The notorious hacker group TeamTNT has launched a sophisticated new cryptomining campaign, targeting cloud-native environments and, specifically, Docker containers exposed to the internet. Known for their aggressive cryptojacking attacks since 2019, TeamTNT is using a multi-stage approach to infiltrate vulnerable cloud environments and monetize compromised servers by mining cryptocurrency and renting out breached systems to third parties. The group has shifted from relying solely on malware to leveraging Docker Hub as a distribution platform for harmful Alpine Linux images that contain the open-source Sliver command-and-control (C2) framework, allowing them to maintain remote control over infected servers.
At the core of this campaign is a scanning process conducted with tools like masscan and ZGrab to identify exposed Docker API endpoints across nearly 16.7 million IP addresses. When a vulnerable endpoint is found, TeamTNT deploys a Docker container that initiates an attack script, dubbed “Docker Gatling Gun” (TDGGinit.sh), which installs cryptominers and executes additional post-exploitation tasks. Aqua Security’s director of threat intelligence, Assaf Morag, reported that the campaign also uses the anondns service, providing anonymized DNS resolution to shield TeamTNT’s C2 communications from detection. The group’s infrastructure was initially uncovered in an early stage by Datadog, prompting TeamTNT to adapt its approach, emphasizing their agility and evolving tactics.
In this campaign, TeamTNT has also moved away from the previously used Tsunami backdoor, opting instead for the Sliver framework, which offers advanced C2 capabilities and reflects a maturing attack strategy. This framework allows TeamTNT to control infected servers more effectively, manage cryptomining operations, and remotely execute commands on compromised machines. The group’s attack script runs on compromised Docker instances, turning them into a Docker Swarm that can be rented out on platforms such as Mining Rig Rentals, which provides illicit mining services on a larger scale and diversifies TeamTNT’s monetization methods.
The latest TeamTNT campaign highlights the ongoing risk that cryptojacking groups pose to cloud infrastructures, especially for organizations that leave Docker daemons and other cloud services exposed or unprotected. Security experts recommend that companies lock down their Docker API endpoints, implement strict access controls, and continuously monitor for suspicious activity to prevent their systems from being swept into such operations. The growing sophistication of TeamTNT’s tactics underscores the need for heightened cloud security vigilance as the group continues to expand and refine its cryptomining campaigns.
