F6 researchers analyzed Kinsing group attacks against Russian companies

📟 News

Date: 16/08/2025

In the second quarter of 2025, researchers observed a wave of attacks against Russian companies in the finance, logistics, and telecom sectors. Behind these attacks was the Kinsing hacking group (aka H2Miner and Resourceful Wolf), whose goal was to infect victims’ devices with Kinsing and XMRig malware for cryptocurrency mining.

F6 analysts say the group has been active since 2019, but this year it has carried out large-scale attacks on Russian users for the first time.

Previously, most Kinsing attacks were recorded in North America, Western Europe, and Asia. In 2024, Russian researchers reported the discovery of a Kinsing attack, but did not specify its target or geographic location.

In the spring of 2025, one of F6’s clients recorded an attempted cyberattack against its external servers. Armed with a list of IP addresses from which the attack was conducted, the client turned to F6’s cyber intelligence department for attribution — that is, to determine who was behind the attack.

As a result of a thorough examination of indicators of compromise, analysis of network traffic, correlation with external sources, and mapping of the observed tactics, techniques, and procedures, the specialists zeroed in on the Kinsing group.

The hacker group took its name from the Kinsing malware, which it actively uses in its attacks. Kinsing specializes in cryptojacking—the illicit use of infected systems’ computing resources to mine cryptocurrencies, primarily Monero (XMR)—as well as in creating and expanding botnets.

The researchers report that, unlike most other groups, Kinsing does not use phishing. Instead, the attackers scan the target's internet-facing infrastructure for vulnerable software and exploit those vulnerabilities to execute malicious code.

If the exploit succeeds, a malicious script is downloaded and executed on the victim's device. The script searches for competing miners, kills any it finds, and then installs the group's own miner.

Kinsing attacks are mainly aimed at companies' Linux servers. A cryptominer infection degrades performance, slows the services running on the host, and accelerates hardware wear.
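The article describes the observable side of this behaviour: a miner process (Kinsing or XMRig) running on a Linux server and consuming CPU. The triage script below is an added example, not code from F6 or from the report; it parses `ps` output and flags processes by three heuristics. The miner names are the two the article gives (kinsing, xmrig); the `stratum+tcp://` URL scheme is the mining-pool protocol XMRig is launched with via `-o`/`--url`; the 80% CPU threshold and the sample `ps` output are constructed for the example and are not indicators from the report.

```python
"""Flag likely cryptominer processes from `ps` output (added example).

Assumptions not taken from the F6 report: miner names are limited to the
two named in the article; stratum+tcp:// is the XMRig pool URL scheme;
the CPU threshold is an arbitrary triage knob; SAMPLE_PS_OUTPUT is
constructed, not captured telemetry."""
import re
import subprocess
from dataclasses import dataclass, field

# Process/command names the article ties to this campaign (substring match, lower-case).
KNOWN_MINER_NAMES = ("kinsing", "xmrig")
# Mining-pool URL scheme passed on the XMRig command line (-o / --url).
STRATUM_RE = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)
# Layout produced by: ps -eo pid,pcpu,comm,args --no-headers
PS_LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)\s*(.*)$")


@dataclass
class Finding:
    pid: int
    comm: str
    pcpu: float
    args: str
    reasons: list = field(default_factory=list)


def scan_ps_output(ps_output: str, cpu_threshold: float = 80.0) -> list:
    """Return one Finding per process that matches any miner heuristic."""
    findings = []
    for line in ps_output.splitlines():
        m = PS_LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the triage
        pid, pcpu, comm, args = int(m.group(1)), float(m.group(2)), m.group(3), m.group(4)
        reasons = []
        lowered = f"{comm} {args}".lower()
        for name in KNOWN_MINER_NAMES:
            if name in lowered:
                reasons.append(f"known miner name '{name}'")
        if STRATUM_RE.search(args):
            reasons.append("stratum mining-pool URL on command line")
        if pcpu >= cpu_threshold:
            reasons.append(f"CPU {pcpu:.1f}% >= {cpu_threshold:.0f}%")
        if reasons:
            findings.append(Finding(pid, comm, pcpu, args, reasons))
    return findings


def scan_live_host(cpu_threshold: float = 80.0) -> list:
    """Run the same check against the local host (GNU procps ps)."""
    out = subprocess.run(
        ["ps", "-eo", "pid,pcpu,comm,args", "--no-headers"],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_ps_output(out, cpu_threshold)


# Constructed sample; wallet and pool host are placeholders, not real indicators.
SAMPLE_PS_OUTPUT = """\
  412  0.1 sshd            /usr/sbin/sshd -D
 1303  0.3 nginx           nginx: worker process
 2210 96.4 xmrig           /tmp/xmrig -o stratum+tcp://pool.invalid:3333 -u WALLET --donate-level 1
 2288 12.0 kinsing         /tmp/kinsing
 3050 88.2 .x              /var/tmp/.x
 4100  0.0 bash            bash
"""

if __name__ == "__main__":
    for f in scan_ps_output(SAMPLE_PS_OUTPUT):
        print(f"pid {f.pid} ({f.comm}): " + "; ".join(f.reasons))
```

The name and stratum checks catch the obvious cases; the CPU check is what catches a renamed binary such as the `.x` process in the sample. Because the article says the dropper kills competing miners, finding only one miner on a host is expected and does not mean the host was hit once.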

“The case of Kinsing attacks against Russian companies clearly demonstrates the need to build defenses even against the rarest and most exotic cyberthreats. Cybercriminal groups are not confined to specific industries or regions. At any moment, they can turn their weapons against users anywhere in the world,” comments Vladislav Kugan, an analyst with the Cyberattack Research Department of F6’s Threat Intelligence division.
