{
	"id": "ec846174-7706-46de-8b2e-7fb49b3fc212",
	"created_at": "2026-04-06T00:15:23.437284Z",
	"updated_at": "2026-04-10T13:11:39.715306Z",
	"deleted_at": null,
	"sha1_hash": "bdd272a3d12333e3ef1af19b58b3aff8de965c93",
	"title": "TeamTNT (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77101,
	"plain_text": "TeamTNT (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 18:19:59 UTC\r\nSince Fall 2019, Team TNT has been a well-known threat actor that targets *nix based systems and misconfigured\r\nDocker container environments. It has constantly evolved its capabilities for its cloud-based cryptojacking\r\noperations. They have shifted their focus to compromising Kubernetes Clusters.\r\n2024-09-18 ⋅ Group-IB ⋅ Nam Le Phuong, Vito Alfano\r\nStorm clouds on the horizon: Resurgence of TeamTNT?\r\nTeamTNT 2023-07-13 ⋅ Aqua Nautilus ⋅ Assaf Morag, Ofek Itach\r\nTeamTNT Reemerged with New Aggressive Cloud Campaign\r\nTeamTNT 2023-07-05 ⋅ Aqua Nautilus ⋅ Assaf Morag, Ofek Itach\r\nThreat Alert: Anatomy of Silentbob’s Cloud Attack\r\nTeamTNT Tsunami 2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42\r\nThief Libra\r\nTeamTNT Watchdog 2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42\r\nAdept Libra\r\nTeamTNT TeamTNT 2022-03-02 ⋅ CyberArk ⋅ CyberArk Labs\r\nConti Group Leaked!\r\nTeamTNT Conti TrickBot 2022-02-18 ⋅ Intezer ⋅ Intezer\r\nTeamTNT Cryptomining Explosion\r\nTeamTNT 2022-02-09 ⋅ vmware ⋅ VMWare\r\nExposing Malware in Linux-Based Multi-Cloud Environments\r\nACBackdoor BlackMatter DarkSide Erebus HelloKitty Kinsing PLEAD QNAPCrypt RansomEXX REvil Sysrv-hello TeamTNT Vermilion Strike Cobalt Strike 2022-01-01 ⋅ Toli Security ⋅ Toli Security\r\nActive crypto-mining operation by TeamTNT\r\nTeamTNT 2021-12-07 ⋅ sysdig ⋅ Alberto Pellitteri\r\nThreat news: TeamTNT stealing credentials using EC2 Instance Metadata\r\nTeamTNT 2021-12-01 ⋅ Trend Micro ⋅ Trend Micro Research\r\nAnalyzing How TeamTNT Used Compromised Docker Hub Accounts\r\nTeamTNT 2021-11-03 ⋅ Trend Micro ⋅ Alfredo Oliveira, David Fiser\r\nTeamTNT Upgrades Arsenal, Refines Focus on Kubernetes and GPU Environments\r\nTeamTNT 2021-10-07 ⋅ Uptycs ⋅ Siddharth Sharma\r\nTeam TNT Deploys Malicious Docker Image On Docker Hub\r\nTeamTNT 2021-10-06 ⋅ Anomali ⋅ Tara Gould\r\nInside TeamTNT’s Impressive 
Arsenal: A Look Into A TeamTNT Server\r\nTeamTNT 2021-09-14 ⋅ Cado Security ⋅ Cado Security\r\nTeamTNT Script Employed to Grab AWS Credentials\r\nTeamTNT Tsunami 2021-09-08 ⋅ AT\u0026T ⋅ Ofer Caspi\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt\r\nPage 1 of 2\n\nTeamTNT with new campaign aka “Chimaera”\r\nTeamTNT 2021-09-01 ⋅ Intezer ⋅ Intezer\r\nTeamTNT: Cryptomining Explosion\r\nTeamTNT Tsunami 2021-07-20 ⋅ Trend Micro ⋅ Alfredo Oliveira, David Fiser\r\nTracking the Activities of TeamTNT: A Closer Look at a Cloud-Focused Malicious Actor Group\r\nTeamTNT 2021-02-20 ⋅ Malpedia ⋅ Malpedia\r\nMalpedia Website for Malware Family Team TNT\r\nTeamTNT TeamTNT 2021-02-17 ⋅ Aquasec ⋅ Assaf Morag\r\nThreat Alert: TeamTNT Pwn Campaign Against Docker and K8s Environments\r\nTeamTNT TeamTNT 2021-02-03 ⋅ Palo Alto Networks Unit 42 ⋅ Ariel Zelivansky, Aviv Sasson, Jay Chen\r\nHildegard: New TeamTNT Malware Targeting Kubernetes\r\nTeamTNT TeamTNT 2021-01-27 ⋅ AT\u0026T ⋅ Ofer Caspi\r\nTeamTNT delivers malware with new detection evasion tool\r\nTeamTNT TeamTNT 2021-01-05 ⋅ Lacework Labs ⋅ Lacework Labs\r\nTeamTNT Builds Botnet from Chinese Cloud Servers\r\nTeamTNT TNTbotinger TeamTNT 2020-12-21 ⋅ Intezer ⋅ Intezer\r\nTop Linux Cloud Threats of 2020\r\nAgeLocker AnchorDNS Blackrota Cloud Snooper Dacls Doki FritzFrog IPStorm Kaiji Kinsing NOTROBIN\r\nPenquin Turla PLEAD Prometei RansomEXX Stantinko TeamTNT TSCookie WellMail elf.wellmess TeamTNT\r\n2020-12-02 ⋅ Aqua Nautilus ⋅ Assaf Morag, Idan Revivo\r\nThreat Alert: Fileless Malware Executing in Containers\r\nTeamTNT 2020-09-30 ⋅ Aqua Nautilus ⋅ Assaf Morag\r\nThreat Alert: TeamTNT is Back and Attacking Vulnerable Redis Servers\r\nTeamTNT 2020-08-25 ⋅ Aqua Nautilus ⋅ Assaf Morag\r\nDeep Analysis of TeamTNT Techniques Using Container Images to Attack\r\nTeamTNT Tsunami XMRIG 2020-08-17 ⋅ Cado Security ⋅ Chris Doman\r\nTeam TNT – The First Crypto-Mining Worm to Steal AWS Credentials\r\nTeamTNT TeamTNT 2020-08-17 ⋅ 
Cado Security ⋅ Chris Doman, James Campbell\r\nTeam TNT - The First Crypto-Mining Worm to Steal AWS Credentials\r\nTeamTNT\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt"
	],
	"report_names": [
		"elf.teamtnt"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e16a6567-2b9a-4419-960b-1e03fccc8812",
			"created_at": "2023-01-06T13:46:39.128684Z",
			"updated_at": "2026-04-10T02:00:03.224215Z",
			"deleted_at": null,
			"main_name": "NOTROBIN",
			"aliases": [],
			"source_name": "MISPGALAXY:NOTROBIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434523,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bdd272a3d12333e3ef1af19b58b3aff8de965c93.pdf",
		"text": "https://archive.orkl.eu/bdd272a3d12333e3ef1af19b58b3aff8de965c93.txt",
		"img": "https://archive.orkl.eu/bdd272a3d12333e3ef1af19b58b3aff8de965c93.jpg"
	}
}