TeamTNT

Threat Actor updated 16 hours ago (2024-10-17T13:04:21.058Z)
TeamTNT, a known threat actor group, has been identified as the force behind an advanced malware campaign targeting Kubernetes. The group's Hildegard malware is one of the most complex attacks seen to date in this area. Despite a common belief that TeamTNT disbanded in 2022, evidence of the group's activity in 2023 has been discovered. The group is notorious for cryptojacking attacks, using victims' IT resources to illicitly mine cryptocurrency. Its tactics, techniques and procedures (TTPs) overlap with campaigns from previous years, indicating a consistent and persistent threat.

The initial infection vector of the P2PInfect worm exploited Redis through CVE-2022-0543, a method uncommon among other cryptojacking-focused worms. However, similarities between these attacks and those orchestrated by Adept Libra (also known as TeamTNT), Thief Libra (WatchDog) and Money Libra (Kinsing) suggest possible connections. The Hildegard malware, named after the username of the tmate account the malware uses, is believed to be part of a new TeamTNT campaign. The sophistication of these attacks underscores TeamTNT's advanced skills in automation and attention to detail, from initial access through to thwarting recovery attempts.

In 2023, the security companies SentinelOne and Aqua Security studied a TeamTNT cryptojacking campaign covering Google Cloud, Microsoft Azure and Amazon Web Services (AWS). It was reported that TeamTNT mined over $8,100 worth of cryptocurrency from hijacked cloud infrastructure at a cost to its victims of more than $430,000. While this may not seem like a significant profit, it demonstrates the potential financial impact on victims. As such, the cybersecurity community continues to monitor TeamTNT closely, warning of impending Docker attacks and other potential threats.
Description last updated: 2024-10-17T12:22:01.263Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth looking at.
Alias: Thief Libra (votes: 2)
Description: Thief Libra is a possible alias for TeamTNT. Thief Libra, also known as WatchDog, is a threat actor identified in the cybersecurity world for its malicious activities. The group's operations involve exploiting vulnerabilities to execute actions with harmful intent. A notable aspect of Thief Libra's modus operandi involves targeting Redis insta

Alias: Adept Libra (votes: 2)
Description: Adept Libra is a possible alias for TeamTNT. Adept Libra, also known as TeamTNT, is a malicious threat actor that has been active in cybersecurity breaches since at least July 2021. The group is known for its innovative use of tools such as LaZagne to steal passwords from various operating systems, including Linux distributions in cloud-based
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Worm
Aws
Linux
Cybercrime
Kubernetes
Credentials
Docker
Azure
LaZagne
Redis
Nginx
Associated Malware
Malware: P2PInfect (association type: Unspecified; votes: 2)
Description: The P2PInfect malware is associated with TeamTNT. P2PInfect is a form of malware, malicious software designed to infiltrate and damage computer systems or devices without the user's knowledge. It can enter your system through suspicious downloads, emails, or websites and once inside, it has the ability to steal personal information, disrupt operati
Source Document References
Information about the TeamTNT threat actor was read from the document corpus below. This display is limited to 20 results.
Source (created):
InfoSecurity-magazine (a month ago)
Securityaffairs (a month ago)
InfoSecurity-magazine (7 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
CERT-EU (2 years ago)
CERT-EU (a year ago)
InfoSecurity-magazine (a year ago)
Trend Micro (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Unit42 (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)