F6 Experts Investigate Kinsing Group’s Attacks on Russian Companies

In Q2 2025, researchers identified a wave of cyberattacks targeting Russian companies in the finance, logistics, and telecom sectors. The activity was linked to the Kinsing hacking group—also known as H2Miner and Resourceful Wolf—whose primary objective was to infect victim systems with Kinsing malware and deploy XMRig for cryptocurrency mining.

Analysts at F6 note that while Kinsing has been active since 2019, this year marks its first large-scale campaign against Russian organizations. Historically, the group’s operations have been concentrated in North America, Western Europe, and Asia. In 2024, Russian researchers reported detecting a Kinsing incident but did not disclose the target or its location.

The 2025 Incident
In spring 2025, an F6 client detected an attempted intrusion against its external servers. The client provided F6’s Cyber Intelligence Department with a list of suspicious IP addresses, requesting attribution of the attack.

Following an in-depth investigation—covering compromise indicator analysis, network traffic inspection, correlation with external intelligence sources, and mapping of tactics, techniques, and procedures (TTPs)—F6 experts attributed the activity to Kinsing.

Who is Kinsing?
The group takes its name from the Kinsing malware, a tool it frequently deploys. Kinsing specializes in:

  • Cryptojacking – the unauthorized use of computing resources to mine cryptocurrency, primarily Monero (XMR)
  • Botnet creation and expansion

Unlike many threat actors, Kinsing does not rely on phishing campaigns. Instead, it scans corporate infrastructure for exploitable software vulnerabilities, then leverages them to execute malicious code.

Once an attack succeeds, a malicious script is downloaded to the target system. This script removes any competing cryptominers before installing Kinsing’s own mining payload.

Targets and Impact
Kinsing’s campaigns primarily affect Linux-based corporate servers. Consequences include:

  • Noticeably slower system performance
  • Reduced operational efficiency
  • Accelerated hardware degradation

Expert Commentary

“The case of Kinsing’s attacks on Russian companies clearly demonstrates the need to build defenses even against rare and seemingly distant cyber threats. Cybercriminal groups are not bound by industry or geography—they can turn their tools against targets anywhere, at any time,” says Vladislav Kugan, Cyber Attack Research Analyst at F6’s Threat Intelligence Department.

Key Takeaways

  • Group Profile: Cryptojacking-focused hacking group active since 2019
  • Tactics: Exploits software vulnerabilities; does not use phishing
  • Targets: Primarily Linux servers in finance, logistics, and telecom sectors
  • Impact: System slowdowns, hardware wear, and unauthorized Monero mining
