Case of ActiveMQ Vulnerability Exploitation to Install Sharpire (Kinsing)
Essential information
- Published
- 31/10/2025 09:30
- Modified
- 31/10/2025 10:56
- Tags
- 2025-10-31 CVE-2023-46604 activemq cobaltstrike cryptocurrency mining h2miner meterpreter powershell empire sharpire vulnerability exploitation xmrig
- Related entities
- 2 vulnerabilities (cve), 4 observables, 1 intrusion sets (apt), 2 techniques (mitre), 5 malware, 2 others
Description
The Kinsing threat actor continues to distribute malware by exploiting known vulnerabilities, particularly CVE-2023-46604 in ActiveMQ. They target both Linux and Windows systems, using various malware types including XMRig, Stager, and Sharpire. The attack process involves exploiting the ActiveMQ vulnerability to execute remote commands, installing downloaders, and using tools like CobaltStrike, Meterpreter, and PowerShell Empire to control infected systems. The actor's main objectives include cryptocurrency mining, information theft, and potential ransomware installation. The vulnerability has also been exploited by other groups such as Andariel, HelloKitty, and Mauri ransomware. Organizations are advised to apply security updates to mitigate the risk.