{
	"id": "1138122f-a770-4fb8-a933-a0b70a744051",
	"created_at": "2026-04-06T00:08:26.405044Z",
	"updated_at": "2026-04-10T03:27:04.699634Z",
	"deleted_at": null,
	"sha1_hash": "d81e73f678a9dc9b12af503559063122ecc78502",
	"title": "Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1830513,
	"plain_text": "Hildegard: New TeamTNT Cryptojacking Malware Targeting\r\nKubernetes\r\nBy Jay Chen, Aviv Sasson, Ariel Zelivansky\r\nPublished: 2021-02-03 · Archived: 2026-04-05 18:05:41 UTC\r\nExecutive Summary\r\nIn January 2021, Unit 42 researchers detected a new malware campaign targeting Kubernetes clusters. The attackers gained\r\ninitial access via a misconfigured kubelet that allowed anonymous access. Once it had a foothold in a Kubernetes cluster,\r\nthe malware attempted to spread over as many containers as possible and eventually launched cryptojacking operations.\r\nBased on the tactics, techniques and procedures (TTP) that the attackers used, we believe this is a new campaign from\r\nTeamTNT. We refer to this new malware as Hildegard, the username of the tmate account that the malware used.\r\nTeamTNT is known for exploiting unsecured Docker daemons and deploying malicious container images, as documented in\r\nprevious research (Cetus, Black-T and TeamTNT DDoS). However, this is the first time we found TeamTNT targeting\r\nKubernetes environments. In addition to the same tools and domains identified in TeamTNT's previous campaigns, this new\r\nmalware carries multiple new capabilities that make it more stealthy and persistent. In particular, we found that TeamTNT’s\r\nHildegard malware:\r\nUses two ways to establish command and control (C2) connections: a tmate reverse shell and an Internet Relay Chat\r\n(IRC) channel.\r\nUses a known Linux process name (bioset) to disguise the malicious process.\r\nUses a library injection technique based on LD_PRELOAD to hide the malicious processes.\r\nEncrypts the malicious payload inside a binary to make automated static analysis more difficult.\r\nWe believe that this new malware campaign is still under development due to its seemingly incomplete codebase and\r\ninfrastructure. At the time of writing, most of Hildegard's infrastructure has been online for only a month. 
The C2 domain\r\nborg[.]wtf was registered on Dec. 24, 2020, the IRC server went online on Jan. 9, 2021, and some malicious scripts have\r\nbeen updated frequently. The malware campaign has ~25.05 KH/s hashing power, and there is 11 XMR (~$1,500) in the\r\nwallet.\r\nThere has not been any activity since our initial detection, which indicates the threat campaign may still be in the\r\nreconnaissance and weaponization stage. However, knowing this malware's capabilities and target environments, we have\r\ngood reason to believe that the group will soon launch a larger-scale attack. The malware can leverage the abundant\r\ncomputing resources in Kubernetes environments for cryptojacking and potentially exfiltrate sensitive data from tens to\r\nthousands of applications running in the clusters.\r\nPalo Alto Networks customers running Prisma Cloud are protected from this threat by the Runtime Protection feature,\r\nCryptominer Detection feature and the Prisma Cloud Compute Kubernetes Compliance Protection, which alerts on an\r\ninsufficient Kubernetes configuration and provides secure alternatives.\r\nhttps://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/\r\nPage 1 of 10\n\nFigure 1. Attacker and malware’s movement.\r\nTactics, Techniques and Procedures\r\nFigure 1 illustrates how the attacker entered, moved laterally and eventually performed cryptojacking in multiple containers.\r\n1. The attacker started by exploiting an unsecured Kubelet on the internet and searched for containers running inside the\r\nKubernetes nodes. After finding container 1 in Node A, the attacker attempted to perform remote code execution\r\n(RCE) in container 1.\r\n2. The attacker downloaded tmate and issued a command to run it and establish a reverse shell to tmate.io from\r\ncontainer 1. The attacker then continued the attack with this tmate session.\r\n3. 
