Inside TeamTNT's Impressive Arsenal: A Look Into A TeamTNT
Server
By Anomali Threat Research
Published: 2025-12-18 · Archived: 2026-04-05 18:18:35 UTC
This inside view of TeamTNT infrastructure and tools in use can help security operations teams to improve
detection capabilities for related attacks.
Key FindingsOverviewTechnical AnalysisConclusionEndnotesIOCsMITRE ATT&CK TTPsAppendix
AAppendix B
https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server
Page 1 of 12

Authored By: Tara Gould
Key Findings
Anomali Threat Research has discovered an open server to a directory listing that we attribute with high
confidence to the German-speaking threat group, TeamTNT.
The server contains source code, scripts, binaries, and cryptominers targeting Cloud environments.
Other server contents include Amazon Web Services (AWS) Credentials stolen from TeamTNT stealers are also
hosted on the server.
https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server
Page 2 of 12

This inside view of TeamTNT infrastructure and tools in use can help security operations teams to improve
detection capabilities for related attacks, whether coming directly from TeamTNT or other cybercrime groups
leveraging their tools.
Overview
Anomali Threat Research has identified a TeamTNT server open to directory listing. The server was used to serve
scripts and binaries that TeamTNT use in their attacks, and also for the IRC communications for their bot. The
directory appears to have been in use since at least August 2021 and was in use as of October 5, 2021. The
contents of the directory contain metadata, scripts, source code, and stolen credentials.
TeamTNT is a German-speaking, cryptojacking threat group that targets cloud environments. The group typically
uses cryptojacking malware and have been active since at least April 2020.[1] TeamTNT activity throughout 2021
has targeted AWS, Docker, GCP, Linux, Kubernetes, and Windows, which corresponds to usual TeamTNT
activity.
[2]
Technical Analysis
Scripts (/cmd/)
Overview of /cmd/
Figure 1 - Overview of /cmd/
Contained on the server are approximately 50 scripts, most of which are already documented, located in the /cmd/
directory. The objective of the scripts vary and include the following:
AWS Credential Stealer
Diamorphine Rootkit
IP Scanners
Mountsploit
Scripts to set up utils
Scripts to setup miners
Scripts to remove previous miners
Snippet of AWS Credential Stealer Script
Figure 2 - Snippet of AWS Credential Stealer Script
Some notable scripts, for example, is the script that steals AWS EC2 credentials, shown above in Figure 2. The
AWS access key, secret key, and token are piped into a text file that is uploaded to the Command and Control (C2)
server.
Chimaera_Kubernetes_root_PayLoad_2.sh
Figure 3 - Chimaera_Kubernetes_root_PayLoad_2.sh
Another interesting script is shown in Figure 3 above, which checks the architecture of the system, and retrieves
the XMRig miner version for that architecture from another open TeamTNT server, 85.214.149[.]236.
https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server
Page 3 of 12

Binaries (/bin/)
Overview of /bin
Figure 4 - Overview of /bin
Within the /bin/ folder, shown in Figure 4 above, there is a collection of malicious binaries and utilities that
TeamTNT use in their operations.
Among the files are well-known samples that are attributed to TeamTNT, including the Tsunami backdoor and a
XMRig cryptominer. Some of the tools have the source code located on the server, such as TeamTNT Bot. The
folder /a.t.b contains the source code for the TeamTNT bot, shown in Figures 5 and 6 below. In addition, the same
binaries have been found on a TeamTNT Docker, noted in Appendix A.
Screenshot of TeamTNTbot.c
Figure 5 - Screenshot of TeamTNTbot.c
Bot Commands
Figure 6 - Bot Commands
Lasty, the /bin/ folder also contains utilities including masscan, ngrok, peirates, pnscan, wget, zgrab. These
utilities will be used to aid in carrying out the malicious activity.
Conclusion
TeamTNT is a highly-active group that continues to evolve and target cloud infrastructure. The discovery of their
infrastructure gives insight into their toolsets. It is unknown at this time whether TeamTNT have purposefully left
this server open to directory listing, and why. However this is not the first time TeamTNT server has been open, as
reported by Unit42 in June 2021.[4] Furthermore, the group appears unbothered with having their toolset
publicized, and will engage with security researchers on Twitter, even giving recommendations of how the tools
should be utilized.[5]
Endnotes
[1]
 “Tracking The Activities of TeamTNT,” Trend Micro, accessed October 5, 2021, published July 20, 2021,
https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf.
[2]
 “TeamTNT With New Campaign Aka “Chimaera”,” accessed October 5, 2021, published September 8, 2021, 
https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera.
[3]
 ”TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations,” Palo Alto, accessed
October 6, 2021, published June 4, 2021, https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/.
[4]
 Ibid.
https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server
Page 4 of 12

