(vulncheck.com) Kinsing Botnet Expands Exploit Arsenal with CVE-2025-55182 Alongside Legacy CVEs on Shared Infrastructure
The Kinsing botnet has expanded its exploit arsenal with CVE-2025-55182 (React2Shell) alongside CVE-2023-46604 (ActiveMQ) and CVE-2023-38646 (Metabase), all converging on shared infrastructure (212.113.98.30 → 78.153.140.16). It uses an in-memory bash stager (/dev/tcp) for CVE-2025-55182, along with the classic Go-based miner and the libsystem.so rootkit (ld.so.preload). MD5s: b3039abf2ad5202f4a9363b418002351 (kinsing), ccef46c7edf9131ccffc47bd69eb743b (rootkit).
Source: https://www.vulncheck.com/blog/return-of-the-kinsing

The Return of the Kinsing
Canary Intelligence linked exploitation of CVE-2023-46604, CVE-2023-38646, and CVE-2025-55182 to the same Kinsing infrastructure, including a shared staging host and attacker IP first seen in the canary network on March 12, 2026. The research shows how an older malware family is still adapting by adding new exploit paths while continuing to rely on established infrastructure.
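
A host-triage check for the artifacts named above (a libsystem.so entry in ld.so.preload and the two MD5s), as an added example that is not taken from VulnCheck's post. The `/etc/ld.so.preload` location and the `root` parameter for scanning a mounted image are assumptions of this example.

```python
import hashlib
import re
from pathlib import Path

# MD5 values and rootkit file name as given on this page.
KNOWN_MD5 = {
    "b3039abf2ad5202f4a9363b418002351": "kinsing",
    "ccef46c7edf9131ccffc47bd69eb743b": "rootkit",
}
ROOTKIT_NAME = "libsystem.so"


def preload_entries(text):
    """Split ld.so.preload content: whitespace/colon separated, '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries


def md5_label(path, known=KNOWN_MD5):
    """Return the label if the file's MD5 is in `known`, else None."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return known.get(digest.hexdigest())


def triage(preload_path="/etc/ld.so.preload", root="/"):
    """Return (entry, name_match, md5_label) per preload entry.

    `root` lets the check run against a mounted disk image (assumption:
    the image is mounted read-only at that path).
    """
    preload = Path(root) / preload_path.lstrip("/")
    if not preload.is_file():
        return []
    rows = []
    for entry in preload_entries(preload.read_text(errors="replace")):
        target = Path(root) / entry.lstrip("/")
        label = md5_label(target) if target.is_file() else None
        rows.append((entry, Path(entry).name == ROOTKIT_NAME, label))
    return rows


if __name__ == "__main__":
    for row in triage():
        print(row)
```

A library loaded through ld.so.preload is mapped into every dynamically linked process, including the Python interpreter, so prefer running this against a read-only mounted image via `root=`.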