{
	"id": "067d69b2-1738-4520-9fd8-4c9fc0d2ce5f",
	"created_at": "2026-04-06T00:19:34.389181Z",
	"updated_at": "2026-04-10T03:27:04.746196Z",
	"deleted_at": null,
	"sha1_hash": "3b6f44180d41aa6f022942317bb5efe535a1ea4f",
	"title": "TeamTNT Now Deploying DDoS-Capable IRC Bot TNTbotinger",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 167141,
	"plain_text": "TeamTNT Now Deploying DDoS-Capable IRC Bot TNTbotinger\r\nBy: David Fiser Dec 18, 2020 Read time: 5 min (1447 words)\r\nPublished: 2020-12-18 · Archived: 2026-04-05 15:15:59 UTC\r\nEarlier this year, we saw how the cybercrime group TeamTNT attacked exposed Docker APIs using the XMRig cryptocurrency miner. Over time, we observed how TeamTNT expanded the functionality of its attacks, which has come to include the stealing of Amazon Web Services (AWS) secure shell (SSH) credentials and a self-replicating behavior for propagation.\r\nHere we discuss TeamTNT’s latest attack, which involves the use of the group’s own IRC (Internet Relay Chat) bot. The IRC bot is called TNTbotinger and is capable of distributed denial of service (DDoS).\r\nIt’s important to note that the attackers must first be able to perform remote code execution (RCE) on the initial target machine in order to successfully wage this attack on a system. Malicious actors can perform RCE by exploiting misconfiguration issues, abusing unpatched vulnerabilities, and taking advantage of security flaws such as weak or reused passwords and keys, or leaked credentials.\r\nTechnical analysis\r\nThe initial spread starts with a malicious shell script that’s run on a victim machine. The shell script checks for the presence of the /dev/shm/.alsp file, which can also be an indicator of compromise. If the file is not found, the script starts doing its job.\r\nFigure 1. The malicious script checks for the presence of the /dev/shm/.alsp file in a system\r\nThe script will then try to install the curl, wget, bash, make, gcc, and pnscan packages.\r\nFigure 2. The malicious script attempts to install the curl, wget, make, gcc, and pnscan packages\r\nBecause of the package managers used in the malicious script, specifically apt-get and yum, we assume that the authors implemented support for both Debian- and Red Hat-based distributions of Linux.\r\nThe script will then attempt to download and execute multiple binaries, including pnscan, a tool used for port scanning. This tool is also downloaded manually in case it is not found in the expected directory.\r\nhttps://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html\r\nPage 1 of 7\r\nThe following are the executed binaries in this attack:\r\n/dev/shm/sbin\r\n/usr/bin/tshd\r\n/usr/bin/kube\r\n/usr/bin/bioset\r\nAfterward, the script steals several pieces of confidential information from the infected system, such as:\r\nRSA (Rivest-Shamir-Adleman) keys used for SSH access (AWS path included)\r\nBash history\r\nAWS and Docker configuration files\r\n/etc/group, /etc/passwd, /etc/shadow, /etc/gshadow\r\nThe malicious actors will then upload this stolen information as a TGZ (tar.gz) file via an HTTP POST request to an attacker-provided URL. We suspect that the collected information will serve as a knowledge base for the improvement of subsequent attacks.\r\nFigure 3. Stolen information from an infected machine is uploaded via a TGZ file to a malicious URL\r\nThe script also tries to find accessible devices based on the output of the ip route command, which shows routes to accessible networks. This information is then passed to the pnscan tool for a scan of the active SSH daemons on the network. The keys found on the system are used for authentication attempts on the newly discovered devices. If these attempts are successful, the same payload is deployed on the new devices and the attack propagates.