[5]
 “HildeGard@TeamTNT,” Twitter, accessed October 6, 2021, published September 9, 2021,
https://twitter.com/HildeTNT/status/1436026656695672839.
[6]
 “Malicious Docker Images Still Used For Malicious Purposes,” CounterCraft, accessed October 5, 2021,
published September 29, 2021, https://www.countercraftsec.com/blog/post/using-malicious-docker-images-more-teamtnt-docker-abuse/.
IOCs
Hashes
91917fec033047a97a64be297454e6d7 ./init/r.sh
644749dda45caedda59f32f7991f0ffd ./cmd/grab/aws2.sh
7756f215ec37b1f545d1d8648a6d78d0 ./cmd/grab/aws-cloud.sh
273ef84fbe3d495bff371e64cbf74b36 ./cmd/grab/aws.sh
b20ab8eb3c3db7d20cecf44024762bd2 ./cmd/Setup.User.curl.sh
1f6353c16d11e0e841129d55dfd9ac74 ./cmd/Setup_WeaveScope.sh
fb3346a3cb6add01efade50b53dd211f ./cmd/Setup_RainBow_Miner.sh
ee9c391c98dee5331ac467854f0ae262 ./cmd/Kubernetes_root_PayLoad_2.2.sh
bcf76b649b5c6016b4071d197b1ce111 ./cmd/setup_moneroocean_miner.sh
7cced044d94a7ac6415598e663b46b26 ./cmd/Setup_ETH_MinerService.sh
e85c28315dcdae18ab273775c29cefa7 ./cmd/gpu/ati.sh
26870afb9524e1ab2eb396d15a222676 ./cmd/gpu/nvidia.sh
27fd3a594fd66f4c113ab1f70a95f82e ./cmd/gpu/c3pool_gpu.sh
a8415b189839b9585193e2b2ec63d6f3 ./cmd/DockerAPI-SSH-BreakOut.sh
45fc2131a4e60bb7545a2b1b235d66ef ./cmd/Kubernetes_root_PayLoad_1.sh
f7b90d0f91ed25806d49ca281a7db10c ./cmd/init.sh
940c1c591677efbe91d165751296dddd ./cmd/ld.so.preload.sh
4f476e9ea8aed60e29bf06ffe758f841 ./cmd/Setup_ETH_Miner.sh
9ca7f7e428ff5e3dbe943efe8ed0df31 ./cmd/GRABBER_google-cloud.sh
e2fcb71452e7e4057d144bd1c525432a ./cmd/CLEAN.TeamTNT.sh
https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server
Page 5 of 12

c491a19742c352b2c6221037dfac7a4a ./cmd/GRABBER_aws-cloud.sh
3bfed4e4d3b828c427629f764d65bd57 ./cmd/setup/all.glib.sh
66d63fc99fb80c7a1fb67f712582725b ./cmd/setup/docker.ethminer.sh
26870afb9524e1ab2eb396d15a222676 ./cmd/setup/nvidia.sh
846b5ff8a0f64b9af3d22157cb437a5c ./cmd/setup/all.golang.sh
701bc6594b2e06952451d266ced2032a ./cmd/setup/ngrok.sh
03c43133db24a7b3f1e8a4d5c268668d ./cmd/setup/tmate.sh
39ea1f63f9ae414c56ab3dc66a7569cd ./cmd/setup/apt.zgrab.sh
64bcf5dc015e53c868950204e2cae3f1 ./cmd/setup/all.tsh.sh
779a0bd628b67834116309bf3b3278ed ./cmd/setup/docker.sh
de036084f92920a921bc2a43b82a8149 ./cmd/Kubernetes_temp_PayLoad_1.sh
4090469125917070c22203b7d973f52e ./cmd/Kubernetes.LAN.IP.Range.sh
406caa94137d5c1e18b9ee7d5c72d72d ./cmd/clean/jupyter.sh
b62fbf2f2a7859e69deeb75fa1153b41 ./cmd/clean/TeamTNT.sh
0d173ab9281f013221a94b4289443a16 ./cmd/Kubernetes_temp_PayLoad_2.sh
d88c87f1afb6de12d885fc0fbc33b605 ./cmd/Kubernetes_scan_LAN_IPs.sh
a0c7366cd907197702aed089463af482 ./cmd/install-NVIDIA-driver.sh
287794e108f3a4b07654ce83f6f41b38 ./cmd/Kubernetes_root_PayLoad_2.sh
15d4150a3190e0630a6182a882be5cad ./cmd/fix/nameserver.sh
fd65800ea90386abbdd2b099cb4cdb45 ./cmd/fix/systemfix.sh
419c721fd5eb8f740cb1f971af5dc745 ./cmd/init_main_root.sh
d2c6d0fed174f4cbb09d1596e46258a6 ./cmd/MOUNTSPLOIT_V2.sh.txt
c491a19742c352b2c6221037dfac7a4a ./cmd/GRABBER_aws-cloud2.sh
51a4ba442533bd0d69e0da7dd46e3d9c ./cmd/clean.sh
fefbc41c9514a9a4f4c4e88ead3ebd89 ./cmd/ssh_user.sh
3f9466ee106e947a4cea13d57ce96ed1 ./cmd/exp/ssh.rsa.sh
fffe69fabf5d014579686d8bc790e70f ./cmd/exp/ssh.axx.sh
https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server
Page 6 of 12