From container 1, the attacker used masscan to scan Kubernetes' internal network and found unsecured Kubelets in\r\nNode B and Node C. The attacker then attempted to deploy a malicious crypto mining script (xmr.sh) to containers\r\nmanaged by these Kubelets (containers 2-7).\r\n4. Containers that ran xmr.sh started an xmrig process and established an IRC channel back to the IRC C2.\r\n5. The attacker could also create another tmate session from one of the containers (container 4). With the reverse shell,\r\nthe attacker could perform more manual reconnaissance and operations.\r\nThe indicators of compromise (IOCs) found in each container are listed below. These files are either shell scripts or\r\nExecutable and Linkable Format (ELF) binaries. The IOC section at the end of the blog contains the hash and details of each file.\r\nContainer 1: TDGG was dropped and executed via Kubelet. TDGG then downloaded and executed\r\ntt.sh, api.key and tmate. The attacker used the established tmate connection to drop and run sGAU.sh, kshell,\r\ninstall_monerod.bash, setup_moneroocean_miner.sh and xmrig (MoneroOcean).\r\nContainers 2-7: xmr.sh was dropped and executed via Kubelet.\r\nContainer 4: The attacker also established a tmate session in this container. The attacker then dropped and executed\r\npei.sh, pei64/32, xmr3.assi, aws2.sh, t.sh, tmate, x86_64.so, xmrig and xmrig.so.\r\nFigure 2 maps the malware campaign's TTP to MITRE ATT\u0026CK tactics. The following sections will detail the techniques\r\nused in each stage.\r\nFigure 2. Attacker’s tactics, techniques and procedures.\r\nInitial Access\r\nkubelet is an agent running on each Kubernetes node. It takes RESTful requests from various components (mainly kube-apiserver) and performs pod-level operations. Depending on the configuration, kubelet may or may not accept\r\nunauthenticated requests. 
Standard Kubernetes deployments come with anonymous access to kubelet by default. However,\r\nmost managed Kubernetes services such as Azure Kubernetes Service (AKS), Google Kubernetes Engine (GKE) and\r\nKubernetes operations (Kops) all enforce proper authentication by default.\r\nWe discovered that TeamTNT gained initial access with the Hildegard malware by executing commands on kubelets that\r\nallow anonymous access. This was achieved by accessing the kubelet’s run command API and executing commands on\r\nrunning containers.\r\nExecution\r\nHildegard uses kubelet’s API to execute commands inside containers. The initial commands create a tmate reverse shell that\r\nallows the attacker to carry out subsequent operations. Unlike the techniques that TeamTNT used in the past, this malware\r\ncampaign did not pull or run any new container image.\r\nPrivilege Escalation\r\nAlthough Unit 42 researchers have not observed an attempt to perform privilege escalation, the malware dropped two\r\nadversarial tools, Peirates and BOtB, which are capable of breaking out of containers via known vulnerabilities or accessing\r\ncloud resources via exposed cloud credentials.\r\nContainer Breakout\r\nBOtB can perform a container breakout using a known vulnerability such as CVE-2019-5736. It can also escape from\r\nprivileged containers that have CAPS and SYSCALLS enabled.\r\nAccess to Cloud Resources\r\nPeirates can gather multiple infrastructure and cloud credentials. It looks for identity and access management (IAM)\r\ncredentials from cloud metadata services and service account tokens from the Kubernetes clusters. With the identified\r\ncredentials, it then further attempts to move laterally or gain control of the cluster. While we observed Peirates in use, the\r\ncontainer it was executed in had no credentials.\r\nDefense Evasion\r\nLibrary Injection\r\nHildegard uses LD_PRELOAD to hide the malicious processes launched inside the containers. 
The malware modified the\r\n/etc/ld.so.preload file to intercept functions imported from shared libraries. In particular, the malware overwrites two functions,\r\nreaddir() and readdir64(), which are responsible for returning the directory entries in the file system. The overwritten\r\nfunctions intercept reads of directory entries under /proc and drop the entries associated with keywords such as\r\ntmate, xmrig and ziggy. This way, when applications try to identify the running processes (by reading files under /proc) in\r\nthe containers, tmate, xmrig and ziggy will not be found. Linux tools such as ps, top and many other container monitoring\r\ntools will be blinded to these malicious processes.\r\nFigure 3. Function that overwrites readdir64() in x86_64.so.\r\nEncrypted ELF Binary\r\nHildegard deploys an IRC agent built from the open-source project ziggystartux. To avoid being detected by automated\r\nstatic analysis tools, the ziggystartux ELF is encrypted and packed in another binary (ziggy). When the binary is executed,\r\nthe ziggystartux ELF is decrypted by a hardcoded Advanced Encryption Standard (AES) key and executed in memory.\r\nFigure 4. Unpacking and executing the payload.\r\nDisguised Process Name\r\nThe malware names the IRC process “bioset”, which is the name of a well-known Linux kernel process. If one is only\r\nlooking at the names of the running processes on a host, one can easily overlook this disguised process.\r\nDNS Monitoring Bypass\r\nThe malware modifies the system DNS resolvers and uses Google’s public DNS servers to avoid being detected by DNS\r\nmonitoring tools.\r\nFigure 5. DNS resolver modification.\r\nDelete Files and Clear Shell History\r\nAll the scripts are deleted immediately after being executed. 
