
Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For Years

June 9, 2022

Cado Labs' honeypot infrastructure was recently compromised by a complex, multi-stage cryptojacking attack. Although the attack utilised many TeamTNT TTPs, it is assessed with high confidence that the group WatchDog is continuing to repurpose TeamTNT payloads, as it has done in the past. The attack targets exposed Docker Engine API endpoints and Redis servers, and can propagate in a worm-like fashion. Several sophisticated techniques were employed, including timestomping, process hiding and exploitation of a misconfigured Redis database that leaves it vulnerable to remote code execution.
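As an added example (not part of Cado Labs' report), a small configuration audit for the two exposure points named above, Redis and the Docker Engine API, with a constructed weak configuration shown beside a hardened one; the certificate paths and the password placeholder are assumptions.

```python
# Added example (not Cado Labs' code): audit redis.conf and Docker daemon.json for the exposure described above.
import json
import shlex

def audit_redis_conf(conf_text):
    """Findings for a redis.conf body: settings that let a remote client reach
    the server unauthenticated and reconfigure it through the CONFIG command."""
    directives = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    findings = []
    bind = directives.get("bind", [[]])[-1]  # the last bind directive wins
    if not bind or any(a in ("0.0.0.0", "*", "::", "-::*") for a in bind):
        findings.append("redis: listens on all interfaces (no bind or wildcard bind)")
    if directives.get("protected-mode", [["yes"]])[-1][:1] == ["no"]:
        findings.append("redis: protected-mode disabled")
    if "requirepass" not in directives:
        findings.append("redis: no requirepass, unauthenticated access")
    renamed = {a[0].upper() for a in directives.get("rename-command", []) if a}
    if "CONFIG" not in renamed:
        findings.append("redis: CONFIG command not renamed or disabled")
    return findings

def audit_docker_daemon(daemon_json):
    """Findings for daemon.json: a tcp:// listener without tlsverify hands the
    full Engine API (container create/exec) to anyone who can reach the port."""
    cfg = json.loads(daemon_json)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not (cfg.get("tlsverify") and cfg.get("tlscacert")):
        return ["docker: TCP API listener without mutual TLS: " + ", ".join(tcp_hosts)]
    return []

# Constructed samples: the weak form beside the corrected one.
WEAK_REDIS = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_REDIS = ("bind 127.0.0.1 -::1\nprotected-mode yes\n"
                  "requirepass REPLACE_WITH_LONG_RANDOM_SECRET\n"  # placeholder
                  'rename-command CONFIG ""\n')
WEAK_DOCKER = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DOCKER = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
                   ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
                   ' "tlscert": "/etc/docker/server-cert.pem",'
                   ' "tlskey": "/etc/docker/server-key.pem"}')  # assumed paths

if __name__ == "__main__":
    print("redis:", audit_redis_conf(WEAK_REDIS), audit_redis_conf(HARDENED_REDIS))
    print("docker:", audit_docker_daemon(WEAK_DOCKER), audit_docker_daemon(HARDENED_DOCKER))
```

The weak Redis sample produces four findings and the weak Docker sample one; both hardened samples produce none.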