80f3f20d5923c3a35022f065da9ea924 ./cmd/Setup_tmate.sh
e275c26583f08e6fdbb6045c7b2db647 ./cmd/CLEAN.other.miners.sh
68df6dc236a2f8d7231ca362b89148fe ./cmd/ssh_user2.sh
7d91732b7c8feced0ea698c83769e51d ./bin/ngrok/aarch64
0429e95cf9e7f631c944f23f82b89b54 ./bin/ngrok/x86_64
5cdd0e39fc9be0a13134f26aba70ede1 ./bin/golang/go1.12.7.linux-386.tar.gz
23bad8d12c43fc3e3a0568dbc8f19c85 ./bin/ethminer/cuda-9-x86_64.tar.gz
ae929d06265be0310c3f2eb6c44314d7 ./bin/a.t.b/TeamTNTbot.c
11d85a39722734273adb7a0b21ac29a6 ./bin/a.t.b/aarch64
5e4424e2a11e53e36eb10eff417fd19a ./bin/a.t.b/jupyter
cffb2c0fbb0bb4a98024a682a982199b ./bin/a.t.b/x86_64
2c22a520cd1ed4fc8e249d333724412d ./bin/xmrig.tar.gz
777e1d9b717d339a7582e06ab28d0dd3 ./bin/bot_root/aarch64
bdb404a243e374cda8948a5480f263e6 ./bin/bot_root/x86_64
d901256374ddd1770270971856bf735a ./bin/masscan/x86_64.rpm
7400bf51827682ec6a43b2d1c0a93eca ./bin/masscan/aarch64.rpm
c1d28488c149ad232ad3073605eeaf35 ./bin/masscan/aarch64.apk
ce43c3c74bde98127a91cd0224f1fa26 ./bin/masscan/masscan.sh
87b30ac544d39a044b66ef103f36c357 ./bin/masscan/aarch64
422385becd4e08062b56f57afbc5ae6b ./bin/masscan/x86_64
d4314256672783e773171fd25ac21f78 ./bin/pnscan/aarch64.deb
f7a515b639dc08d8061fa56ffacbecac ./bin/pnscan/x86_64.deb
3102067a3822ff1c3c17999e3e2b602d ./bin/pnscan/x86_64.rpm
db8bc741c40388270bd88cfa1ff2aa41 ./bin/pnscan/aarch64
d3ba2c41757b203ad0a12d1028074bbf ./bin/pnscan/pnscan.tar.gz
89d7c2db1f892139ee567d7ae29133a9 ./bin/pnscan/x86_64
d3fae6436a45bfbc22fda8bcb66b27c0 ./bin/zgrab/ppc64le
https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server
Page 7 of 12

