified that TeamTNT actors are using the open source container and cloud penetration tool\r\nPeirates. As seen in Figure 7, Peirates allows actors to perform several attack functions against AWS and Kubernetes\r\ninstances. This tool could enable TeamTNT actors to investigate and identify misconfigurations or potential vulnerabilities\r\nwithin Kubernetes and cloud environments and could allow TeamTNT to perform additional compromising actions against\r\ncloud infrastructure.\r\nFigure 7. Peirates penetration testing options.\r\nMonero Mining Operations\r\nTeamTNT operations are still focused on cryptojacking. The previous sections presented the findings of new techniques\r\nused by TeamTNT actors to expand their cryptojacking infrastructure. The following section will focus on the findings\r\nrelated to the processes of mining applications TeamTNT uses to perform their cryptojacking operations.\r\nLocal Docker Image\r\nOf interest is the script file docker.container.local.spread.txt, which lists the name of a local Docker image, as shown in\r\nFigure 8. The Docker image is a local Docker image, meaning it is not hosted and downloaded from an external Docker\r\nrepository such as Docker Hub. 
Researchers searched Docker Hub for the presence of this Docker image and found no matches.\r\nFigure 8. Contents of the docker.container.local.spread.txt.\r\nThe Docker container is created to provide a host for TeamTNT’s Monero (XMR) mining operation. Shown in Figure 5, a\r\nDocker image is created with the name mangletmpuser/fcminer. This image is then started and directed to navigate to the\r\nChimaera repository file setup_xmr.sh (SHA256:\r\n5ddd226d400cc0b49d0175ba06a7e55cb2f5e9586111464bcf7b3bd709417904), which will initiate the Docker cryptomining\r\nprocess, using the open source XMRig application within a Docker container.\r\nNew Monero Wallet\r\nUnit 42 researchers identified a new Monero wallet address that has never before been witnessed in relation to TeamTNT\r\noperations:\r\n46EPFzvnX5GH61ejkPpNcRNm8kVjs8oHS9VwCkKRCrJX27XEW2y1NPLfSa54DGHxqnKfzDUVW1jzBfekk3hrCVCmAUrFd3H\r\nThis Monero wallet address was associated with the Monero public mining pool pool.supportxmr[.]com:3333, as shown in\r\nFigure 9.\r\nFigure 9. SupportXMR public mining pool configuration.\r\nIn Figure 10, this mining pool address displays that the TeamTNT mining operation has collected 6.52012192 Monero coins,\r\nwhich at the time of this writing equaled $1,788 USD. The mining operation was found to be operating at 77.7KH/s, across\r\neight mining workers at the time of this writing, and operations using this Monero wallet address have continued for 114\r\ndays. At an operating speed of 77.7KH/s, this operation is considered to be a small mining operation for a group like\r\nTeamTNT.\r\nFigure 10. 
SupportXMR mining pool dashboard.\r\nConclusion\r\nGiven TeamTNT’s integration of tools such as Peirates, their targeting of cloud native network mesh applications such as\r\nWeave, their operations around Kubernetes and Black-T, and their targeting and subsequent taunting of organizations using\r\nProject Jupyter, TeamTNT actors are suspected to be employing all tools listed within this blog on a regular basis. TeamTNT\r\nactors are specifically targeting cloud platforms in an attempt to circumvent future security detection tools and embed\r\nthemselves into the organization’s cloud environment.\r\nWe recommend that organizations operating with cloud environments monitor for and block all network connections\r\nassociated with TeamTNT’s Chimaera repository, as well as historic Command and Control (C2) endpoints. Using a cloud\r\nnative security platform will significantly reduce the cloud infrastructure’s attack surface and allow organizations to monitor\r\nfor risks.\r\nThe following tips are highly recommended by Unit 42 researchers to assist in the protection of cloud infrastructure.\r\nEnforce least-privilege IAM access policies to all cloud IAM roles and permissions. 
