{
	"id": "acd5ea1e-5616-4f1c-b1cd-a39a4b22a1f8",
	"created_at": "2026-04-06T00:11:22.661508Z",
	"updated_at": "2026-04-10T03:27:04.630397Z",
	"deleted_at": null,
	"sha1_hash": "4e1738f045235307c32ec0f3a8c368e2ce6ab67d",
	"title": "Team TNT Deploys Malicious Docker Image on Docker Hub",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3091543,
	"plain_text": "Team TNT Deploys Malicious Docker Image on Docker Hub\r\nBy Siddharth Sharma\r\nPublished: 2021-10-07 · Archived: 2026-04-05 17:21:47 UTC\r\nThe Uptycs Threat Research Team recently identified a campaign in which the TeamTNT threat actors deployed a malicious container image (hosted on Docker Hub) with an embedded script that downloads the zgrab and masscan scanners, tools normally used in penetration testing for banner grabbing and port scanning respectively. Using the scanning tools inside the malicious Docker image, the threat actor looks for more targets in the victim's subnet and then carries out further malicious activity on them.\r\nCriminal groups continue to target Docker Hub, GitHub and other shared repositories with container images and software components that include malicious scripts and tools. They often aim to spread coinminer malware, hijacking the computing resources of victims to mine cryptocurrency.\r\nIn this post, we detail the technical analysis of the malicious components deployed by the TeamTNT threat actor.\r\nAlpineos Profile - Responsible Disclosure\r\nThe malicious Docker image was hosted on Docker Hub under the handle alpineos, a community user who joined Docker Hub on May 26, 2021. At the time of this writing, the alpineos profile was hosting 25 Docker images (see Figure 1).\r\nFigure 1: Alpineos Docker Hub handle\r\nThe Dockerapi image we analysed had 5,400 downloads within approximately two weeks of being added. Another Docker image from the repository, 'basicxmr', has been downloaded more than 100,000 times. This clearly suggests that the profile is actively developing malicious images.\r\nhttps://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools\r\nThe Uptycs Threat Research Team reported the Docker image hosted on Docker Hub to Docker Hub's security team on September 30, 2021.\r\nTeamTNT threat actor\r\nTeamTNT is a well known threat actor that targets *nix based systems and misconfigured Docker container environments. Threat actors associated with TeamTNT mostly use open-source tools in their campaigns, such as the XMRig miner, the Tsunami IRC bot (a.k.a. Kaiten) and the Diamorphine rootkit.\r\nThe Attack Kill Chain\r\nThe attack kill chain we observed TeamTNT using is shown below (see Figure 2).\r\nFigure 2: TeamTNT attack life cycle\r\nThe different stages of the attack kill chain depicted above are as follows:\r\nUsing the monero-ocean shell script, TeamTNT/Hilde deployed a new malicious Docker image named Dockerapi, hosted on Docker Hub.\r\nUsing Docker, the malicious image was run with the --privileged flag, with the victim host's filesystem mounted inside the container at /host and with the host's network configuration.\r\nThe malicious Docker image had an embedded shell script named 'pause'.\r\nThe 'pause' shell script inside the malicious Docker image had commands to install the masscan and zgrab tools.\r\nAfter setting up the scanning tools, the functions in the 'pause' script scan the victim subnet aggressively on Docker-related ports for more target machines (nodes). A node is a member of a Docker swarm, a group of physical or virtual machines operating as a cluster.
\r\nOnce a target node is found by the Docker-related port scan, the pause shell script remotely runs a stock alpine image on the target node (from the victim machine), passing a base64-encoded command as its command line. The command:\r\n1. Generates an SSH key pair and appends the public key to the authorized_keys file.\r\n2. Logs into the target node's host via SSH and downloads the monero-ocean shell script from the C2 (teamtnt[.]red) onto the target node's host.\r\nThe monero-ocean shell script in this campaign later deploys the XMRig miner and the Tsunami IRC bot on the system it is run on.\r\nThe monero-ocean shell script also downloads another shell script (the Diamorphine shell script) which downloads and deploys the Diamorphine rootkit on the victim's system.\r\nThe Diamorphine rootkit hides PIDs, hooks the syscall table and grants root privileges to a chosen PID.\r\nTechnical Analysis\r\nThe monero-ocean shell script (c21d1e12fea803793b39225aee33fe68b3184fff384b1914e0712e10630e523e) used as the initial vector had the following command to deploy the alpineos/Dockerapi image onto the victim system (see Figure 3).\r\nFigure 3: Command to deploy Dockerapi container image\r\nThe command shown above runs the Dockerapi image with the following:\r\n--privileged flag, which removes most of the isolation between the container and the host\r\n--net=host flag, so the container shares the host's network namespace and sees the host's network configuration\r\nthe host filesystem bind-mounted at /host inside the container\r\nUsing the command docker ps, we can see that the malicious image runs the pause shell script (see Figure 4).\r\nFigure 4: Dockerapi image runs pause shell script\r\nThe pause shell script inside the Docker image installs basic utilities and the scanning tools zgrab and masscan (see Figure 5).\r\nFigure 5: Initial setup done by pause shell script\r\nUpon installation of these tools, commands inside the pause shell script start heavy scanning of Docker-related ports in an attempt to target more nodes (machines) in the victim subnet (see Figures 6 and 7).\r\nFigure 6: Docker-related ports scanned in the victim subnet\r\nFigure 7: Masscan and zgrab commands used for scanning\r\nMasscan and zgrab\r\nThe masscan and zgrab commands in the container image are used for port scanning and banner grabbing. Their functionality is described below.\r\nmasscan 1.0.0.0/8 -p2377 --rate 50000\r\nmasscan works much like the nmap utility, scanning target IPs for open ports. Here it sweeps the entire 1.0.0.0/8 range for TCP port 2377 (the Docker Swarm cluster-management port) at 50,000 packets per second, an aggressive rate that is noisy enough to be a detection opportunity in its own right.\r\nzgrab --senders 200 --port 2377 --http=/v1.16/version --output-file=- 2>/dev/null\r\nzgrab is the application-layer scanner and banner grabber from the ZMap project. Here the attacker runs it with 200 sender coroutines (threads) against port 2377, requesting the Docker API version endpoint /v1.16/version from each host so that hosts answering with a Docker version banner can be picked out. Results are written to standard output (--output-file=-) and errors are discarded (2>/dev/null).\r\nAlpine Docker image deployment\r\nOnce the scan has found a target node, the command inside the pause shell script performs the following:\r\n1. Remotely runs the alpine Docker image on the target node with full privileges and the host filesystem mounted.\r\n2. Passes a base64-encoded command which adds newly generated SSH keys to the authorized_keys file.\r\n3. Using the same command, logs into the target node's host with SSH and downloads the monero-ocean shell script onto the target host (see Figures 8 and 9).\r\nFigure 8: base64 encoded command passed with misconfigured alpine image\r\nFigure 9: Decoded base64 - monero-ocean shell script being downloaded and executed\r\nXMRig miner, IRC bot and Diamorphine rootkit\r\nThe monero-ocean shell script later deploys the XMRig miner and the Tsunami IRC bot on the system it is run on (see Figures 10 and 11).\r\nFigure 10: Command to download XMRig miner\r\nFigure 11: Command to download IRC bot\r\nThe IRC bot on the victim machine communicates with the attacker's C2 over port 8080 (see Figure 12).\r\nFigure 12: IRC communication on port 8080\r\nAlongside this, the monero-ocean shell script also contained the command to download the Diamorphine rootkit shell script (see Figure 13).\r\nFigure 13: Command to download Diamorphine shell script\r\nThe Diamorphine shell script (418d1ea67110b176cd6200b6ec66048df6284c6f2a0c175e9109d8e576a6f7ab) deploys the Diamorphine rootkit on the victim system (see Figure 14).\r\nFigure 14: Diamorphine rootkit being compiled and deployed\r\nThe Diamorphine rootkit hides PIDs, hooks the syscall table and grants root privileges to a chosen PID (see Figures 15 and 16).\r\nFigure 15: CR0 WP bit modification for syscall table hooking\r\nFigure 16: Hooked syscalls (getdents and kill)\r\nUptycs EDR detections\r\nThe Uptycs EDR, armed with YARA process scanning, detected the malware components involved in this campaign with a threat score of 10/10 (see Figures 17, 18 and 19). 
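As an added example that is not code from the Uptycs post or from TeamTNT's tooling, the following Python turns the observables described above into checks a defender can run: a container started with --privileged, host networking and the host root bind-mounted; masscan or zgrab aimed at Docker ports; and a docker client driving a remote daemon into a privileged, host-mounted run whose payload is base64-decoded. The container records, command lines, port list (2375/2376/2377) and tag names are all assumptions of the example, constructed to mirror the report's description, not data taken from it.

```python
import re
import shlex

# Constructed sample telemetry (not taken from the report): container records
# shaped like the HostConfig/Config fields of `docker inspect`, and process
# command lines as an EDR or auditd would record them. The first container and
# the first three command lines mimic the behaviour the report describes; the
# rest are benign controls.
SAMPLE_CONTAINERS = [
    {
        'Name': '/dockerapi',
        'Config': {'Image': 'alpineos/dockerapi', 'Cmd': ['/pause']},
        'HostConfig': {'Privileged': True, 'NetworkMode': 'host',
                       'Binds': ['/:/host']},
    },
    {
        'Name': '/web',
        'Config': {'Image': 'nginx:1.21', 'Cmd': ['nginx', '-g', 'daemon off;']},
        'HostConfig': {'Privileged': False, 'NetworkMode': 'bridge',
                       'Binds': ['/srv/www:/usr/share/nginx/html:ro']},
    },
]

SAMPLE_CMDLINES = [
    'masscan 1.0.0.0/8 -p2377 --rate 50000',
    'zgrab --senders 200 --port 2377 --http=/v1.16/version --output-file=-',
    # Hypothetical shape of the remote privileged run; the base64 payload is a dummy.
    '''docker -H tcp://10.0.0.23:2375 run -d --privileged --net=host -v /:/host alpine sh -c 'echo aWQgPiAvdG1wL2lk | base64 -d | sh' ''',
    'nmap -sV 10.0.0.0/24 -p 443',
    'masscan 10.0.0.0/16 -p443 --rate 1000',
]

DOCKER_PORTS = {'2375', '2376', '2377'}  # plain API, TLS API, Swarm management
SCANNERS = {'masscan', 'zgrab', 'zmap', 'nmap'}


def inspect_findings(container):
    '''Tag one docker-inspect-style record with the three settings the report
    highlights: --privileged, host networking, host root bind-mounted.'''
    host = container.get('HostConfig', {})
    tags = []
    if host.get('Privileged'):
        tags.append('privileged')
    if host.get('NetworkMode') == 'host':
        tags.append('host-network')
    if any(b.split(':')[0] == '/' for b in host.get('Binds') or []):
        tags.append('host-root-mounted')
    return tags


def scanned_ports(argv):
    '''Collect the ports named by -pN, -p N, --port N or --ports N.'''
    ports = set()
    for i, arg in enumerate(argv):
        if arg.startswith('-p') and len(arg) > 2:
            ports.update(arg[2:].split(','))      # masscan/nmap style: -p2377
        elif arg in ('-p', '--port', '--ports') and i + 1 < len(argv):
            ports.update(argv[i + 1].split(','))  # zgrab style: --port 2377
    return ports


def cmdline_findings(cmdline):
    '''Tag one recorded command line: a scanner aimed at Docker ports, or a
    docker client driving a remote daemon into a privileged host-mounted run.'''
    argv = shlex.split(cmdline)
    if not argv:
        return []
    prog = argv[0].rsplit('/', 1)[-1]
    joined = ' '.join(argv)
    tags = []
    if prog in SCANNERS:
        hit = scanned_ports(argv) & DOCKER_PORTS
        if hit:
            tags.append('docker-port-scan:' + ','.join(sorted(hit)))
    if prog == 'docker':
        if '-H' in argv or any(a.startswith('--host') for a in argv):
            tags.append('remote-docker-api')
        if '--privileged' in argv:
            tags.append('privileged')
        if re.search('--net(work)?[ =]host', joined):
            tags.append('host-network')
        if re.search('(-v|--volume)[ =]/:', joined):
            tags.append('host-root-mounted')
        if 'base64 -d' in joined or 'base64 --decode' in joined:
            tags.append('base64-decoded-payload')
    return tags


def triage(containers, cmdlines):
    '''Run both checks; return {container name or command line: tags} for hits only.'''
    report = {}
    for c in containers:
        tags = inspect_findings(c)
        if tags:
            report[c['Name']] = tags
    for line in cmdlines:
        tags = cmdline_findings(line)
        if tags:
            report[line.strip()] = tags
    return report


if __name__ == '__main__':
    for source, tags in triage(SAMPLE_CONTAINERS, SAMPLE_CMDLINES).items():
        print(source, '->', ', '.join(tags))
```

To use it against real data, load the output of docker inspect with json.load and feed each recorded process command line to cmdline_findings. The nmap and masscan-on-443 controls show why the scanner rule keys on the target port rather than the tool name: ordinary vulnerability scanning stays out of the alert stream, while any sweep that includes a Docker port is flagged regardless of which scanner is used.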
Uptycs also offers the following capabilities to secure container deployments:\r\nUptycs integrates with CI/CD tools so that developers can initiate image scans at build time to detect malicious container images before they are deployed to production.\r\nUptycs continuously monitors and reports on compliance with the CIS Benchmark for Docker to identify misconfigurations that attackers can exploit, and offers remediation guidance so that your team can quickly fix those issues.\r\nFigure 17: Uptycs EDR detection\r\nFigure 18: masscan command captured by the Uptycs EDR\r\nFigure 19: zgrab command captured by the Uptycs EDR\r\nConclusion\r\nDocker containers have become an integral part of organisations, and many services now run in isolated Docker containers. Threat actors, for their part, are deploying malicious components to escape Docker containers and target the host machines, the other nodes on the subnet and the swarm they belong to. To maintain a robust security posture it is therefore crucial to detect malicious images early in the CI/CD pipeline as well as to monitor all container activity at runtime.\r\nThe EDR capabilities of Uptycs empower security teams to detect and investigate attacks on their Docker infrastructure.\r\nCredits: Thanks to Uptycs Threat Research Team members for their inputs and research.\r\nIOCs\r\nc21d1e12fea803793b39225aee33fe68b3184fff384b1914e0712e10630e523e  monero-ocean shell script\r\n418d1ea67110b176cd6200b6ec66048df6284c6f2a0c175e9109d8e576a6f7ab  Diamorphine shell script\r\n497c5535cdc283079363b43b4a380aefea9deb1d0b372472499fcdcc58c53fef  pause shell script\r\n0534c5a5cde1e7d36103b690152a1b426fa87d15b3c4ff59b5bc988b99c3aaaf  XMRig miner\r\nfe3c5c4f94b90619f7385606dfb86b6211b030efe19b49c12ead507c8156507a  IRC bot\r\nteamtnt[.]red  C2\r\n45.9[.]148[.]182  IP address hosting the IRC bot\r\nWant to learn more about what threats you need to be on the lookout for?\r\nDownload your copy of the Threat Research Bulletin.\r\nSource: https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools"
	],
	"report_names": [
		"team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools"
	],
	"threat_actors": [
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434282,
	"ts_updated_at": 1775791624,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e1738f045235307c32ec0f3a8c368e2ce6ab67d.pdf",
		"text": "https://archive.orkl.eu/4e1738f045235307c32ec0f3a8c368e2ce6ab67d.txt",
		"img": "https://archive.orkl.eu/4e1738f045235307c32ec0f3a8c368e2ce6ab67d.jpg"
	}
}