>samit_hota
Back to adversary profiles
G0139HighActive

Threat Actor Profile: TeamTNT (G0139)

Samit Hota·
Suspected Origin
Germany
Motivation
Financial Gain (Cryptojacking, Credential Theft)
Aliases
None documented
Target Sectors
Energy & Utilities, Information Services, Data Processing Services, Construction, Software Publishers, Wired and Wireless Telecommunications Carriers, Computer Systems Design and Related Services
Associated Malware
Hildegard, Black-T, TNTbotinger, XMRig, T-Rex Miner, CGMiner, BFGMiner, SGMiner, RainbowMiner, lolMiner, Tsunami, Mirai, Sliver
#threat-actor#g0139

Overview

TeamTNT, tracked as G0139, is a prominent and highly specialized cybercrime group that has focused its operations almost exclusively on cloud and containerized environments since at least October 2019. This group is primarily driven by financial gain, achieved through the deployment of cryptocurrency miners (cryptojacking) and the monetization of stolen cloud credentials and server access. Their primary target infrastructure includes Docker, Kubernetes, and Redis instances, as well as major cloud providers like Amazon Web Services (AWS) and Google Cloud.

TeamTNT is an anomaly in the threat landscape due to its unusual public persona. The group has been assessed with high confidence to be of German origin, with evidence such as German language in their scripts, social media posts, and interactions with security researchers. An individual identified as “Hildegard” claims to lead the group and is reportedly active on platforms like Twitter (under the handle HildeTNT), where they have been known to interact with security researchers and even publicize campaign successes – a rare behavior for a threat actor. This transparency, while unusual, offers unique insights into their evolving methodologies. The group’s persistent targeting of cloud resources highlights a clear understanding of cloud-native environments and their vulnerabilities, making them a significant threat to organizations leveraging such infrastructure.

Tactics & Techniques

TeamTNT’s modus operandi typically begins with initial access gained by exploiting misconfigurations in cloud environments. They frequently target exposed Docker daemons on common ports (2375, 2376, 4243, 4244), misconfigured kubelets that allow anonymous access, vulnerable Redis instances, and leaked SSH credentials. For reconnaissance, they deploy network scanning tools such as Masscan, pnscan, zgrab, and zmap to identify open Docker API ports and Kubernetes clusters.

Once a foothold is established, TeamTNT aggressively pursues credential access and enumeration of the environment. They have developed capabilities to scrape memory for passwords using mimipy and mimipenguins, which are Linux equivalents to the Windows-focused Mimikatz. Additionally, they hunt for AWS credentials (including from instance metadata services), SSH keys, Docker credentials, Kubernetes service tokens, and other application-specific credentials. The group employs open-source tools like Lazagne to retrieve stored passwords from various applications.

For execution, TeamTNT commonly deploys malicious container images, often based on Alpine Linux, and executes sophisticated shell or batch scripts. They leverage the kubelet API to run commands directly within containers. Persistence is achieved through creating cryptocurrency mining system services, adding startup scripts, and establishing local privileged users with SSH access, often deploying their own public keys. They also modify /etc/ld.so.preload for library injection to hide malicious processes.

A significant aspect of TeamTNT’s operations is their robust defense evasion techniques. They use libprocesshider to cloak their activities by overwriting readdir() and readdir64() functions, making malicious processes invisible to utilities like ps. Processes are often disguised with legitimate Linux names, such as bioset. To hinder analysis, payloads are frequently encrypted (e.g., with AES) or packed using tools like UPX and Ezuri. The group is known to clear command history, delete scripts post-execution, disable iptables, and uninstall cloud security agents (like those from Alibaba and Tencent). They also modify DNS resolvers to use public servers, bypassing internal DNS monitoring. TeamTNT actively scans for and removes rival cryptominers, such as Kinsing, to ensure exclusive resource utilization.

