TeamTNT
TeamTNT is a threat cluster best known for Linux-focused intrusions in cloud and containerized environments, where it has been associated with cryptomining activity and related post-compromise tradecraft.
Profile source: Mallory opens in a new tabTeamTNT
Family profile
TeamTNT is a threat cluster best known for Linux-focused intrusions in cloud and containerized environments, where it has been associated with cryptomining activity and related post-compromise tradecraft. It is widely referenced in the context of Linux malware operations and is notable for targeting the growing population of Linux workloads in public cloud infrastructure. TeamTNT has been cited among prominent Linux threats observed during the broader rise in Linux-targeting malware.
Available high-confidence reporting in this context links TeamTNT to cryptominer deployment on Linux systems. It is also referenced in ATT&CK-aligned detection material related to exfiltration over alternative protocols, indicating association with tradecraft that may include DNS-based exfiltration behavior. TeamTNT is therefore relevant both as a Linux malware operator and as an example of adversaries whose activity may blend commodity payloads with living-off-the-land techniques.
TeamTNT is commonly discussed alongside Linux behavioral detection challenges because attackers in this space often abuse legitimate administrative tools and services, making simple signature-based detection insufficient unless defenders already possess known malware samples. The threat is especially relevant to defenders monitoring cloud-hosted Linux servers, containers, and other internet-exposed Linux infrastructure.
Capabilities
- Exfiltration
MITRE ATT&CK
TeamTNT in ATT&CK
1 distinct techniquesReporting
Research mentioning TeamTNT
Threat Detection Insights on Linux with Signatures and Behavior
If you have a known cryptominer binary—like the ones often deployed by Kinsing or TeamTNT—a YARA rule or a hash match is the most efficient way to flag it.
Detection: Excessive Usage of NSLOOKUP App | Splunk Security Content
Annotations ID Technique Tactic T1048 Exfiltration Over Alternative Protocol Exfiltration TeamTNT
Top Linux Cloud Threats of 2020
TeamTNT is listed among notable Linux malware discoveries of the year.