Where applicable, use short-lived or one-time-use IAM credentials for service accounts.\r\nMonitor and block network traffic to known malicious endpoints.\r\nOnly deploy vetted container images within production environments.\r\nImplement and use Infrastructure as Code (IaC) scanning platforms to prevent insecure cloud instances from being\r\ndeployed into production environments.\r\nUse cloud infrastructure configuration scanning tools that enable governance, risk management and compliance\r\n(GRC) to identify potentially threatening misconfigurations.\r\nUse cloud endpoint agents to monitor and prevent the running of known malicious applications within cloud\r\ninfrastructure.\r\nPalo Alto Networks Prisma Cloud customers are protected from these threats through the Runtime Protection feature,\r\nCryptominer Detection feature and the Prisma Cloud Compute Kubernetes Compliance Protection, which alerts on an\r\ninsufficient Kubernetes configuration and provides secure alternatives. 
Additionally, Palo Alto Networks VM-Series and\r\nCN-Series products offer cloud protections that can prevent network connections from cloud instances toward known\r\nmalicious IP addresses and URLs.\r\nIndicators of Compromise\r\nChimaera Repository Files\r\nSHA256 File\r\na698562d56715c138750163c84727a1f2edb9d92f231994abf7ae82ef62006bf chimaera/bin/1.0.4.tar.gz\r\nbcd43d4046c64d15da4e87984306dd14dc80daa904a6477ad2b921c49c2f414d chimaera/bin/64bit/aws_zig\r\n3aae4a2bf41aedaa3b12a2a97398fa89a9818b4bec433c20b4e724505277af83 chimaera/bin/64bit/bob\r\n134e9ab62a8efe80a27e2869bd6e98d0afe635e0e0750eb117ff833dc9447c28 chimaera/bin/64bit/docker-escape\r\n45aabbda369956ff04ba4e6bf345cbaa072d49dd4b90c35c7be8c0c96a115733 chimaera/bin/64bit/hawkeye\r\ne673ef9910a9d6319be598be72430f1b04c299b48e5cd95ce7ccafac273072f3 chimaera/bin/64bit/index.html\r\n456041c34e7a992e76320121b7a6b5a47f12b1ed069e1de735543f5b2a1f1a68 chimaera/bin/64bit/pei\r\nbcd43d4046c64d15da4e87984306dd14dc80daa904a6477ad2b921c49c2f414d chimaera/bin/64bit/TNT_AWS\r\nd5063df016a6af531ed4e6dd222ff4dbbb5b3b0c9075ad642e94adde8e481cbe chimaera/bin/64bit/TNT_Kubernetes_e_u\r\n9504b74906cf2c4aba515de463f20c02107a00575658e4637ac838278440d1ae chimaera/bin/64bit/TNT_MassPwn\r\n15f8cf9c0ed9891f20be37130c1d0e30946e4e14e00a1b2824da22c6c94b8fe3 chimaera/bin/64bit/wget.rpm.tar.gz\r\nefdf041abcb93f97a3b46624d18d1c8153711f939298c46a4a48388e7ec1bd1e chimaera/bin/64bit/xmr\r\nee7799a42c2f487df7405d0aac06496c9a5bb58daecfb135f6f58e3b3aeedf69 chimaera/bin/64bit/xmr.xz\r\n900b17ae0081052fb63a7d74232048cfbc2716cdedbe0ab14cf64b7d387d4329 chimaera/bin/64bit/xmrig\r\n84078b10ad532834eb771231a068862182efb93ce1e4a8614dfca5ae3229ed94 chimaera/bin/64bit/xmrig_ps_e\r\n825c60dd1bb32cd6b7e6686f425c461532093b1e9f6ca662c1ea9b07ec7e470b\r\nchimaera/bin/64bit/xmrig-6.8.1-linux-static-x64.tar.gz\r\n99211429717c686167c1bcda6c5e55dc0e45f46bfdfe34f3bb272ce1378a47a3 
