The aim of the attacks was to infect devices with malicious software for cryptocurrency mining.
Cybersecurity company F6 (formerly F.A.C.C.T., and Group-IB in Russia) registered a wave of attacks by the Kinsing group on Russian companies in the finance, logistics and telecommunications sectors in the second quarter of 2025.
According to F6, the Kinsing group has been operating outside Russia since 2019, and this year it launched a large-scale offensive against Russian users for the first time.
The company said:
In the spring of 2025, one of the company's clients recorded a cyberattack attempt on its external servers. With a list of IP addresses from which the attack was carried out, the client turned to the cyber intelligence (Threat Intelligence) department of F6 for attribution, to find out who was behind the attack.
As a result of checking Indicators of Compromise (IoCs), analyzing network traffic, correlating with external Threat Intelligence sources and comparing the identified tactics, techniques and procedures (TTPs) of the attacker, F6 specialists came across the Kinsing group. This cybercriminal group, named after the Kinsing malware, which it actively uses in its attacks, is also known as H2Miner and Resourceful Wolf. The group specializes in cryptojacking (the illegal use of computing resources of infected systems to mine cryptocurrency, mainly Monero (XMR)), as well as the creation and expansion of botnets.
What mainly sets Kinsing apart is that it does not resort to phishing attacks. The attackers scan a company's infrastructure to identify vulnerabilities in its software, which they then use to execute malicious code on the system. Kinsing attacks target companies' Linux servers.