Kinsing
Essential information
- Confidence
- 100/100
- Is family
- Yes
- Published
- 06/04/2021 14:22
- Modified
- 27/03/2026 01:06
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Related entities
- 47 attack patterns (mitre), 1 intrusion sets (apt), 3 countries, 68 indicators, 9 vulnerabilities (cve)
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators, intrusion sets and other entities linked to this malware.
Attack patterns (MITRE) (47)
-
T1057 usesProcess Discovery MITRE
-
T1133 usesExternal Remote Services MITRE
-
T1564 usesHide Artifacts MITRE
-
T1610 usesDeploy Container MITRE
-
T1083 usesFile and Directory Discovery MITRE
-
T1543 usesCreate or Modify System Process MITRE
-
T1136 usesCreate Account MITRE
-
T1219 usesRemote Access Tools MITRE
-
T1222.002 usesLinux and Mac File and Directory Permissions Modification MITRE
-
T1127 usesTrusted Developer Utilities Proxy Execution MITRE
-
T1552 usesUnsecured Credentials MITRE
-
T1053 usesScheduled Task/Job MITRE
Intrusion sets (APT) (1)
-
Kinsing usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Countries (3)
-
Brazil targets
-
China targets
-
United States of America targets
Indicators (68)
-
http://195.2.85.171/wb.shindicatesstix 100/100 Revoked· Valid until 31/10/2022 · Source: AlienVault -
http://202.28.229.174/kikindicatesstix 100/100 Revoked· Valid until 25/07/2022 · Source: AlienVault -
stix 100/100 Revoked· Valid until 02/12/2024 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 03/03/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 02/12/2024 · Source: AlienVault
-
http://185.191.32.198/cf.shindicatesstix 100/100 Revoked· Valid until 25/07/2022 · Source: AlienVault -
stix 100/100 Revoked· Valid until 03/03/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 02/12/2024 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 03/03/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 03/03/2025 · Source: AlienVault
-
http://195.2.79.26/kinsingindicatesstix 100/100 Revoked· Valid until 31/10/2022 · Source: AlienVault
Vulnerabilities (CVE) (9)
Oracle WebLogic Server contains an unspecified vulnerability allowing an unauthenticated attacker to perform remote code execution. This vulnerability is related to CVE-2020-14882.
- Published
- 03/11/2021
- Modified
- 20/12/2025
Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to …
- Attack vector
- Network
- Published
- 02/11/2023
- Modified
- 21/12/2025
Oracle WebLogic Server contains an unspecified vulnerability, which is assessed to allow for remote code execution, based on this vulnerability being related …
- Published
- 03/11/2021
- Modified
- 20/12/2025
Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution.
- Published
- 25/04/2022
- Modified
- 20/12/2025
Ignite Realtime Openfire contains a path traversal vulnerability that allows an unauthenticated attacker to access restricted pages in the Openfire Admin Console …
- Attack vector
- Network
- Published
- 24/08/2023
- Modified
- 21/12/2025
The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.
- Published
- 27/06/2022
- Modified
- 20/12/2025
Oracle WebLogic Server contains an unspecified vulnerability in the Console component with high impacts to confidentilaity, integrity, and availability.
- Published
- 03/11/2021
- Modified
- 20/12/2025
GNU C Library's dynamic loader ld.so contains a buffer overflow vulnerability when processing the GLIBC_TUNABLES environment variable, allowing a local attacker to …
- Attack vector
- Local
- Complexity
- LOW
- Published
- 03/10/2023
- Modified
- 15/05/2026
Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code …
- Published
- 02/06/2022
- Modified
- 27/05/2026