TeamTNT also uses the “history -c” command to clear the shell\r\nhistory in every script.\r\nFigure 6. The script clears the history and deletes itself.\r\nCredential Access\r\nHildegard searches for credential files on the host and queries metadata services for cloud-specific credentials. The identified\r\ncredentials are sent back to the C2.\r\nThe searched credentials include:\r\nCloud access keys.\r\nCloud access tokens.\r\nSSH keys.\r\nDocker credentials.\r\nKubernetes service tokens.\r\nThe metadata servers searched:\r\n169.254.169.254\r\n169.254.170.2\r\nFigure 7. The script looks for credentials.\r\nDiscovery\r\nHildegard performs several reconnaissance operations to explore the environment.\r\nIt gathers and sends back the host’s OS, CPU and memory information.\r\nIt uses masscan to search for kubelets in Kubernetes’ internal network.\r\nIt uses kubelet’s API to search for running containers in a particular node.\r\nFigure 8. The script looks for system and network information.\r\nLateral Movement\r\nHildegard mainly uses the unsecured kubelet to move laterally inside a Kubernetes cluster. During the discovery stage, the\r\nmalware finds the exploitable kubelets and the containers these kubelets manage. The malware then creates C2 channels\r\n(tmate or IRC) and deploys malicious crypto miners in these containers. Although not observed by Unit 42 researchers, the\r\nattacker may also move laterally with the stolen credentials.\r\nImpact\r\nThe most significant impact of the malware is resource hijacking and denial of service (DoS). The cryptojacking operation\r\ncan quickly drain the entire system’s resources and disrupt every application in the cluster. 
The xmrig mining process joins\r\nthe supportxmr mining pool using the wallet address\r\n428uyvSqdpVZL7HHgpj2T5SpasCcoHZNTTzE3Lz2H5ZkiMzqayy19sYDcBGDCjoWbTfLBnc3tc9rG4Y8gXQ8fJiP5tqeBda.\r\nAt the time of writing, the malware campaign has ~25.05 KH/s hashing power and there is 11 XMR (~$1,500) in the wallet.\r\nFigure 12. Mining activity on supportxmr.\r\nConclusion\r\nUnlike a Docker engine that runs on a single host, a Kubernetes cluster typically contains more than one host and every host\r\ncan run multiple containers. Given the abundant resources in a Kubernetes infrastructure, a hijacked Kubernetes cluster can\r\nbe more profitable than a hijacked Docker host. This new TeamTNT malware campaign is one of the most complicated\r\nattacks targeting Kubernetes. This is also the most feature-rich malware we have seen from TeamTNT so far. In particular,\r\nthe threat actor has developed more sophisticated tactics for initial access, execution, defense evasion and C2. These efforts\r\nmake the malware more stealthy and persistent. Although the malware is still under development and the campaign is not yet\r\nwidely spread, we believe the attacker will soon mature the tools and start a large-scale deployment.\r\nPalo Alto Networks customers running Prisma Cloud are protected from this threat by the Runtime Protection features,\r\nCryptominer Detection and by the Prisma Cloud Compute Kubernetes Compliance Protection, which alerts on an\r\ninsufficient Kubernetes configuration and provides secure alternatives.\r\nFigure 13. Prisma Cloud Compute Kubernetes compliance protections.\r\nFigure 14. 
Prisma Cloud Compute alerting on crypto mining incident.\r\nIndicators of Compromise\r\nDomains/IPs (domain/IP: description):\r\nthe.borg[.]wtf (45.9.150[.]36): This machine hosts malicious files used in the campaign and receives the collected data as a C2. Hosted files: TDGG, api.key, tmate, tt.sh, sGAU.sh, t.sh, x86_64.so, xmr.sh, xmrig, xmrig.so, ziggy, xmr3.assi.\r\n147.75.47[.]199: The malware connects to this IP to obtain the victim host's public IP.\r\nteamtnt[.]red (45.9.148[.]108): This host hosts malicious scripts and binaries. Hosted files: pei.sh, pei64.\r\nborg[.]wtf (45.9.148[.]108): This host hosts malicious scripts and binaries. Hosted files: aws2.sh.\r\nirc.borg[.]wtf (123.245.9[.]147): This host is one of the C2s. It runs an IRC server on port 6667.\r\nsampwn.anondns[.]net (13.245.9[.]147): This host is one of the C2s. It runs an IRC server on port 6667.\r\n164.68.106[.]96: This host is one of the C2s. It runs an IRC server on port 6667.\r\n62.234.121[.]105: This host is one of the C2s. It runs an IRC server on port 6667.