TeamTNT threat group has modified versions of malicious shell scripts, that can run on-premise, in containers, or other Linux instances, to mine cryptocurrency in AWS.

TeamTNT’s shell scripts

Along with credential stealer scripts, various TeamTNT payloads are focused on crypto-mining, persistence, and lateral movement by discovering and deploying all Kubernetes pods in a local network.
  • The names of some of these scripts are Kubernetes_root_PayLoad_2[.]sh, Kubernetes_root_PayLoad_1[.]sh, init[.]sh, init_main_root[.]sh, and Setup_Rainbow_miner[.]sh.
  • One of the scripts comes with login credentials for the primary distribution server and another one with an API key that might facilitate remote access to a tmate shared terminal session.

Furthermore, some of the scripts have defence evasion functions aimed at disabling Alibaba cloud security tools, Tencent Cloud Monitor, and third-party BMC Helix Cloud Security agents.

Similar campaign

Recently, LemonDuck botnet was found targeting Docker to mine cryptocurrency on Linux systems.
  • Similarly, it avoids detection by targeting Alibaba Cloud's monitoring service and disabling it in a similar way as TeamTNT.
  • It runs an anonymous mining operation using proxy pools for hiding wallet addresses.


Cybercriminals are now prominently targeting cloud environments and TeamTNT is already a prominent player known for targeting cloud infrastructure. Continue taking the right measures to protect your systems from such threats.
Cyware Publisher