Threat Actor Profile
High APT
Description

TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.(Citation: Palo Alto Black-T October 2020)(Citation: Lacework TeamTNT May 2021)(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro TeamTNT)(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Aqua TeamTNT August 2020)(Citation: Intezer TeamTNT Explosion September 2021)

Confidence Score
90%
Known Aliases
TeamTNT
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (56)
T1074.001 - Local Data Staging
Collection
T1071 - Application Layer Protocol
Command and Control
T1071.001 - Web Protocols
Command and Control
T1102 - Web Service
Command and Control
T1105 - Ingress Tool Transfer
Command and Control
T1219 - Remote Access Tools
Command and Control
T1552.001 - Credentials In Files
Credential Access
T1552.004 - Private Keys
Credential Access
T1552.005 - Cloud Instance Metadata API
Credential Access
T1014 - Rootkit
Defense Evasion
T1027.002 - Software Packing
Defense Evasion
T1027.013 - Encrypted/Encoded File
Defense Evasion
T1036 - Masquerading
Defense Evasion
T1036.005 - Match Legitimate Resource Name or Locat…
Defense Evasion
T1070.002 - Clear Linux or Mac System Logs
Defense Evasion
T1070.003 - Clear Command History
Defense Evasion
T1070.004 - File Deletion
Defense Evasion
T1140 - Deobfuscate/Decode Files or Information
Defense Evasion
T1222.002 - Linux and Mac File and Directory Permis…
Defense Evasion
T1562.001 - Disable or Modify Tools
Defense Evasion
T1562.004 - Disable or Modify System Firewall
Defense Evasion
T1610 - Deploy Container
Defense Evasion
T1007 - System Service Discovery
Discovery
T1016 - System Network Configuration Discovery
Discovery
T1046 - Network Service Discovery
Discovery
T1049 - System Network Connections Discovery
Discovery
T1057 - Process Discovery
Discovery
T1082 - System Information Discovery
Discovery
T1083 - File and Directory Discovery
Discovery
T1120 - Peripheral Device Discovery
Discovery
T1518.001 - Security Software Discovery
Discovery
T1613 - Container and Resource Discovery
Discovery
T1680 - Local Storage Discovery
Discovery
T1059.001 - PowerShell
Execution
T1059.003 - Windows Command Shell
Execution
T1059.004 - Unix Shell
Execution
T1059.009 - Cloud API
Execution
T1059.013 - Container CLI/API
Execution
T1204.003 - Malicious Image
Execution
T1569.003 - Systemctl
Execution
T1609 - Container Administration Command
Execution
T1048 - Exfiltration Over Alternative Protocol
Exfiltration
T1496.001 - Compute Hijacking
Impact
T1021.004 - SSH
Lateral Movement
T1098.004 - SSH Authorized Keys
Persistence
T1133 - External Remote Services
Persistence
T1136.001 - Local Account
Persistence
T1543.002 - Systemd Service
Persistence
T1543.003 - Windows Service
Persistence
T1547.001 - Registry Run Keys / Startup Folder
Persistence
T1611 - Escape to Host
Privilege Escalation
T1595.001 - Scanning IP Blocks
Reconnaissance
T1595.002 - Vulnerability Scanning
Reconnaissance
T1583.001 - Domains
Resource Development
T1587.001 - Malware
Resource Development
T1608.001 - Upload Malware
Resource Development
STIX Data
{'aliases': ['TeamTNT'],
 'created': '2021-10-01T01:57:31.229Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[TeamTNT](https://attack.mitre.org/groups/G0139) is a threat '
                'group that has primarily targeted cloud and containerized '
                'environments. The group as been active since at least October '
                '2019 and has mainly focused its efforts on leveraging cloud '
                'and container resources to deploy cryptocurrency miners in '
                'victim environments.(Citation: Palo Alto Black-T October '
                '2020)(Citation: Lacework TeamTNT May 2021)(Citation: Intezer '
                'TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm '
                'August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: '
                'Trend Micro TeamTNT)(Citation: ATT TeamTNT Chimaera September '
                '2020)(Citation: Aqua TeamTNT August 2020)(Citation: Intezer '
                'TeamTNT Explosion September 2021)',
 'external_references': [{'external_id': 'G0139',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0139'},
                         {'description': 'AT&T Alien Labs. (2021, September '
                                         '8). TeamTNT with new campaign aka '
                                         'Chimaera. Retrieved September 22, '
                                         '2021.',
                          'source_name': 'ATT TeamTNT Chimaera September 2020',
                          'url': 'https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera'},
                         {'description': 'Cado Security. (2020, August 16). '
                                         'Team TNT – The First Crypto-Mining '
                                         'Worm to Steal AWS Credentials. '
                                         'Retrieved September 22, 2021.',
                          'source_name': 'Cado Security TeamTNT Worm August '
                                         '2020',
                          'url': 'https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/'},
                         {'description': 'Chen, J. et al. (2021, February 3). '
                                         'Hildegard: New TeamTNT Cryptojacking '
                                         'Malware Targeting Kubernetes. '
                                         'Retrieved April 5, 2021.',
                          'source_name': 'Unit 42 Hildegard Malware',
                          'url': 'https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/'},
                         {'description': 'Fiser, D. Oliveira, A. (n.d.). '
                                         'Tracking the Activities of TeamTNT A '
                                         'Closer Look at a Cloud-Focused '
                                         'Malicious Actor Group. Retrieved '
                                         'September 22, 2021.',
                          'source_name': 'Trend Micro TeamTNT',
                          'url': 'https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf'},
                         {'description': 'Fishbein, N. (2020, September 8). '
                                         'Attackers Abusing Legitimate Cloud '
                                         'Monitoring Tools to Conduct Cyber '
                                         'Attacks. Retrieved September 22, '
                                         '2021.',
                          'source_name': 'Intezer TeamTNT September 2020',
                          'url': 'https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/'},
                         {'description': 'Intezer. (2021, September 1). '
                                         'TeamTNT Cryptomining Explosion. '
                                         'Retrieved October 15, 2021.',
                          'source_name': 'Intezer TeamTNT Explosion September '
                                         '2021',
                          'url': 'https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf'},
                         {'description': 'Kol, Roi. Morag, A. (2020, August '
                                         '25). Deep Analysis of TeamTNT '
                                         'Techniques Using Container Images to '
                                         'Attack. Retrieved September 22, '
                                         '2021.',
                          'source_name': 'Aqua TeamTNT August 2020',
                          'url': 'https://blog.aquasec.com/container-security-tnt-container-attack'},
                         {'description': 'Quist, N. (2020, October 5). '
                                         'Black-T: New Cryptojacking Variant '
                                         'from TeamTNT. Retrieved September '
                                         '22, 2021.',
                          'source_name': 'Palo Alto Black-T October 2020',
                          'url': 'https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/'},
                         {'description': 'Stroud, J. (2021, May 25). Taking '
                                         "TeamTNT's Docker Images Offline. "
                                         'Retrieved September 16, 2024.',
                          'source_name': 'Lacework TeamTNT May 2021',
                          'url': 'https://www.lacework.com/blog/taking-teamtnt-docker-images-offline'}],
 'id': 'intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca',
 'modified': '2025-10-22T03:04:28.916Z',
 'name': 'TeamTNT',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.3.0',
 'x_mitre_contributors': ['Will Thomas, Cyjax', 'Darin Smith, Cisco'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.4'}