\r\nFiles (SHA256, file name, type: description):\r\n2c1528253656ac09c7473911b24b243f083e60b98a19ba1bbb050979a1f38a0f TDGG, script: This script downloads and executes tt.sh.\r\n2cde98579162ab165623241719b2ab33ac40f0b5d0a8ba7e7067c7aebc530172 tt.sh, script: This script downloads and runs tmate. It collects system information from the victim host and sends the collected data to the C2 (45.9.150[.]36).\r\nb34df4b273b3bedaab531be46a0780d97b87588e93c1818158a47f7add8c7204 api.key, text: The API key for creating a tmate session in the compromised containers.\r\nd2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f tmate, ELF: tmate v2.4.0.\r\n74e3ccaea4df277e1a9c458a671db74aa47630928a7825f75994756512b09d64 sGAU.sh, script: This script downloads and installs masscan, then scans the Kubernetes internal IP range for Kubelets running on port 10250. If masscan finds an exploitable Kubelet, it attempts to download and execute a cryptojacking script in all the containers.\r\n8e33496ea00218c07145396c6bcf3e25f4e38a1061f807d2d3653497a291348c kshell, script: The script performs remote code execution in containers via Kubelet’s API. It also downloads and executes xm… in the target containers.\r\n518a19aa2c3c9f895efa0d130e6355af5b5d7edf28e2a2d9b944aa358c23d887 install_monerod.bash, script: The script is hosted in a GitHub repo. It pulls and builds the official monero project. It then creates a user “monerodaem…” and starts the monero service.\r\n5923f20010cb7c1d59aab36ba41c84cd20c25c6e64aace65dc8243ea827b537b setup_moneroocean_miner.sh, script: The script is hosted in a GitHub repo. It pulls and runs MoneroOcean's advanced version of xmrig.\r\na22c2a6c2fdc5f5b962d2534aaae10d4de0379c9872f07aa10c77210ca652fa9 xmrig (MoneroOcean), ELF: xmrig 6.7.2-… This binary is in MoneroOcean's GitHub repo.\r\nee6dbbf85a3bb301a2e448c7fddaa4c1c6f234a8c75597ee766c66f52540d015 pei.sh, script: This script downloads and executes pei64 or pei32, depending on the host’s architecture.\r\n937842811b9e2eb87c4c19354a1a790315f2669eea58b63264f751de4da5438d pei64, ELF: This is a Kubernetes penetration testing tool from the Peirates project. The tool is capable of escalating privilege and pivoting through Kubernetes clusters.\r\n72cff62d801c5bcb185aa299eb26f417aad843e617cf9c39c69f9dde6eb82742 pei32, ELF: Same as pei64, for the i686 architecture.\r\n12c5c5d556394aa107a433144c185a686aba3bb44389b7241d84bea766e2aea3 xmr3.assi, script: The script downloads and runs aws2.sh, t.sh and xmrig.\r\n053318adb15cf23075f737daa153b81ab8bd0f2958fa81cd85336ecdf3d7de4e aws2.sh, script: The script searches for cloud credentials and sends the identified credentials to the C2 (the.borg[.]wtf).\r\ne6422d97d381f255cd9e9f91f06e5e4921f070b23e4e35edd539a589b1d6aea7 t.sh, script: The script downloads x86_64.so and … from the C2. It modifies ld.so.preload and starts a tmate session. It then sends back the victim’s system information and tmate session to the C2.\r\n77456c099facd775238086e8f9420308be432d461e55e49e1b24d96a8ea585e8 x86_64.so, ELF: This shared object replaces the /etc/ld.so.preload file. It uses the LD_PRELOAD trick to hide the tmate process.\r\n78f92857e18107872526feb1ae834edb9b7189df4a2129a4125a3dd8917f9983 xmrig, ELF: xmrig v6.7.0.\r\n3de32f315fd01b7b741cfbb7dfee22c30bf7b9a5a01d7ab6690fcb42759a3e9f xmrig.so, ELF: This shared object replaces the /etc/ld.so.preload file. It uses the LD_PRELOAD trick to hide the xmrig process.\r\nfe0f5fef4d78db808b9dc4e63eeda9f8626f8ea21b9d03cbd884e37cde9018ee xmr.sh, script: The script downloads and executes xmrig and ziggy.\r\n74f122fb0059977167c5ed34a7e217d9dfe8e8199020e3fe19532be108a7d607 ziggy, ELF: ziggy is a binary that packs an encrypted ELF. The binary decrypts the ELF at runtime and executes it in memory. The encrypted ELF is built from ZiggyStarTux, an IRC client for embedded devices.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/"
	],
	"report_names": [
		"hildegard-malware-teamtnt"
	],
	"threat_actors": [
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434106,
	"ts_updated_at": 1775791624,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d81e73f678a9dc9b12af503559063122ecc78502.pdf",
		"text": "https://archive.orkl.eu/d81e73f678a9dc9b12af503559063122ecc78502.txt",
		"img": "https://archive.orkl.eu/d81e73f678a9dc9b12af503559063122ecc78502.jpg"
	}
}