{
	"id": "6664fc28-65d1-4247-b113-231d9993aab9",
	"created_at": "2026-04-06T00:08:37.253676Z",
	"updated_at": "2026-04-10T03:27:04.724917Z",
	"deleted_at": null,
	"sha1_hash": "438d68c8de123a74ef627d6d2405d9443fb82902",
	"title": "Threat Alert: TeamTNT Pwn Campaign Against Docker and K8s Environments",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50166,
	"plain_text": "Threat Alert: TeamTNT Pwn Campaign Against Docker and K8s\r\nEnvironments\r\nPublished: 2021-02-17 · Archived: 2026-04-05 13:23:05 UTC\r\nLast week, TeamTNT launched a new campaign against Docker and Kubernetes environments. Using a collection\r\nof container images that are hosted in Docker Hub, the attackers are targeting misconfigured docker daemons,\r\nKubeflow dashboards, and Weave Scope, exploiting these environments in order to steal cloud credentials, open\r\nbackdoors, mine cryptocurrency, and launch a worm that is looking for the next victim. In this blog, I will explore\r\nthese container images and what they were designed to do.\r\nThe Docker Hub account ‘heavy0x0james’ was created on June 3rd, 2019. In February 2021, the adversaries\r\nuploaded six malicious container images that have been observed to perform attacks in the wild. All six container\r\nimages initially run a shell file named init.sh , but in each image it does something different. Then the attackers\r\nleverage a binary named zgrab (MD5= 7691c55732fded10fca0d6ccc64e41dc) in order to scan the internet for\r\nmore victims.\r\nBelow is the list of these malicious container images and their capabilities:\r\nContainer images Capabilities\r\nWescopwn\r\nRun a cryptominer\r\nExecute a worm\r\nScan ports 80, 443, 8080, 8888\r\nLook for vulnerable weave scope applications\r\nExecute Tsunami malware\r\nTornadopwn\r\nExecute a worm\r\nScan AWS IP ranges\r\nScan ports 80, 443, 8080, 8888\r\nLook for vulnerable Kubeflow and Jupyter notebooks\r\nJaganod\r\nExecute a trojan (/usr/local/lib/dockerd.so)\r\nExecute a worm\r\nScan ports 80, 2375, 2376, 4243, 4040, 8888\r\nLook for vulnerable Docker daemons, vulnerable weave scope applications and\r\nvulnerable Kubeflow and Jupyter notebooks\r\nhttps://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment\r\nPage 1 of 3\n\nAwspwner\r\nExecute a worm\r\nScan AWS IP ranges\r\nScan ports 2375, 2376, 2377, 4244, 4243\r\nExecute 
AWS keys grabber\r\nTornadorangepwn\r\nExecute a worm\r\nScan ports 80, 443, 8080, 8888\r\nExecute AWS keys grabber\r\nConclusion\r\nOver the last few years, we at Team Nautilus have detected many kinds of attacks against Docker and Kubernetes\r\nenvironments, but this is the first time that we see a campaign designed to massively and systematically scan the\r\ninternet, search for specific misconfigurations or outdated software, and attack the potential victims. Some of\r\nthese images deploy a cryptominer, some open backdoors, and others are looking to steal AWS keys. These\r\nfindings should alert security practitioners that even the smallest misconfiguration even for a fraction of time\r\nmatters as it can result in a cyberattack.\r\nWhen working with Docker and K8s environments, we recommend following these security best practices:\r\n1. Regularly update your cloud software, specifically Docker and Kubernetes projects. Previous versions\r\ntypically have more known vulnerabilities.\r\n2. If possible, avoid exposing unnecessary APIs to the internet. Additionally, try limiting APIs inbound and\r\noutbound traffic to your organization’s network range.\r\n3. Review authorization and authentication policies, basic security policies, and adjust them according to\r\nthe principle of least privilege.\r\n4. Regularly monitor the runtime environment. This includes monitoring the running containers, their\r\nimages, and the processes that they run. Investigate logs, mostly around user actions, look for actions you\r\ncan’t account for regular anomalies or outliers.\r\n5. 
Implement a security strategy where you can easily enforce runtime policies, as well as consider using\r\ncloud security tools that will widen your scope and reach within your cloud resources.\r\nIndications of Compromise (IOCs)\r\nheavy0x0james/dockgeddon:latest\r\nroot/dockerd (MD5= 091efbe14d22ecb8a39dd1da593f03f4)\r\nroot/dockerd (MD5= 091efbe14d22ecb8a39dd1da593f03f4)\r\nC2= 45[.]9[.]148[.]85\r\nhttps://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment\r\nPage 2 of 3\n\nheavy0x0james/wescopwn:latest\r\nroot/dockerd (MD5= 091efbe14d22ecb8a39dd1da593f03f4)\r\nroot/TNTfeatB0RG (MD5= 624e902dd14a9064d6126378f1e8fc73)\r\nC2= 45[.]9[.]148[.]85, borg[.]wtf\r\nheavy0x0james/tornadopwn:latest\r\nC2= 45[.]9[.]148[.]85\r\nheavy0x0james/jaganod:latest\r\nusr/local/lib/dockerd.so (MD5= e8b1dc73a3299325f5c9a8aed41ba352)\r\nroot/dockerd (MD5= 091efbe14d22ecb8a39dd1da593f03f4)\r\nC2= 45[.]9[.]148[.]85\r\nheavy0x0james/awspwner:latest\r\naws.sh\r\nC2= borg[.]wtf\r\nheavy0x0james/tornadorangepwn:latest\r\naws.sh\r\nC2= borg[.]w\r\nSource: https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment\r\nhttps://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment"
	],
	"report_names": [
		"teamtnt-campaign-against-docker-kubernetes-environment"
	],
	"threat_actors": [
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434117,
	"ts_updated_at": 1775791624,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/438d68c8de123a74ef627d6d2405d9443fb82902.pdf",
		"text": "https://archive.orkl.eu/438d68c8de123a74ef627d6d2405d9443fb82902.txt",
		"img": "https://archive.orkl.eu/438d68c8de123a74ef627d6d2405d9443fb82902.jpg"
	}
}
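The report's IOC list and its recommendation to stop exposing the Docker API can be turned into a host-side sweep. The following is an added example, not Aqua's code and not part of the archived record above: it matches the report's image names, file MD5s and C2 address against constructed samples of `docker ps --format '{{.ID}} {{.Image}}'`, `md5sum` and `ss -antp` output, and also flags a Docker API listener bound to a wildcard address on one of the ports the worm scans. The sample lines, container IDs and PIDs are invented for the demonstration.

```python
"""Host-side IOC sweep for the TeamTNT 'heavy0x0james' campaign.

Added example, not Aqua's code. Sample inputs are constructed to resemble
`docker ps --format '{{.ID}} {{.Image}}'`, an `md5sum` listing and
`ss -antp` output; feed real command output on a host under investigation.
"""
import re

# Indicators taken from the report's IOC section (image names, MD5s, C2 IP).
IOC_IMAGES = {
    "heavy0x0james/dockgeddon", "heavy0x0james/wescopwn",
    "heavy0x0james/tornadopwn", "heavy0x0james/jaganod",
    "heavy0x0james/awspwner", "heavy0x0james/tornadorangepwn",
}
IOC_MD5 = {
    "091efbe14d22ecb8a39dd1da593f03f4": "root/dockerd",
    "624e902dd14a9064d6126378f1e8fc73": "root/TNTfeatB0RG",
    "e8b1dc73a3299325f5c9a8aed41ba352": "usr/local/lib/dockerd.so",
    "7691c55732fded10fca0d6ccc64e41dc": "zgrab",
}
IOC_C2_IPS = {"45.9.148.85"}
# Docker API ports the worm scans; a listener on a wildcard address here is
# the misconfiguration the campaign hunts for (recommendation 2 in the report).
DOCKER_API_PORTS = {2375, 2376, 2377, 4243, 4244}
WILDCARD = {"0.0.0.0", "*", "::", "[::]"}


def image_repo(image):
    """Strip tag or digest: 'heavy0x0james/jaganod:latest' -> 'heavy0x0james/jaganod'."""
    repo = image.split("@", 1)[0]
    # A ':' after the last '/' is a tag; an earlier one is a registry port.
    head, _, tail = repo.rpartition("/")
    return (head + "/" if head else "") + tail.split(":", 1)[0]


def check_images(ps_lines):
    """Return (container_id, image) for running containers from the campaign."""
    hits = []
    for line in ps_lines:
        parts = line.split()
        if len(parts) >= 2 and image_repo(parts[1]) in IOC_IMAGES:
            hits.append((parts[0], parts[1]))
    return hits


def check_hashes(md5sum_lines):
    """Return (path, md5, ioc_name) for files whose MD5 is in the report."""
    hits = []
    for line in md5sum_lines:
        md5, _, path = line.strip().partition("  ")
        if md5.lower() in IOC_MD5:
            hits.append((path, md5.lower(), IOC_MD5[md5.lower()]))
    return hits


def split_addr(addr):
    """'45.9.148.85:443' -> ('45.9.148.85', 443); a '*' port becomes None."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def check_connections(ss_lines):
    """Flag sockets talking to the C2 and Docker API listeners open to the world."""
    c2, exposed = [], []
    for line in ss_lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        lhost, lport = split_addr(local)
        phost, _ = split_addr(peer)
        proc = re.search(r'\("([^"]+)",pid=(\d+)', line)
        owner = f"{proc.group(1)}[{proc.group(2)}]" if proc else "?"
        if phost in IOC_C2_IPS:
            c2.append((owner, peer))
        if state == "LISTEN" and lhost in WILDCARD and lport in DOCKER_API_PORTS:
            exposed.append((owner, local))
    return {"c2": c2, "exposed_docker_api": exposed}


def sweep(ps_lines, md5sum_lines, ss_lines):
    """Run all three checks and return one dict of findings."""
    return {"images": check_images(ps_lines),
            "files": check_hashes(md5sum_lines),
            **check_connections(ss_lines)}


# Constructed sample data (IDs, PIDs and the benign entries are invented).
SAMPLE_PS = [
    "3f2a9c1d77b1 heavy0x0james/jaganod:latest",
    "9b8e7d6c5a41 nginx:1.25-alpine",
    "c0ffee123456 registry.internal:5000/team/app:2.1",
]
SAMPLE_MD5 = [
    "091efbe14d22ecb8a39dd1da593f03f4  /root/dockerd",
    "e8b1dc73a3299325f5c9a8aed41ba352  /usr/local/lib/dockerd.so",
    "d41d8cd98f00b204e9800998ecf8427e  /tmp/empty",
]
SAMPLE_SS = [
    "State Recv-Q Send-Q Local Address:Port Peer Address:Port Process",
    'LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:* users:(("dockerd",pid=811,fd=5))',
    'LISTEN 0 4096 127.0.0.1:2376 0.0.0.0:* users:(("dockerd",pid=811,fd=6))',
    'ESTAB 0 0 10.0.0.5:51234 45.9.148.85:443 users:(("dockerd",pid=4242,fd=9))',
]

if __name__ == "__main__":
    for key, hits in sweep(SAMPLE_PS, SAMPLE_MD5, SAMPLE_SS).items():
        print(key, hits)
```

The loopback listener on 2376 is deliberately not flagged: the report's advice is to keep the API off the internet, and a socket bound to 127.0.0.1 is not reachable by the worm's scan. A process named dockerd connecting to the C2 is the kind of finding the hash check complements, since the campaign's trojan reuses that name.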