TeamTNT is a threat cluster best known for Linux-focused intrusions in cloud and containerized environments, where it has been associated with cryptomining activity and related post-compromise tradecraft. It is widely referenced in the context of Linux malware operations and is notable for targeting the growing population of Linux workloads in public cloud infrastructure. TeamTNT has been cited among prominent Linux threats observed during the broader rise in Linux-targeting malware.
Available high-confidence reporting in this context links TeamTNT to cryptominer deployment on Linux systems. It is also referenced in ATT&CK-aligned detection material related to exfiltration over alternative protocols, indicating association with tradecraft that may include DNS-based exfiltration behavior. TeamTNT is therefore relevant both as a Linux malware operator and as an example of adversaries whose activity may blend commodity payloads with living-off-the-land techniques.
TeamTNT is commonly discussed alongside Linux behavioral detection challenges because attackers in this space often abuse legitimate administrative tools and services, making simple signature-based detection insufficient unless defenders already possess known malware samples. The threat is especially relevant to defenders monitoring cloud-hosted Linux servers, containers, and other internet-exposed Linux infrastructure.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct technique documented for this family, organized by ATT&CK tactic.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a known Linux-focused cryptomining threat used as an example of malware that signature-based detection can efficiently identify.
Annotations ID Technique Tactic T1048 Exfiltration Over Alternative Protocol Exfiltration TeamTNT
Threat actor group known for deploying cryptomining malware on Linux cloud environments.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.