Introduction Over the last three years, various cyber security companies wrote about TeamTNT TTPs, notably about the use of tmate as their tool of choice for backdooring Linux servers after a compromise: TeamTNT: Cryptomining Explosion (Intezer, 2021) Attackers Abusing Various Remote Control Tools (ASEC, 2022) TeamTNT Reemerged with New Aggressive Cloud Campaign (Aqua, 2023) In this short blog post, we examine the traces left behind from a tmate installation and some hints on where to find tr...