chimaera/bin/64bit/zgrab\r\n8373c0e8abdd962f46d3808fb10589e4961e38cd96d68a4464d1811788a4f2b7 chimaera/bin/64bit/zmap\r\n73a4e43a50c533dffdce6575a630be808780d1b408a6dda335106de0c48926ac chimaera/bin/aarch64/bob\r\n24c75a2f86d3c0f13f77b453d476787607a87c1033dca501351846524a4e8ff6 chimaera/bin/aarch64/index.html\r\ne842c810b6ecb9c7634f1cfbf81b6245094528ac5584179eb8e6932eaa34f421 chimaera/bin/aarch64/traitor\r\n1e565e0672c4cd60b7db32c0ecc1abace6dfd8b6c2e0623c949d31536940fd62 chimaera/bin/aarch64/zgrab\r\n12466d33f1d0e9114b4c20e14d51ca3e7e374b866c57adb6ba5dfef3ee34ee5b chimaera/bin/irc_bot.c\r\n2287e71c5707ebb2885cd6afd0bff401e4465ca59c8c2498439859e6c8ec5175 chimaera/bin/mass.tar\r\nb6ddd29b0f74c8cfbe429320e7f83427f8db67e829164b67b73ebbdcd75d162d chimaera/bin/p.tar\r\n2f4ffa0e687b4e18e45770812a14ad4fc1ae3f735b4f8280f0dd241e045838fe chimaera/bin/pnscan_1.12+git20180612.orig.tar.g\r\n5f1c9e8dc98ff3e7cf32096225cbae96dacead6af82986d69bbc0032d0e8da84 chimaera/bin/rpm_deb_apk/i386-curl\r\n3d2481edc5fe122bae2fe316d803e131837606e38a7a3158f7cddc7b436dc6c2 chimaera/bin/rpm_deb_apk/setup_apps.sh\r\nf26f805c3a1c01ab4717cc3b4c91581249482b00bd29712ab0c36ba7ce74147c chimaera/bin/x86_64/bob\r\n0cdad862a1a695fe9cbf35592f92111e31ac848881fcd1deaa3c6ecd7c241ad7 chimaera/bin/x86_64/bot\r\n456041c34e7a992e76320121b7a6b5a47f12b1ed069e1de735543f5b2a1f1a68 chimaera/bin/x86_64/pei\r\nd2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f chimaera/bin/x86_64/tmate\r\n3cb401fdba1a0e74389ac9998005805f1d3e8ed70018d282f5885410d48725e1 chimaera/bin/x86_64/traitor\r\n84078b10ad532834eb771231a068862182efb93ce1e4a8614dfca5ae3229ed94 chimaera/bin/x86_64/xmrig\r\n4e4e01830dc64466683735d32778d17cfbffc7be75d647322240ecf9e2f9d700 chimaera/bin/x86_64/zgrab\r\n900b17ae0081052fb63a7d74232048cfbc2716cdedbe0ab14cf64b7d387d4329 
chimaera/bin/xmr/xmrig_u\r\n11b45924f96844764c7ae56ce0b6ac3c43d3a732bc7101d7ce85ea52d0455afd chimaera/bin/xmrig\r\n825c60dd1bb32cd6b7e6686f425c461532093b1e9f6ca662c1ea9b07ec7e470b chimaera/bin/xmrig-6.8.1-linux-static-x64.tar.gz\r\nacea877b5e4eb9a4f89c0607872bd718e818775dd70044ba6bcede26b481d079 chimaera/data/docker.container.local.spread.txt\r\nd4084c84b21a24ec7a75b1700c65835edea55ac146e86f874941f9ea4bc30ecd chimaera/init.sh\r\n43545f6cd370e6f200347bd9bbafdc3d94240775d816cd5e24dc8072d0f1c9b5 