Lateral movement is achieved by exploiting stolen credentials, leveraging Docker Swarm for broader reach, and compromising cloud-native network mesh applications like Weave Scope. The ultimate impact of their attacks is financial, leading to significant resource hijacking for cryptojacking, which translates to direct monetary costs for victims in cloud billing, alongside the risk of data theft.

Notable Campaigns

TeamTNT has executed several notable campaigns demonstrating their evolving capabilities:

  • Black-T (October 2020): This campaign marked a significant evolution, introducing memory password scraping capabilities via mimipy and mimipenguins. Black-T also featured code to actively identify and terminate competing cryptojacking worms, solidifying TeamTNT’s dominance over compromised resources.
  • Hildegard (January 2021): The Hildegard campaign specifically targeted Kubernetes environments, exploiting misconfigured kubelets for initial access. The associated malware, also named Hildegard, incorporated advanced stealth features, including the use of tmate reverse shells and IRC channels for command and control (C2), process disguising, and payload encryption.
  • Chimaera (July 2021): This widespread campaign expanded TeamTNT’s targeting to a broader range of operating systems, including Windows, various Linux distributions, AWS, Docker, and Kubernetes. Chimaera saw the integration of new open-source tools, notably Lazagne, for extensive credential theft, leading to thousands of infections globally and allegedly compromising over 10,000 devices.
  • Docker Gatling Gun (October 2024): This recent campaign demonstrates TeamTNT’s continued activity and adaptation. It leverages compromised Docker daemons, extending attacks by appending them to Docker Swarms and utilizing Docker Hub for malware distribution. Notably, it replaces the older Tsunami backdoor with the more sophisticated Sliver malware.

Associated Malware & Tools

TeamTNT frequently employs a mix of custom malware and readily available open-source tools to achieve its objectives:

  • Custom Malware:
    • Hildegard: A sophisticated malware specifically designed to target Kubernetes clusters, known for its stealth and persistence mechanisms.
    • Black-T: A cryptojacking variant focused on stealing AWS credentials and competing with other miners.
    • TNTbotinger: An IRC bot primarily used for C2 communications and capable of launching Distributed Denial of Service (DDoS) attacks.
  • Cryptominers: The group predominantly uses XMRig for Monero mining, but has also been observed with T-Rex Miner, CGMiner, BFGMiner, SGMiner, RainbowMiner, and lolMiner.
  • Backdoors & Rootkits: They have used Tsunami and Mirai for remote access, the PHP web administrator b374k shell, the open-source Diamorphine rootkit for hiding activities, and more recently, the stealthier Sliver C2 framework.
  • Scanning & Exploitation Tools: Popular open-source network scanners like Masscan, pnscan, zgrab, and zmap are routinely used for target identification. They also incorporate specialized tools like Peirates for Kubernetes and cloud penetration testing, and Weave Scope for targeting exposed Docker API ports.
  • Credential Harvesters: Beyond their custom capabilities, Lazagne is a key open-source tool for collecting stored credentials, while mimipy and mimipenguins facilitate memory password scraping.
  • Defense Evasion Tools: libprocesshider is a core tool for concealing malicious processes, and BOtB is used for container breakouts, exploiting CVE-2019-5736.
  • Utilities: Common Linux utilities such as curl, wget, pip, chattr, systemctl, history -c, and file compression tools like 7z are frequently observed in their scripts.

Current Status

TeamTNT has maintained a consistent presence in the threat landscape since its emergence in late 2019. While there were reports in late 2021 and early 2022 suggesting the group might be disbanding or that other actors like WatchDog were mimicking their tactics, subsequent and more recent intelligence confirms their ongoing activity.

The group “abruptly vanished in 2022, then re-emerged in 2023”. More concretely, the “Docker Gatling Gun” campaign observed in October 2024 indicates a clear return to form and continued evolution, replacing older tools with newer, stealthier alternatives like Sliver. Continuous updates from security vendors tracking their infrastructure and campaigns, including recent observations up to July 2026, strongly confirm that TeamTNT remains an active and evolving threat actor. Their ongoing focus on cloud and container environments means they continue to pose a significant risk to organizations with such deployments.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call