\r\nFigure 4. The malicious script performs a scan of active SSH daemons on an infected network and attempts to use stolen keys to access network-connected devices\r\nA closer look at relevant binaries\r\nThe binaries target CPUs based on the x86-64 instruction set. The first layer of all these binaries is packed by the well-known UPX packer.\r\n/dev/shm/sbin\r\nThe binary is compiled using the Go compiler and contains an ELF (Executable and Linkable Format) file that uses AES (Advanced Encryption Standard) encryption. We presume that the packer used is a Go version of LaufzeitCrypter.\r\nFigure 5. A Go-compiled binary that contains an AES-encrypted ELF file\r\nAfter decrypting the file, we found the binary’s final payload: an XMRig cryptocurrency miner.\r\n/usr/bin/tshd\r\nThis bind shell listens on TCP (Transmission Control Protocol) port 51982. The communication is encrypted with a hard-coded key.\r\nFigure 6. The bind shell that listens on TCP port 51982\r\n/usr/bin/bioset\r\nThis is a bind shell that listens on TCP port 1982. The communication is encrypted using the Blowfish encryption algorithm with a hard-coded key. After analysis, we discovered that this implementation does not work correctly on some platforms. The binary also renames its process name to systemd.\r\nFigure 7. The bind shell that listens on TCP port 1982\r\n/usr/bin/kube\r\nThis binary is Go-compiled and contains an AES-encrypted ELF file. This is dynamically loaded during execution, and the same packer with the Go version of LaufzeitCrypter is used. The AES key and initialization vector (IV) are hard-coded in the binary.\r\nThe final payload of this binary is an IRC bot, which the authors named TNTbotinger. This bot features the following DDoS commands:\r\nDDoS command | Function\r\nPAN \u003ctarget\u003e \u003cport\u003e \u003csecs\u003e | An advanced SYN flooder that kills most network drivers\r\nUDP \u003ctarget\u003e \u003cport\u003e \u003csecs\u003e | A UDP (User Datagram Protocol) flooder\r\nUNKNOWN \u003ctarget\u003e \u003csecs\u003e | Nonspoof UDP flooder\r\nRANDOMFLOOD \u003ctarget\u003e \u003cport\u003e \u003csecs\u003e | A SYN-ACK flooder\r\nNSACKFLOOD \u003ctarget\u003e \u003cport\u003e \u003csecs\u003e | A new-generation ACK flooder\r\nNSSYNFLOOD \u003ctarget\u003e \u003cport\u003e \u003csecs\u003e | A new-generation SYN flooder\r\nSYNFLOOD \u003ctarget\u003e \u003cport\u003e \u003csecs\u003e | A classic SYN flooder\r\nACKFLOOD \u003ctarget\u003e \u003cport\u003e \u003csecs\u003e | A classic ACK flooder\r\nGETSPOOFS | A command that gets the current spoofing\r\nSPOOFS \u003csubnet\u003e | A command that changes spoofing to a subnet\r\nKILLALL | A command that kills all current packeting\r\nTNTbotinger also has the following IRC bot commands:\r\nIRC bot command | Function\r\nNICK \u003cnick\u003e | Changes the nickname of the client\r\nSERVER \u003cserver\u003e | Changes servers\r\nIRC \u003ccommand\u003e | Sends a command to the server\r\nDISABLE | Disables all packeting from the client\r\nENABLE | Enables all packeting from the client\r\nKILL | Kills the client\r\nVERSION | Requests the version of the client\r\nHELP | Displays the help file\r\nGET \u003chttp address\u003e \u003csave as\u003e | Downloads a file from the web and saves it to disk\r\nUPDATE \u003chttp address\u003e \u003csrc:bin\u003e | Updates the bot\r\nHACKPKG \u003chttp address\u003e \u003cbin name\u003e | Installs a binary with no dependencies\r\nThis bot also features the following Unix shell commands:\r\nUnix shell command | Function\r\nSH \u003ccommand\u003e | Executes a command\r\nISH \u003ccommand\u003e | Enables the facilities of an operating system to be made available to interactive users\r\nSHD \u003ccommand\u003e | Executes a daemonized command\r\nBASH \u003ccommand\u003e | Executes a command using Bash (if applicable)\r\nSYSINFO | Collects information and reports about system configuration, setup, and usage\r\nRSHELL \u003cserver\u003e \u003cport\u003e | Opens a remote shell\r\nConclusion and security recommendations\r\nThe Linux threat landscape is constantly evolving. This latest attack from TeamTNT is a good example of how a whole network segment, including the cloud, could be compromised by malicious actors. We are seeing just how serious they are in ensuring the increased success rates and stability of their attacks, as evidenced here by TeamTNT’s use of the wget/curl binaries for payload deployment and its use of bind shell redundancy.