chimaera/pl/scan.pl\r\n55a53f325a46f0da8a15ce001595b9d27eeb03262a62c40f169a3c855c5e8319 chimaera/py/punk.base64.txt\r\nc2491f9b1f6eb9b1b31e84b0dd5505c5959947c47230af97dce18a49aab90e6b chimaera/py/punk.py\r\nde3747a880c4b69ecaa92810f4aac20fe5f6d414d9ced29f1f7ebb82cd0f3945 chimaera/sh/bd_aws.sh\r\n5265a344fd3d3c91d1e9169678e9dadf6296331ccf91132b99c728761bffb011 chimaera/sh/clean_aegis.sh\r\n0a8499cebddd96af4634e85be50e4f64c9d2c7c616677de171df99691239526b chimaera/sh/clean_crontab.sh\r\n881530fb9634cbf5cf12080f5d13e69cb9497c7ea223a4ac29e0d3c81de3053a chimaera/sh/clean_docker.sh\r\n5f845e765947c4568e1c201fdfeb016c19c940ca2f1636d1393a65a9ee367e8c chimaera/sh/clean_quartz.sh\r\n44cbddf5092818092439734cd478a0fd80f93949e4fec32553b78064029266af chimaera/sh/clean_tmp.sh\r\nd708b28231ef70edc707d3cfc1f9ed72aa06a6db15b7903a22b2cdba435e41f7 chimaera/sh/clean_v2.sh\r\n1946ddf0ade98a69650cdf5c6951d26abbb2ddb5224ea95279e1372a772a0f9c chimaera/sh/clean.sh\r\nb1f38b8648351bb7c743eed838658ea38975db40358c2af62d4e36905555a332 chimaera/sh/first_touch.sh\r\na1e9cd08073e4af3256b31e4b42f3aa69be40862b3988f964e96228f91236593 chimaera/sh/grab_aws-data.sh\r\n4e059d74e599757226f93ea8ddcfb794d4bcda605f0e553fbbef47b8b7c82d2b chimaera/sh/init.sh\r\n484d09b34cb7fb075647402b52f174b2645c6b2c7e8b271e648421893aacdfb4 chimaera/sh/kube.lateral.sh\r\n49b185d1a03124fd5f664fe908fe833d932124344216535b822a044e9d115234 
chimaera/sh/lateral/_sort.sh\r\ned40bce040778e2227c869dac59f54c320944e19f77543954f40019e2f2b0c35 chimaera/sh/search.sh\r\n4a6a31b867ce9033691a6638997b0e46d89462d677e9a1f7d757e9f2efbd4c79 chimaera/sh/setup_bot.sh\r\ne9a58f006e5335d806da5fc772fb2b5dedcd977d6484f462169f7a64a636fb44 chimaera/sh/setup_crontab.sh\r\n61e94f41187a3ce31fd8ac0ae3798aaa0e8984e8ff76debe623e41fecf8d7a12 chimaera/sh/setup_hide.sh\r\n7270416ff49d679f123f560f135b25afe1754a370b0a4bf99368f1ebbc86cbb1 chimaera/sh/setup_mo.sh\r\n584c6efed8bbce5f2c52a52099aafb723268df799f4d464bf5582a9ee83165c1 chimaera/sh/setup_scope.sh\r\nec92f9a98e2c5449693792aa7fd77d0c7a5a98af13b0595ad3c46da739c44c80 chimaera/sh/setup_tmate.sh\r\n642551b7f4e088797cd37b19280261668c8b381dcf667ea7d0dafed1ec94e460 chimaera/sh/setup_unhide.sh\r\n5ddd226d400cc0b49d0175ba06a7e55cb2f5e9586111464bcf7b3bd709417904 chimaera/sh/setup_xmr.sh\r\n57689b87b6830411046d7bda19936707a0797bec9dffe03874d1a364c4f29c35 chimaera/sh/setup_xmr2.sh\r\nf9b5bd4372daf78346e4bb34677633a7795876a3c89c5965eb76f137a0fba448 chimaera/sh/setup_zmap_zgrab_jq_masscan.sh\r\nf194d5901d64811c72a2cf3a035b7c36ea36d444ea6291f64138d1e88929349d