The Return of the Kinsing
Essential information
- Published: 26/03/2026 18:34
- Modified: 27/03/2026 00:10
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: activemq cve-2023-38646 cve-2023-46604 cve-2025-55182 go kinsing linux metabase react2shell
- Tags: 2026-03-26 CVE-2023-38646 CVE-2023-46604 CVE-2025-55182 activemq go kinsing linux metabase react2shell
- Related entities: 3 vulnerabilities (cve), 5 indicators, 5 observables, 1 intrusion sets (apt), 10 techniques (mitre)
Description
An analysis by the Canary Intelligence team revealed a resurgence of the Kinsing malware, which exploits three CVEs: CVE-2023-46604 (ActiveMQ), CVE-2023-38646 (Metabase), and CVE-2025-55182 (React2Shell). The attacks, originating from IP 212.113.98.30, converged on a shared staging host at 78.153.140.16. The malware's tactics include downloading and installing a Go-based Linux binary and a stealthy libsystem.so component. The exploitation methods involve retrieving and executing malicious scripts, which leads to the installation of Kinsing's core components. This cluster of activity demonstrates how older malware families can remain relevant by exploiting new vulnerabilities without significantly changing their core binaries.