79b8b3d73c8e8c4b1f74a48a617690db ./bin/zgrab/i386
d5869c7c642aff3d91839aaa3f4b0671 ./bin/zgrab/aarch64
26c8f6597826fbdebb5df4cd8cd34663 ./bin/zgrab/x86_64
bc4084451fcf1439a23a081e32a6c532 ./bin/pei/pei32
07179295144082d0291759d5cf2d19c2 ./bin/pei/pei64
d9dd55f66b3d783864f21684c612b406 ./bin/tshd/x86_64
3634fd8b0be6de05eb6df806a4f7b11e ./bin/bot/TNT_gpu
bd703ac4ea6ec7127fc9b8f8ce4d7c1e ./bin/bot/SSHSPR
13e2c82ecd3bfee92c75f30cf0f40cdc ./bin/bot/chimaera.cc_Version2.c
1221631e5fd5628435b6dfef15899fce ./bin/bot/chimaera.cc
73a9c6eaa8afc2b02699f172f294b496 ./bin/bot/TNT_gpu.c
29c0f22199b6abb07f5f2a6a6037396b ./bin/bot/AWS
13e2c82ecd3bfee92c75f30cf0f40cdc ./bin/bot/chimaera.cc.c
cd7a98f04de9713b602c314743e5bf55 ./bin/bot/TeamTNTbot.c
5718175711512e3fb20f5cf556c57924 ./bin/src/scope
677000fb99bf02e3c477a4349df76319 ./bin/src/log_clean.c
068f3a272598e55dc02382818f4de70e ./bin/src/master.zip
b767837f26b23ec978c1c8b42f9457a1 ./bin/src/rbm.zip
3c61212d7bfb2c27834bb1d36c389273 ./bin/src/tsh.tar.gz
7950de1f8f013cf3bf2c4eaa8ff4a3e5 ./bin/src/bash.tar.gz
1dc06ba731199951436705f4969e5b4e ./bin/src/dia/Makefile
8ab4cecc4fbf10a1de46a5f0823e0a94 ./bin/src/dia/chimaeraxmr.h
7d4ee4e30088c680b9a50e3924ecce20 ./bin/src/dia/chimaeraxmr.c
b62ce36054a7e024376b98df7911a5a7 ./bin/src/xmrig.so
4b05c9ad17a82104dba978ab68cec49a ./bin/src/chimaeraxmr.tar.gz
1254351aa752d5876ad225243bed69a8 ./CHIMAERA/bin/xmrigCC/kuben3.tar.gz
https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server
Page 8 of 12

Network
45.9.148.182
45.9.148.182/cmd
45.9.148.182/CHIMAERA
45.9.148.182/bin
45.9.148.182/in
45.9.148.182/init
51.79.226.64
85.214.149.236 (appears to have been compromised)
MITRE ATT&CK TTPs
Technique ID Name
Execution T1059.004 Command and Scripting Interpreter: Unix
  T1609 Container Administration Command
Defense Evasion T1140 Deobfuscate/Decode Files or Information
  T1070.003 Indicator Removal on Host: Clear Command History
  T1070.004 Indicator Removal on Host: File Deletion
  T1027 Obfuscated Files or Information
  T1027.002 Obfuscated Files or Information: Software Packing
  T1036.005 Masquerading: Match Legitimate Names or Locations
Credential Access T1552.001 Unsecured Credentials: Credentials In Files
  T1552.004 Unsecured Credentials: Private Keys
  T1552.005 Unsecured Credentials: Instance Metadata API
Discovery T1046 Network Service Scanning
  T1082 System Information Discovery
Command and Control T1071 Application Layer Protocol
  T1105 Ingress Tool Transfer
  T1219 Remote Access Software
  T1102 Web Service
Impact T1496 Resource Hijacking
https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server
Page 9 of 12

Appendix A
Docker Images
TeamTNT are also hosting malicious docker images on a Docker repo named “alpineos”. The account contains 25
images, which includes XMRig, a reverse shell, moneroocean, kubepwn, and TeamTNTbot builder. In some of
these images the scripts are reaching out to the scripts described above. In September 2021, CounterCraft released
research on the “alpinos/dockerapi” image.[6]
TeamTNT Docker Repo
Figure 11 - TeamTNT Docker Repo
Docker Image
alpineos/dockerapi
alpineos/wscopescan
alpineos/dsbo
alpineos/xxcrace
alpineos/firstt
alpineos/scopeppc64le
alpineos/tntxmrigbuilder
alpineos/simpledockerxmr
alpineos/ttdft
alpineos/tntbotbuilder
alpineos/minion
alpineos/xmrigcc
alpineos/fluxfaxpax
alpineos/scopeaarch64
alpineos/scanaround
alpineos/kirito
alpineos/kndb
alpineos/jupyter
https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server
Page 10 of 12

alpineos/java
alpineos/revs
alpineos/lftk
alpineos/basicxmr
alpineos/lft
alpineos/weavescope
Iran’s IRGC Names Western Tech Giants as “Legitimate Targets”: What CISOs Must Do Now
https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server
Page 11 of 12

When 766 Systems Fall in 24 Hours: The Threats Bearing Down on State Government Networks
The Iran Cyber Threat Machine Isn’t Slowing Down — Here’s What CISOs Need to Know Now
Source: https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server
https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server
Page 12 of 12

  https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server    
When 766 Systems Fall in 24 Hours: The Threats Bearing Down on State Government Networks
The Iran Cyber Threat Machine Isn’t Slowing Down-Here’s What CISOs Need to Know Now
Source: https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server      
   Page 12 of 12