chimaera/sh/setup.sh\r\n30e35e225f23495f92c417337d205056c4fd2f8dd9e958365e84b522c3adc851 chimaera/sh/spread_docker_local.sh\r\n2e34f88bacc50e0ec06681d6857163b99046fec775a75297f774edd1f6b452c1 chimaera/sh/spread_docker_loop.sh\r\n0d7912e62bc663c9ba6bff21ae809e458b227e3ceec0abac105d20d5dc533a22 chimaera/sh/spread_jupyter_tmp.sh\r\n5ac76e1edfda445548c35364ba0c3dbb0bcb8a0236c303d2a4e2a94a7073a716 chimaera/sh/spread_kube_local.sh\r\n3ae9e772a025d192a689358e263445a8d953e090b1bbe62f83567034938e75b5 chimaera/sh/spread_kube_loop.sh\r\n9c7f2644e02cb48ab5ff17d541c07f11fd85e5e13cdc210faf34994771a4ca29 chimaera/sh/spread_ssh.sh\r\nfece70a9f33c2ed77a5833dba5b7188d5ec00a30fb00e43983e6939cac87fb99 chimaera/sh/xmr.sh.sh\r\n5bb45f372fb4df6a9c6a5460fa1845f5e96af53aa41939eb251cbe989a5cac6c 
chimaera/so/systemd.so\r\ne8cd937239d6bf43cb34c7947321a197b0d1067f05c3b21508bffa35a953a3c3 chimaera/so/tmate.so\r\n0af1b8cd042b6e2972c8ef43d98c0a0642047ec89493d315909629bcf185dffd chimaera/so/xmrig.so\r\n3b14c84525f2e56fe3ae7dec09163a4a9c03f11e6a8d65b021c792ad13ed2701 chimaera/spread/redis/b.sh\r\ndc8e4e45a46a65e70e3d67315ca76127b20ef4dcda2fd012a826b73ee26ab941 chimaera/up/aws_in.php\r\n6175648ebbe658e3d5984d5c45d5221bf8f8875599d9ce2d62d279b7bba5eeea chimaera/up/grabbed_data.php\r\ne6e1656ac258318e8226db00dbacdf6914f2dac2d174b1470903b096b7fbecff chimaera/up/tmate_in.php\r\n9cd9549e8b80ee3230bdb1130676ac2396de5e99428b45f14d93b705b157465a chimaera/up/working_tmp_dir/results_kubernetes\r\n79c7a022d2c807dea005fb5c0433eb984eea053d07123754acd864bede03be00 chimaera/working.txt\r\nMonero Wallet\r\n46EPFzvnX5GH61ejkPpNcRNm8kVjs8oHS9VwCkKRCrJX27XEW2y1NPLfSa54DGHxqnKfzDUVW1jzBfekk3hrCVCmAUrFd3H\r\nURL Address\r\n45.9.148[.]35/chimaera/bin/\r\n45.9.148[.]35/chimaera/data/\r\n45.9.148[.]35/chimaera/init/\r\n45.9.148[.]35/chimaera/pl/\r\n45.9.148[.]35/chimaera/py/\r\n45.9.148[.]35/chimaera/sh/\r\n45.9.148[.]35/chimaera/spread/\r\n45.9.148[.]35/chimaera/up/\r\npool.supportxmr[.]com\r\nAppendix\r\nAWS CLI command | AWS Link Function | Description\r\naws iam get-account-authorization-details | get-account-authorization-details | Retrieves information about all IAM users, groups, roles and policies in your AWS account, including their relationships to one another.\r\naws iam get-account-password-policy | get-account-password-policy | Retrieves the password policy for the AWS account.\r\naws iam get-account-summary | get-account-summary | Retrieves information about IAM entity usage and IAM quotas in the AWS account.\r\naws iam list-account-aliases | list-account-aliases | Lists the account alias associated with the AWS account. 
