Kinsing
Kinsing is a Linux-focused malware/cryptomining threat best known for spreading cryptocurrency miners on compromised systems, including cloud and containerized environments. The content associates it with exploitation of exposed services and known vulnerabilities, including execution in an Ubuntu container via an open Docker daemon API, abuse of Apache ActiveMQ RCE CVE-2023-46604, exploitation of PHPUnit CVE-2017-9841, and delivery observed in Log4Shell-related activity. Kinsing has also been reported exploiting Apache ActiveMQ to add the Sharpire backdoor as part of a multi-stage intrusion.
Its post-compromise behavior includes SSH-based propagation and credential abuse. The content states Kinsing has used valid SSH credentials to access remote hosts, attempted to brute-force hosts over SSH, used SSH for lateral movement, parsed files such as /etc/hosts and SSH known_hosts to discover remote systems, searched for private keys, and reused SSH-reachable trust relationships to spread. These behaviors align with worm-like expansion across Linux hosts.
Kinsing is repeatedly referenced as a common rival in the Linux cryptomining ecosystem: other malware families explicitly kill or remove Kinsing processes, and kill lists include typo variants such as kingsin and kinsin. This indicates Kinsing is a well-established Linux cryptojacking family. High-confidence targeting context in the content is Linux systems, especially exposed cloud/container infrastructure. No unique Kinsing-specific IOC set is provided in the content beyond the cited exploitation vectors and SSH-related behaviors.
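As an added example that is not part of this page or of Mallory, the Python below sketches detection logic for the post-compromise behaviours summarised above: a parent process that reads /etc/hosts and known_hosts, runs find for private keys, and then fans out over SSH to many hosts, plus process names matching the kinsing/kingsin/kinsin variants found in rival miners' kill lists. The event schema, thresholds and sample events are constructed assumptions for the example, not real telemetry.

```python
"""Kinsing-style SSH propagation detection over constructed process events.

Covers the behaviours summarised on the page: parsing /etc/hosts and
~/.ssh/known_hosts, searching for private keys, fanning out over SSH, and
rival miners killing processes named kinsing / kingsin / kinsin.
Event schema, thresholds and sample data are assumptions made for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Name variants quoted from rival miners' kill lists: kinsing, kingsin, kinsin
KINSING_NAME = re.compile(r"\bkin(?:g?sin|sing)\b", re.IGNORECASE)
# Files Kinsing parses to discover remote systems
HOST_LISTS = re.compile(r"/etc/hosts\b|\.ssh/known_hosts\b")
# Typical private-key file names a key hunt would search for
PRIVATE_KEY = re.compile(r"id_(?:rsa|dsa|ecdsa|ed25519)\b|\.pem\b")
# ssh options that consume the following token
SSH_OPTS_WITH_VALUE = {"-o", "-p", "-i", "-l", "-F", "-J"}


@dataclass
class Event:
    ts: int        # seconds on a constructed timeline
    pid: int
    ppid: int      # parent process; groups one actor's activity
    comm: str      # process name
    cmdline: str


def ssh_target(cmdline):
    """Return the [user@]host operand of an ssh command line, skipping options."""
    expect_value = False
    for tok in cmdline.split()[1:]:
        if expect_value:
            expect_value = False
        elif tok in SSH_OPTS_WITH_VALUE:
            expect_value = True
        elif not tok.startswith("-"):
            return tok
    return None


def max_distinct_in_window(samples, window):
    """Largest number of distinct hosts contacted within any `window` seconds."""
    samples = sorted(samples)
    best = 0
    for i, (t0, _) in enumerate(samples):
        hosts = {h for t, h in samples[i:] if t - t0 <= window}
        best = max(best, len(hosts))
    return best


def detect(events, fanout_threshold=5, window=300):
    """Return (rule, subject, detail) findings; subject is a pid or a parent pid."""
    findings = []
    per_parent = defaultdict(lambda: {"hosts_read": False, "key_hunt": False, "ssh": []})
    for e in events:
        if KINSING_NAME.search(e.comm) or KINSING_NAME.search(e.cmdline):
            findings.append(("kinsing_name", e.pid, f"{e.comm}: {e.cmdline}"))
        if e.comm != "ssh" and HOST_LISTS.search(e.cmdline):
            per_parent[e.ppid]["hosts_read"] = True
            findings.append(("host_list_parsed", e.pid, e.cmdline))
        if e.comm == "find" and PRIVATE_KEY.search(e.cmdline):
            per_parent[e.ppid]["key_hunt"] = True
            findings.append(("private_key_hunt", e.pid, e.cmdline))
        if e.comm == "ssh":
            target = ssh_target(e.cmdline)
            if target:
                per_parent[e.ppid]["ssh"].append((e.ts, target.rsplit("@", 1)[-1]))
    for ppid, st in per_parent.items():
        fanout = max_distinct_in_window(st["ssh"], window)
        if fanout >= fanout_threshold:
            findings.append(("ssh_fanout", ppid, f"{fanout} distinct hosts in {window}s"))
        # The combination is what separates worm-like spread from an admin's ssh loop
        if st["hosts_read"] and st["key_hunt"] and fanout >= fanout_threshold:
            findings.append(("kinsing_like_propagation", ppid, "host list + key hunt + ssh fan-out"))
    return findings


# Constructed sample: parent 4242 behaves like the summary; parent 900 is an admin.
SAMPLE_EVENTS = [
    Event(1000, 5001, 4242, "cat", "cat /etc/hosts"),
    Event(1002, 5002, 4242, "cat", "cat /root/.ssh/known_hosts"),
    Event(1005, 5003, 4242, "find", "find / -name id_rsa -o -name '*.pem'"),
] + [
    Event(1010 + 15 * i, 5100 + i, 4242, "ssh",
          f"ssh -o StrictHostKeyChecking=no -i /root/.ssh/id_rsa root@10.0.0.{i} uname -a")
    for i in range(6)
] + [
    Event(1100, 6001, 900, "ssh", "ssh -p 2222 admin@db01 systemctl status postgresql"),
    Event(1200, 7001, 7000, "pkill", "pkill -f kingsin"),   # a rival miner's kill list
]


def run_demo():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, subject, detail in run_demo():
        print(f"{rule:26} {subject:<6} {detail}")
```

The per-parent correlation is the point: any one of the three signals is common admin activity on its own, so the high-severity finding fires only when the host-list read, the key hunt and the SSH fan-out share a parent. The name regex is deliberately narrow so that "kinship" and similar words do not match.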
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
6 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Threat actors are continuing to exploit a critical Langflow vulnerability as part of fresh attacks designed to deliver a Monero cryptocurrency miner. The activity has been found to weaponize CVE-2026-33017 (CVSS score: 9.3), an unauthenticated remote code execution (RCE) vulnerability in Langflow, indicating threat actors are scanning and targeting exposed artificial intelligence (AI) application endpoints for obtaining initial access to enterprise networks.
Red Canary detected an adversary executing discovery commands on dozens of cloud-based Linux endpoints vulnerable to a critical remote code vulnerability (CVE-2023-46604) in Apache ActiveMQ... Security researchers have previously identified adversaries exploiting CVE-2023-46604 for malware deployment, to spread TellYouThePass, Ransomhub and HelloKitty ransomware, along with Kinsing... Finally, the adversary used curl to download two ActiveMQ JAR files... These two JAR files constitute a legitimate patch for CVE-2023-46604. | ...along with Kinsing, a malware strain known for targeting Linux systems to spread cryptominers.
VulnCheck's exploit intelligence data shows CVE-2017-9841 has been leveraged by several botnets including RondoDox, Kinsing, KashmirBlack, Sysrv and Androxgh0st.
"A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and dubbed React2Shell, exists within the React Server Components (RSC) architecture, allowing unauthenticated attackers to execute arbitrary code..."
"...delivery of the Kinsing cryptocurrency miner."
"x522, which kills competing miners such as XMRig and Kinsing, and launches the miner with a c3pool.org configuration"
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
"actors leverage legitimate credentials to log into external remote services"; "used legitimate credentials to gain initial access, maintain access, and exfiltrate data"; "used valid accounts for initial access and privilege escalation"
Execution
5 techniques
Examples include "CookieMiner has looked for files in the user's home directory with 'wallet' in their name using find .", "Kinsing has used the find command to search for specific files", and "APT41 has executed file /bin/pwd on exploited victims."
Persistence
3 techniques
Privilege Escalation
2 techniques
Stealth
1 technique
Defense Impairment
1 technique
Credential Access
3 techniques
"Sandworm Team used a script to attempt RPC authentication against a number of hosts"; "Agrius engaged in various brute forcing activities via SMB"; "Chaos conducts brute force attacks against SSH services to gain initial access"; "Fox Kitten has brute forced RDP credentials"; "Turla may attempt to connect ... using net use commands and a predefined list ... of passwords."
Ebury has intercepted unencrypted private keys as well as private key pass-phrases. Hildegard has searched for private keys in .ssh. jRAT can steal keys for VPNs and cryptocurrency wallets. Kinsing has searched for private keys. Machete has scanned and looked for cryptographic keys and certificate file extensions. TeamTNT has searched for unsecured SSH keys. Troll Stealer collects all data in victim .ssh folders by creating a compressed copy that is subsequently exfiltrated.
Discovery
4 techniques
Earth Lusca used the command powershell "Get-EventLog -LogName security -Newest 500 | where {$_.EventID -eq 4624} | format-list -property * | findstr "Address"" to find the network information of successfully logged-in accounts and so discover the addresses of other machines.
During the 2015 Ukraine Electric Power Attack, Sandworm Team remotely discovered systems over LAN connections. OT systems were visible from the IT network as well, giving adversaries the ability to discover operational assets.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Lateral Movement
2 techniques
Command and Control
2 techniques
IOCs tracked for this family
51 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
38 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a competing cryptomining malware family whose processes are terminated by lambsys.
A rival Linux cryptomining malware family referenced as a competitor that lambsys explicitly detects and kills, including typo-variant process names and persistence artifacts.
Botnet involved in exploiting exposed PHPUnit eval-stdin.php instances via CVE-2017-9841.
Malware referenced via an external report about container vulnerability exploitation; the content itself does not provide additional details.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.