Kinsing
Essential information
- Confidence
- 100/100
- Is family
- Yes
- Published
- 06/04/2021 14:22
- Modified
- 27/03/2026 01:06
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Related entities
- 47 attack patterns (mitre), 1 intrusion sets (apt), 3 countries, 68 indicators, 9 vulnerabilities (cve)
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators, intrusion sets and other entities linked to this malware.
Attack patterns (MITRE) (47)
-
T1027 usesObfuscated Files or Information MITRE
-
T1574 usesHijack Execution Flow MITRE
-
T1496 usesResource Hijacking MITRE
-
T1113 usesScreen Capture MITRE
-
T1053.003 usesCron MITRE
-
T1055.001 usesDynamic-link Library Injection MITRE
-
T1018 usesRemote System Discovery MITRE
-
T1210 usesExploitation of Remote Services MITRE
-
T1059.004 usesUnix Shell MITRE
-
T1140 usesDeobfuscate/Decode Files or Information MITRE
-
T1102 usesWeb Service MITRE
-
T1056 usesInput Capture MITRE
Intrusion sets (APT) (1)
-
Kinsing usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Countries (3)
-
Brazil targets
-
China targets
-
United States of America targets
Indicators (68)
-
stix 100/100 Revoked
PUA_Crypto_Mining_CommandLine_Indicators_Oct21 SHA256 of 6296e8ed40e430480791bf7b4fcdafde5f834837
· Valid until 09/12/2024 · Source: AlienVault -
stix 100/100 Revoked· Valid until 03/03/2025 · Source: AlienVault
-
stix 100/100 Revoked
Trojan:Linux/CoinMiner.K SHA256 of 430e3d3bb3a4ebf30b9345b8fc7a2a6cf69ba8a8
· Valid until 09/12/2024 · Source: AlienVault -
stix 100/100 Revoked· Valid until 02/12/2024 · Source: AlienVault
-
rx.unmineable.comindicatesstix 100/100 RevokedCoinMiner
· Valid until 19/12/2024 · Source: AlienVault -
stix 100/100 Revoked
Multios.Coinminer.Miner-6781728-2
· Valid until 02/12/2024 · Source: AlienVault -
stix 100/100 Revoked· Valid until 02/12/2024 · Source: AlienVault
-
stix 100/100 Revoked
crime_h2miner_kinsing
· Valid until 24/02/2025 · Source: AlienVault -
stix 100/100 Revoked
Trojan:Linux/CoinMiner.AF!MTB
· Valid until 03/03/2025 · Source: AlienVault -
http://185.14.30.35/kinsingindicatesstix 100/100 Revoked· Valid until 31/10/2022 · Source: AlienVault -
stix 100/100 Revoked· Valid until 02/12/2024 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 02/12/2024 · Source: AlienVault
Vulnerabilities (CVE) (9)
Oracle WebLogic Server contains an unspecified vulnerability allowing an unauthenticated attacker to perform remote code execution. This vulnerability is related to CVE-2020-14882.
- Published
- 03/11/2021
- Modified
- 20/12/2025
Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to …
- Attack vector
- Network
- Published
- 02/11/2023
- Modified
- 21/12/2025
Oracle WebLogic Server contains an unspecified vulnerability, which is assessed to allow for remote code execution, based on this vulnerability being related …
- Published
- 03/11/2021
- Modified
- 20/12/2025
Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution.
- Published
- 25/04/2022
- Modified
- 20/12/2025
Ignite Realtime Openfire contains a path traversal vulnerability that allows an unauthenticated attacker to access restricted pages in the Openfire Admin Console …
- Attack vector
- Network
- Published
- 24/08/2023
- Modified
- 21/12/2025
The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.
- Published
- 27/06/2022
- Modified
- 20/12/2025
Oracle WebLogic Server contains an unspecified vulnerability in the Console component with high impacts to confidentilaity, integrity, and availability.
- Published
- 03/11/2021
- Modified
- 20/12/2025
GNU C Library's dynamic loader ld.so contains a buffer overflow vulnerability when processing the GLIBC_TUNABLES environment variable, allowing a local attacker to …
- Attack vector
- Local
- Complexity
- LOW
- Published
- 03/10/2023
- Modified
- 15/05/2026
Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code …
- Published
- 02/06/2022
- Modified
- 27/05/2026