The TeamTNT threat group has updated Black-T - its crypto-mining worm - with Linux password-stealing capabilities and with an additional network scanner to help facilitate its spread to other vulnerable devices.


While known mostly for actively targeting Docker instances to use compromised systems for unauthorized Monero (XMR) mining, the group now shifted their tactics by upgrading their cryptojacking malware to also collect user credentials.

As Unit 42 researchers found TeamTNT is hard at work boosting their malware's capabilities, this time adding memory password scraping capabilities via mimipy (with support for Windows/Linux/macOS) and mimipenguin (Linux support), two open-source Mimikatz equivalents targeting *NIX desktops.