Kinsing Group Carries Out Large-Scale Attacks on Russian Companies for the First Time


Cybersecurity company F6 (formerly F.A.C.C.T., and Group-IB in Russia) registered a wave of attacks by the Kinsing group on Russian companies in the finance, logistics and telecommunications sectors in the second quarter of 2025.

The aim of these attacks was to infect devices with malicious software for cryptocurrency mining. According to F6, the Kinsing group has been operating outside Russia since 2019, and this year it launched a large-scale offensive against Russian users for the first time.

The company said:

In the spring of 2025, one of the company's clients recorded an attempted cyberattack on its external servers. With a list of the IP addresses from which the attack was carried out, the client turned to the F6 Threat Intelligence department for attribution, to find out who was behind the attack.

As a result of checking Indicators of Compromise (IoCs), analyzing network traffic, correlating with external Threat Intelligence sources, and comparing the identified tactics, techniques, and procedures (TTPs) of the attacker, F6 specialists came across the Kinsing group. This cybercriminal group, named after the malicious software Kinsing, which it actively uses in its attacks, is also known as H2Miner and Resourceful Wolf. The group specializes in cryptojacking - the illegal use of computing resources of infected systems for mining cryptocurrency, mainly Monero (XMR), as well as creating and expanding botnets.

What mainly sets Kinsing apart is that it does not resort to phishing attacks. The attackers scan a company's infrastructure to identify vulnerabilities in software, which they then use to execute malicious code on the system. Kinsing attacks target companies' Linux servers.