{
	"id": "6de7f4c4-52bc-4c12-9021-748ba3b09c1b",
	"created_at": "2026-04-06T00:19:53.088041Z",
	"updated_at": "2026-04-10T03:27:04.646911Z",
	"deleted_at": null,
	"sha1_hash": "fed5513daa061e0ebb277c5b2cf29cc70b3dc303",
	"title": "Inside TeamTNT's Impressive Arsenal: A Look Into A TeamTNT Server",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2957204,
	"plain_text": "Inside TeamTNT's Impressive Arsenal: A Look Into A TeamTNT Server\r\nBy Anomali Threat Research\r\nPublished: 2025-12-18 · Archived: 2026-04-05 18:18:35 UTC\r\nThis inside view of TeamTNT infrastructure and tools in use can help security operations teams to improve detection capabilities for related attacks.\r\nhttps://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server\r\nPage 1 of 12\n\nAuthored By: Tara Gould\r\nKey Findings\r\nAnomali Threat Research has discovered a server open to directory listing that we attribute with high confidence to the German-speaking threat group TeamTNT.\r\nThe server contains source code, scripts, binaries, and cryptominers targeting cloud environments.\r\nThe server also hosts Amazon Web Services (AWS) credentials stolen by TeamTNT stealers.\r\nThis inside view of TeamTNT infrastructure and tools in use can help security operations teams to improve detection capabilities for related attacks, whether coming directly from TeamTNT or from other cybercrime groups leveraging their tools.\r\nOverview\r\nAnomali Threat Research has identified a TeamTNT server open to directory listing. The server was used to serve the scripts and binaries that TeamTNT use in their attacks, and also for the IRC communications of their bot. The directory appears to have been in use since at least August 2021 and was still in use as of October 5, 2021. The contents of the directory include metadata, scripts, source code, and stolen credentials.\r\nTeamTNT is a German-speaking cryptojacking threat group that targets cloud environments. The group typically uses cryptojacking malware and has been active since at least April 2020.[1] TeamTNT activity throughout 2021 has targeted AWS, Docker, GCP, Linux, Kubernetes, and Windows, which corresponds to usual TeamTNT activity.[2]\r\nTechnical Analysis\r\nScripts (/cmd/)\r\nFigure 1 - Overview of /cmd/\r\nContained on the server, in the /cmd/ directory, are approximately 50 scripts, most of which are already documented. The objectives of the scripts vary and include the following:\r\nAWS Credential Stealer\r\nDiamorphine Rootkit\r\nIP Scanners\r\nMountsploit\r\nScripts to set up utils\r\nScripts to set up miners\r\nScripts to remove previous miners\r\nFigure 2 - Snippet of AWS Credential Stealer Script\r\nOne notable script is the one that steals AWS EC2 credentials, shown above in Figure 2. The AWS access key, secret key, and token are piped into a text file that is uploaded to the Command and Control (C2) server.\r\nFigure 3 - Chimaera_Kubernetes_root_PayLoad_2.sh\r\nAnother interesting script is shown in Figure 3 above, which checks the architecture of the system and retrieves the XMRig miner version for that architecture from another open TeamTNT server, 85.214.149[.]236.\r\nBinaries (/bin/)\r\nFigure 4 - Overview of /bin\r\nWithin the /bin/ folder, shown in Figure 4 above, is a collection of malicious binaries and utilities that TeamTNT use in their operations.\r\nAmong the files are well-known samples attributed to TeamTNT, including the Tsunami backdoor and an XMRig cryptominer. Some of the tools have their source code located on the server, such as TeamTNT Bot. The folder /a.t.b contains the source code for the TeamTNT bot, shown in Figures 5 and 6 below. In addition, the same binaries have been found in a TeamTNT Docker image, noted in Appendix A.\r\nFigure 5 - Screenshot of TeamTNTbot.c\r\nFigure 6 - Bot Commands\r\nLastly, the /bin/ folder also contains utilities including masscan, ngrok, peirates, pnscan, wget, and zgrab. These utilities are used to aid in carrying out the malicious activity.