THREATOPS Actor Dossier
LIVE ← Dashboard

TeamTNT

G01391 reports
aliases · TeamTNT
Export dossier:
1
Reports
6
Techniques
4
Tactics
2
Countries
83%
Hunt coverage
1
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1590.005 (IP Addresses), T1588.006 (Vulnerabilities), T1552.004 (Private Keys).
  • Primary targeting: US, DE.
  • Currently dormant: 0 report(s) in last 30d vs 0 prior (+0%).
  • Hunt coverage 83% of 6 observed techniques (1 gap(s)).
  • Assessment confidence: medium (60).

Activity & trend

DormantLast 30d: 0 vs 0 prior (+0%)· first reported 2026-05-07 · last 2026-05-07
0
7d
0
30d
1
90d
1
All
0.1
Rpts/wk
Reporting timeline · 12 months

Vulnerabilities in this actor's reporting · 5

Overview

Analyst triage
Intelligence summary

TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.(Citation: Palo Alto Black-T October 2020)(Citation: Lacework TeamTNT May 2021)(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro TeamTNT)(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Aqua TeamTNT August 2020)(Citation: Intezer TeamTNT Explosion September 2021)

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected