
F6 researchers analyzed Kinsing group attacks against Russian companies

In the second quarter of 2025, researchers observed a wave of attacks against Russian companies in the finance, logistics, and telecom sectors. Behind these attacks was the Kinsing hacking group (aka H2Miner and Resourceful Wolf), whose goal was to infect victims’ devices with Kinsing and XMRig malware for cryptocurrency mining.

F6 analysts say the group has been active since 2019, but this year it has carried out large-scale attacks on Russian users for the first time.

Previously, most Kinsing attacks were recorded in North America, Western Europe, and Asia. In 2024, Russian researchers reported the discovery of a Kinsing attack, but did not specify its target or geographic location.

In the spring of 2025, one of F6’s clients recorded an attempted cyberattack against its external servers. Armed with a list of IP addresses from which the attack was conducted, the client turned to F6’s cyber intelligence department for attribution — that is, to determine who was behind the attack.

As a result of a thorough examination of indicators of compromise, analysis of network traffic, correlation with external sources, and mapping of the observed tactics, techniques, and procedures, the specialists zeroed in on the Kinsing group.

The hacker group took its name from the Kinsing malware, which it actively uses in its attacks. Kinsing specializes in cryptojacking—the illicit use of infected systems’ computing resources to mine cryptocurrencies, primarily Monero (XMR)—as well as in creating and expanding botnets.

The researchers report that, unlike most other groups, Kinsing does not resort to phishing attacks. Instead, the attackers scan the company’s infrastructure to identify software vulnerabilities that are then used to execute malicious code.

If an attack on the victim’s device succeeds, a malicious script is downloaded and launched. The script searches for competing miners, removes any it finds, and installs the group’s miner.

Kinsing attacks are mainly aimed at companies’ Linux server systems. Infection with a cryptominer can cause slowdowns and reduced performance, and accelerate equipment wear.

“The case of Kinsing attacks against Russian companies clearly demonstrates the need to build defenses even against the rarest and most exotic cyberthreats. Cybercriminal groups are not confined to specific industries or regions. At any moment, they can turn their weapons against users anywhere in the world,” comments Vladislav Kugan, an analyst with the Cyberattack Research Department of F6’s Threat Intelligence division.