\r\nIn a successful TNTbotinger attack, attackers will be able to infiltrate an infected system. Once inside, they will be able to see vulnerable instances on accessible network segments, and they can perform RCE on devices that are supposed to be shielded from the outside world.\r\nIt’s important for enterprises to adopt stringent security practices such as the following to keep their systems secure:\r\nImplement policies that prioritize continuous monitoring and auditing of devices, especially those used to access the office network.\r\nAdhere to the principle of least privilege when granting permissions.\r\nRegularly patch and update systems to reduce exposure to vulnerabilities and other critical threats.\r\nEnsure that passwords are strong. Change default passwords and adjust security settings based on the enterprise’s needs.\r\nTrend Micro solutions\r\nThe Trend Micro Network Defense solution preserves the integrity of networks, prevents breaches and targeted attacks, and ensures that critical data, communications, intellectual property, and other intangible assets are not exploited by malicious actors. It provides a next-generation intrusion prevention system (IPS), anomaly detection, custom sandbox analysis, and threat insight.\r\nCloud-specific security solutions such as Trend Micro Hybrid Cloud Security can help protect cloud-native systems and their various layers. It’s powered by the Trend Micro Cloud One™ security services platform for cloud builders, which provides automated protection for the continuous integration and continuous delivery (CI/CD) pipeline and applications. It also helps identify and resolve security issues sooner and improve delivery time for DevOps teams. The Trend Micro Cloud One platform includes:\r\nWorkload Security: runtime protection for workloads\r\nContainer Security: automated container image and registry scanning\r\nFile Storage Security: security for cloud file and object storage services\r\nNetwork Security: cloud network layer IPS security\r\nApplication Security: security for serverless functions, APIs, and applications\r\nConformity: real-time security for cloud infrastructure — secure, optimize, comply\r\nIndicators of compromise\r\nFile name | Functionality | SHA-256 | Trend Micro detection\r\nSSH | Shell script dropper, uploader | D9C46904D5BB808F2F0C28E819A31703F5155C4DF66C4C4669F5D9E81F25DC66 | Trojan.SH.MALXMR\r\nsbin | XMRig | E52646F7CB2886D8A5D4C1A2692A5AB80926E7CE48BDB2362F383C0C6C7223A2 | Trojan.Linux.BTCWA\r\ntshd | Bind shell (TCP port 51982) | 252BF8C685289759B90C1DE6F9DB345C2CFE62E6F8AAD9A7F44DFB3C8508487A | Backdoor.Linux.REK\r\nkube | IRC bot | B666CD08B065132235303727F2D77997A30355AE0E5B557CD08D41C9ADE7622D | Trojan.Linux.MALXM\r\nbioset | Bind shell (TCP port 1982) | E15550481E89DBD154B875CE50CC5AF4B49F9FF7B837D9AC5B5594E5D63966A3 | Trojan.Linux.MALXM\r\nSource: https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html"
	],
	"report_names": [
		"teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html"
	],
	"threat_actors": [
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434774,
	"ts_updated_at": 1775791624,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b6f44180d41aa6f022942317bb5efe535a1ea4f.pdf",
		"text": "https://archive.orkl.eu/3b6f44180d41aa6f022942317bb5efe535a1ea4f.txt",
		"img": "https://archive.orkl.eu/3b6f44180d41aa6f022942317bb5efe535a1ea4f.jpg"
	}
}