Search Again
TeamTNT
Summary of Actor:TeamTNT is a cybercrime group primarily known for its use of cryptocurrency-mining malware. They have been active since at least 2019 and often target vulnerable Docker, Kubernetes, and Amazon Web Services (AWS) environments.
General Features:TeamTNT specializes in exploiting cloud environments to deploy cryptocurrency-mining malware. They are known for their use of open-source tools and scripting to automate attacks.
Related Other Groups: Rocke Group,Kinsing
Indicators of Attack (IoA):
- Exploitation of exposed Docker APIs
- Installation of cryptominers
- Use of Terraform to automate cloud infrastructure
- Scanning for exposed Docker and Kubernetes interfaces
Recent Activities and Trends:
- Latest Campaigns : Recently, TeamTNT has been observed exploiting vulnerabilities in Kubernetes clusters and AWS environments to deploy cryptocurrency miners and steal credentials.
- Emerging Trends : The group has shown an increasing interest in exploiting newer cloud services and utilizing advanced evasion techniques to avoid detection.
AdeptLibra
Adept Libra
Target Countries
Germany
Associated Malware/Software
Ursnif
Linux
sliver
XMRig
Windows
+3
️Related CVEs
ATT&CK IDs:
T1547
T1071.001 - Web Protocols
T1136
T1552.001 - Credentials In Files
T1571
+163
| Tactic | Id | Technique | |||
|---|---|---|---|---|---|
| Collection | T1056 | Input Capture |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1114 | Email Collection |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1005 | Data from Local System |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1123 | Audio Capture |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1113 | Screen Capture |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1115 | Clipboard Data |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1530 | Data from Cloud Storage |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1560 | Archive Collected Data |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1119 | Automated Collection |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1090 | Proxy |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1065 | Uncommonly Used Port |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1008 | Fallback Channels |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1105 | Ingress Tool Transfer |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1071 | Application Layer Protocol |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1026 | Multiband Communication |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1571 | Non-Standard Port |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1104 | Multi-Stage Channels |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1132 | Data Encoding |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1102 | Web Service |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1219 | Remote Access Tools |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1095 | Non-Application Layer Protocol |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1573 | Encrypted Channel |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1056 | Input Capture |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1003 | OS Credential Dumping |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1110 | Brute Force |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1555 | Credentials from Password Stores |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1111 | Multi-Factor Authentication Interception |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1539 | Steal Web Session Cookie |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1552 | Unsecured Credentials |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1081 | Credentials in Files |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1503 | Credentials from Web Browsers |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1040 | Network Sniffing |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1070 | Indicator Removal |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1036 | Masquerading |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1027 | Obfuscated Files or Information |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1085 | Rundll32 |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1055 | Process Injection |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1134 | Access Token Manipulation |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1218 | System Binary Proxy Execution |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1014 | Rootkit |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1112 | Modify Registry |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1170 | Mshta |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1610 | Deploy Container |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1222 | File and Directory Permissions Modification |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1550 | Use Alternate Authentication Material |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1553 | Subvert Trust Controls |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1130 | Install Root Certificate |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1564 | Hide Artifacts |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1574 | Hijack Execution Flow |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1127 | Trusted Developer Utilities Proxy Execution |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1078 | Valid Accounts |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1562 | Impair Defenses |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1087 | Account Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1033 | System Owner/User Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1613 | Container and Resource Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1518 | Software Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1124 | System Time Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1526 | Cloud Service Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1049 | System Network Connections Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1082 | System Information Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1217 | Browser Information Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1057 | Process Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1007 | System Service Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1083 | File and Directory Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1016 | System Network Configuration Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1046 | Network Service Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1120 | Peripheral Device Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1040 | Network Sniffing |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1497 | Virtualization/Sandbox Evasion |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1018 | Remote System Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1012 | Query Registry |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1203 | Exploitation for Client Execution |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1059 | Command and Scripting Interpreter |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1085 | Rundll32 |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1569 | System Services |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1204 | User Execution |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1053 | Scheduled Task/Job |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1170 | Mshta |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1610 | Deploy Container |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1047 | Windows Management Instrumentation |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1106 | Native API |
Sub Techniques |
Detections |
Mitigations |
| Exfiltration | T1048 | Exfiltration Over Alternative Protocol |
Sub Techniques |
Detections |
Mitigations |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
Sub Techniques |
Detections |
Mitigations |
| Exfiltration | T1011 | Exfiltration Over Other Network Medium |
Sub Techniques |
Detections |
Mitigations |
| Exfiltration | T1030 | Data Transfer Size Limits |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1565 | Data Manipulation |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1531 | Account Access Removal |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1490 | Inhibit System Recovery |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1499 | Endpoint Denial of Service |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1486 | Data Encrypted for Impact |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1561 | Disk Wipe |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1529 | System Shutdown/Reboot |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1485 | Data Destruction |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1496 | Resource Hijacking |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1489 | Service Stop |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1133 | External Remote Services |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1190 | Exploit Public-Facing Application |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1199 | Trusted Relationship |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1566 | Phishing |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1195 | Supply Chain Compromise |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1078 | Valid Accounts |
Sub Techniques |
Detections |
Mitigations |
| Lateral Movement | T1080 | Taint Shared Content |
Sub Techniques |
Detections |
Mitigations |
| Lateral Movement | T1550 | Use Alternate Authentication Material |
Sub Techniques |
Detections |
Mitigations |
| Lateral Movement | T1021 | Remote Services |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1137 | Office Application Startup |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1136 | Create Account |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1133 | External Remote Services |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1546 | Event Triggered Execution |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1543 | Create or Modify System Process |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1525 | Implant Internal Image |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1060 | Registry Run Keys / Startup Folder |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1053 | Scheduled Task/Job |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1112 | Modify Registry |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1176 | Software Extensions |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1098 | Account Manipulation |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1574 | Hijack Execution Flow |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1505 | Server Software Component |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1547 | Boot or Logon Autostart Execution |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1078 | Valid Accounts |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1055 | Process Injection |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1134 | Access Token Manipulation |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1546 | Event Triggered Execution |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1543 | Create or Modify System Process |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1053 | Scheduled Task/Job |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1098 | Account Manipulation |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1574 | Hijack Execution Flow |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1547 | Boot or Logon Autostart Execution |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1078 | Valid Accounts |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1611 | Escape to Host |
Sub Techniques |
Detections |
Mitigations |
| Reconnaissance | T1595 | Active Scanning |
Sub Techniques |
Detections |
Mitigations |
| Resource Development | T1583 | Acquire Infrastructure |
Sub Techniques |
Detections |
Mitigations |
| Resource Development | T1584 | Compromise Infrastructure |
Sub Techniques |
Detections |
Mitigations |
| Resource Development | T1587 | Develop Capabilities |
Sub Techniques |
Detections |
Mitigations |
Total Count : 10
https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/
https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool
https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt
https://unit42.paloaltonetworks.com/atoms/adept-libra/
https://cyware.com/news/hildegard-teamtnts-new-feature-rich-malware-targeting-kubernetes-6587eb45
https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/
https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials
https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment
Copyright © 2025 SOCRadar Cyber Intelligence Inc.
All rights
reserved.
