The Return of the Kinsing

Published 26/03/2026 18:34 · Modified 27/03/2026 00:10

Essential information

Published: 26/03/2026 18:34
Modified: 27/03/2026 00:10
Source / Author: AlienVault
Confidence: 100/100
Report type(s): threat-report
Labels / Tags: activemq cve-2023-38646 cve-2023-46604 cve-2025-55182 go kinsing linux metabase react2shell
Tags: 2026-03-26 CVE-2023-38646 CVE-2023-46604 CVE-2025-55182 activemq go kinsing linux metabase react2shell
Related entities: 3 vulnerabilities (cve), 5 indicators, 5 observables, 1 intrusion sets (apt), 10 techniques (mitre)

Description

A Canary Intelligence team analysis revealed the resurgence of the malware, exploiting three CVEs: (), (), and (). The attacks, originating from IP 212.113.98.30, converged on a shared staging host at 78.153.140.16. The malware's tactics include downloading and installing a -based binary and a stealthy libsystem.so component. The exploitation methods involve retrieving and executing malicious scripts, leading to the installation of 's core components. This cluster of activity demonstrates how older malware families can remain relevant by exploiting new vulnerabilities without significantly changing their core binaries.