\r\nConclusion\r\nTeamTNT is a highly active group that continues to evolve and target cloud infrastructure. The discovery of their infrastructure gives insight into their toolsets. It is unknown at this time whether TeamTNT have purposefully left this server open to directory listing, and why. However, this is not the first time a TeamTNT server has been open, as reported by Unit42 in June 2021.[4] Furthermore, the group appears unbothered with having their toolset publicized, and will engage with security researchers on Twitter, even giving recommendations of how the tools should be utilized.[5]\r\nEndnotes\r\n[1] “Tracking The Activities of TeamTNT,” Trend Micro, accessed October 5, 2021, published July 20, 2021, https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf.\r\n[2] “TeamTNT With New Campaign Aka “Chimaera”,” accessed October 5, 2021, published September 8, 2021, https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera.\r\n[3] “TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations,” Palo Alto, accessed October 6, 2021, published June 4, 2021, https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/.\r\n[4] Ibid.\r\n[5] “HildeGard@TeamTNT,” Twitter, accessed October 6, 2021, published September 9, 2021, https://twitter.com/HildeTNT/status/1436026656695672839.\r\n[6] “Malicious Docker Images Still Used For Malicious Purposes,” CounterCraft, accessed October 5, 2021, published September 29, 2021, https://www.countercraftsec.com/blog/post/using-malicious-docker-images-more-teamtnt-docker-abuse/.\r\nIOCs\r\nHashes\r\nNetwork\r\n45.9.148.182\r\n45.9.148.182/cmd\r\n45.9.148.182/CHIMAERA\r\n45.9.148.182/bin\r\n45.9.148.182/in\r\n45.9.148.182/init\r\n51.79.226.64\r\n85.214.149.236 (appears to have been compromised)\r\nMITRE ATT\u0026CK TTPs\r\nTactic | Technique ID | Name\r\nExecution | T1059.004 | Command and Scripting Interpreter: Unix\r\nExecution | T1609 | Container Administration Command\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information\r\nDefense Evasion | T1070.003 | Indicator Removal on Host: Clear Command History\r\nDefense Evasion | T1070.004 | Indicator Removal on Host: File Deletion\r\nDefense Evasion | T1027 | Obfuscated Files or Information\r\nDefense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Names or Locations\r\nCredential Access | T1552.001 | Unsecured Credentials: Credentials In Files\r\nCredential Access | T1552.004 | Unsecured Credentials: Private Keys\r\nCredential Access | T1552.005 | Unsecured Credentials: Instance Metadata API\r\nDiscovery | T1046 | Network Service Scanning\r\nDiscovery | T1082 | System Information Discovery\r\nCommand and Control | T1071 | Application Layer Protocol\r\nCommand and Control | T1105 | Ingress Tool Transfer\r\nCommand and Control | T1219 | Remote Access Software\r\nCommand and Control | T1102 | Web Service\r\nImpact | T1496 | Resource Hijacking\r\nAppendix A\r\nDocker Images\r\nTeamTNT are also hosting malicious Docker images on a Docker repo named “alpineos”. The account contains 25 images, which include XMRig, a reverse shell, moneroocean, kubepwn, and a TeamTNTbot builder. In some of these images the scripts reach out to the scripts described above. In September 2021, CounterCraft released research on the “alpineos/dockerapi” image.[6]\r\nFigure 11 - TeamTNT Docker Repo\r\nDocker Image\r\nalpineos/dockerapi\r\nalpineos/wscopescan\r\nalpineos/dsbo\r\nalpineos/xxcrace\r\nalpineos/firstt\r\nalpineos/scopeppc64le\r\nalpineos/tntxmrigbuilder\r\nalpineos/simpledockerxmr\r\nalpineos/ttdft\r\nalpineos/tntbotbuilder\r\nalpineos/minion\r\nalpineos/xmrigcc\r\nalpineos/fluxfaxpax\r\nalpineos/scopeaarch64\r\nalpineos/scanaround\r\nalpineos/kirito\r\nalpineos/kndb\r\nalpineos/jupyter\r\nalpineos/java\r\nalpineos/revs\r\nalpineos/lftk\r\nalpineos/basicxmr\r\nalpineos/lft\r\nalpineos/weavescope\r\nSource: https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server"
	],
	"report_names": [
		"inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server"
	],
	"threat_actors": [
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434793,
	"ts_updated_at": 1775791624,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fed5513daa061e0ebb277c5b2cf29cc70b3dc303.pdf",
		"text": "https://archive.orkl.eu/fed5513daa061e0ebb277c5b2cf29cc70b3dc303.txt",
		"img": "https://archive.orkl.eu/fed5513daa061e0ebb277c5b2cf29cc70b3dc303.jpg"
	}
}