Active since April, the TeamTNT botnet is typically a cryptojacking operation, known for downloading the XMRig cryptomining tool to mine Monero. However, in the recent variants, its scripts have been enhanced to perform additional functionalities besides mining cryptocurrency.

The latest behavior

TeamTNT botnet has been evolving exponentially over the past few months. Recently, Trend Micro researchers have observed the TeamTNT botnet updated with Docker API and AWS credentials stealing capabilities, along with several other updates. 
  • The malicious scripts can prepare the environment on the victim machine by checking for the presence of security solutions, needed resources, tools, and computer power, which will be needed for further operations.
  • The script has been also used to search and map new vulnerable container APIs for future exploitation.
  • After setting the environment, the shell script focuses on the stealing and exfiltration of AWS and Docker API credentials.
  • In addition, TeamTNT makes sure to leave backdoors in case it needs to remotely connect to the targets.

Recent TeamTNT activities

From scanning and stealing AWS credentials to targeting misconfigured Kubernetes installations, the botnet has been consistently enhancing its capabilities.
  • In the last month, the TeamTNT group developed its own IRC (Internet Relay Chat) bot named TNTbotinger, which is capable of carrying out DDoS attacks.
  • In October, the threat actor had relied on a cryptojacking malware named Black-T that targets cloud systems and stops crypto-jacking worms, such as the Crux worm, ntpd miner, and a Redis-backup miner.


The evolution of the tactics of TeamTNT botnet indicates that system admins should continuously monitor and audit devices, especially those used to access the office network. Users are recommended to regularly patch and update systems to ensure that the systems’ defenses are updated and adhere to the shared responsibility model.

Cyware Publisher