(Note: You can have only one.)\r\naws iam list-groups | list-groups | Lists the IAM groups that have the specified path prefix.\r\naws iam list-instance-profiles | list-instance-profiles | Lists the instance profiles that have the specified path prefix.\r\naws iam list-open-id-connect-providers | list-open-id-connect-providers | Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account.\r\naws iam list-policies | list-policies | Lists all the managed policies that are available in your AWS account, including your own customer-defined managed policies and all AWS managed policies.\r\naws iam list-roles | list-roles | Lists the IAM roles that have the specified path prefix.\r\naws iam list-saml-providers | list-saml-providers | Lists the SAML provider resource objects defined in IAM in the account.\r\naws iam list-server-certificates | list-server-certificates | Lists the server certificates stored in IAM that have the specified path prefix.\r\naws iam list-users | list-users | Lists the IAM users that have the specified path prefix.\r\naws iam list-virtual-mfa-devices | list-virtual-mfa-devices | Lists the virtual MFA devices defined in the AWS account by assignment status.\r\naws iam get-credential-report | get-credential-report | Retrieves a credential report for the AWS account.\r\nTable 1. Enumerating AWS IAM configurations.\r\nTable 2. Enumerating Amazon EC2 instances.\r\nAWS CLI command | AWS Link Function | Description\r\naws s3 ls | ls | List S3 objects and common prefixes under a prefix or all S3 buckets.\r\nTable 3. Enumerating available Amazon S3 buckets.\r\nAWS CLI command | AWS Link Function | Description\r\naws support describe-cases --include-resolved-cases | describe-cases | Lists the interconnects owned by the AWS account or only the specified interconnect.\r\nTable 4. 
Enumerating open AWS support cases.\r\nAWS CLI command | AWS Link Function | Description\r\naws directconnect describe-connections | describe-connections | Displays the specified connection or all connections in this Region.\r\naws directconnect describe-interconnects | describe-interconnects | Lists the interconnects owned by the AWS account or only the specified interconnect.\r\naws directconnect describe-virtual-gateways | describe-virtual-gateways | Lists the virtual private gateways owned by the AWS account.\r\naws directconnect describe-virtual-interfaces | describe-virtual-interfaces | Displays all virtual interfaces for an AWS account.\r\nTable 5. Enumerating available AWS network connections.\r\nAWS CLI command | AWS Link Function | Description\r\naws cloudtrail describe-trails | describe-trails | Retrieves settings for one or more trails associated with the current region for your account.\r\naws cloudtrail list-public-keys | list-public-keys | Returns all public keys whose private keys were used to sign the digest files within the specified time range.\r\nTable 6. Enumerating AWS CloudTrail operations.\r\nAWS CLI command | AWS Link Function | Description\r\naws cloudformation describe-account-limits | describe-account-limits | Retrieves your account's AWS CloudFormation limits, such as the maximum number of stacks that you can create in your account.\r\naws cloudformation describe-stacks | describe-stacks | Returns the description for the specified stack. If no stack name was specified, then it returns the description for all the stacks created.\r\naws cloudformation list-exports | list-exports | Lists all exported output values in the account and Region in which you call this action.\r\naws cloudformation list-stacks | list-stacks | Returns the summary information for stacks whose status matches the specified StackStatusFilter.\r\nTable 7. 
Enumerating AWS CloudFormation operations.\r\nSource: https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments"
	],
	"report_names": [
		"teamtnt-operations-cloud-environments"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434556,
	"ts_updated_at": 1775791965,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2fa573dbd31f91e77fb409838bdb4b343c8bf759.pdf",
		"text": "https://archive.orkl.eu/2fa573dbd31f91e77fb409838bdb4b343c8bf759.txt",
		"img": "https://archive.orkl.eu/2fa573dbd31f91e77fb409838bdb4b343c8bf759.jpg"
	}
}