Kinsing
Essential information
- Confidence
- 100/100
- Is family
- Yes
- Published
- 06/04/2021 14:22
- Modified
- 27/03/2026 01:06
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Related entities
- 47 attack patterns (mitre), 1 intrusion sets (apt), 3 countries, 68 indicators, 9 vulnerabilities (cve)
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators, intrusion sets and other entities linked to this malware.
Attack patterns (MITRE) (47)
-
T1027 usesObfuscated Files or Information MITRE
-
T1574 usesHijack Execution Flow MITRE
-
T1496 usesResource Hijacking MITRE
-
T1113 usesScreen Capture MITRE
-
T1053.003 usesCron MITRE
-
T1055.001 usesDynamic-link Library Injection MITRE
-
T1018 usesRemote System Discovery MITRE
-
T1210 usesExploitation of Remote Services MITRE
-
T1059.004 usesUnix Shell MITRE
-
T1140 usesDeobfuscate/Decode Files or Information MITRE
-
T1102 usesWeb Service MITRE
-
T1056 usesInput Capture MITRE
Intrusion sets (APT) (1)
-
Kinsing usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Countries (3)
-
Brazil targets
-
China targets
-
United States of America targets
Indicators (68)
-
stix 100/100 Revoked· Valid until 02/12/2024 · Source: AlienVault
-
http://193.178.170.47/kinsingindicatesstix 100/100 Revoked· Valid until 31/10/2022 · Source: AlienVault -
http://195.2.79.26/cf.shindicatesstix 100/100 Revoked· Valid until 25/07/2022 · Source: AlienVault -
http://195.2.84.209/kinsingindicatesstix 100/100 Revoked· Valid until 31/10/2022 · Source: AlienVault -
stix 100/100 Revoked
is__elf
· Valid until 10/09/2022 · Source: AlienVault -
stix 100/100 Revoked· Valid until 02/12/2024 · Source: AlienVault
-
stix 100/100 Revoked
Multios.Coinminer.Miner-6781728-2
· Valid until 05/02/2025 · Source: AlienVault -
stix 100/100 Revoked· Valid until 03/03/2025 · Source: AlienVault
-
http://193.178.170.47/wb.shindicatesstix 100/100 Revoked· Valid until 31/10/2022 · Source: AlienVault -
http://94.103.89.159/wb.shindicatesstix 100/100 Revoked· Valid until 31/10/2022 · Source: AlienVault -
stix 100/100 Revoked
Trojan:Linux/CoinMiner.K SHA256 of ed57d213d1e958d639a8de927ccbbcb431d72eae
· Valid until 09/12/2024 · Source: AlienVault -
stix 100/100 Revoked· Valid until 18/12/2023 · Source: AlienVault
Vulnerabilities (CVE) (9)
Oracle WebLogic Server contains an unspecified vulnerability allowing an unauthenticated attacker to perform remote code execution. This vulnerability is related to CVE-2020-14882.
- Published
- 03/11/2021
- Modified
- 20/12/2025
Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to …
- Attack vector
- Network
- Published
- 02/11/2023
- Modified
- 21/12/2025
Oracle WebLogic Server contains an unspecified vulnerability, which is assessed to allow for remote code execution, based on this vulnerability being related …
- Published
- 03/11/2021
- Modified
- 20/12/2025
Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution.
- Published
- 25/04/2022
- Modified
- 20/12/2025
Ignite Realtime Openfire contains a path traversal vulnerability that allows an unauthenticated attacker to access restricted pages in the Openfire Admin Console …
- Attack vector
- Network
- Published
- 24/08/2023
- Modified
- 21/12/2025
The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.
- Published
- 27/06/2022
- Modified
- 20/12/2025
Oracle WebLogic Server contains an unspecified vulnerability in the Console component with high impacts to confidentilaity, integrity, and availability.
- Published
- 03/11/2021
- Modified
- 20/12/2025
GNU C Library's dynamic loader ld.so contains a buffer overflow vulnerability when processing the GLIBC_TUNABLES environment variable, allowing a local attacker to …
- Attack vector
- Local
- Complexity
- LOW
- Published
- 03/10/2023
- Modified
- 15/05/2026
Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code …
- Published
- 02/06/2022
- Modified
- 27/05/2026