{
	"id": "fa72788e-5a0d-4332-9b19-66c37cb948ca",
	"created_at": "2026-04-06T00:13:05.840997Z",
	"updated_at": "2026-04-10T13:12:18.56551Z",
	"deleted_at": null,
	"sha1_hash": "f0e1acdaa3f335a3a7022a5d0a49bd69d5b7b31f",
	"title": "Threat Actors Exploit Misconfigured Apache Hadoop YARN",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71447,
	"plain_text": "Threat Actors Exploit Misconfigured Apache Hadoop YARN\r\nBy: Alfredo Oliveira, David Fiser | Jul 27, 2021 | Read time: 5 min (1372 words)\r\nPublished: 2021-07-27 · Archived: 2026-04-05 13:13:05 UTC\r\nTo examine this risk, we experimented with exposing such services in the wild. We then learned that it didn’t take long for threat actors to find the exposed service and deploy various malicious payloads. In the following section, we discuss the malware families targeting exposed YARN services.\r\nPayloads deployed in the attacks: Kinsing and other cryptojacking malware\r\nAs cryptojacking malware is known to be one of the dominant and most common payloads for Linux environments, it is no surprise that it was deployed on the YARN service as well. In this case, the payload belongs to a well-known malware family — Kinsing (detected as Trojan.Linux.KINSING.AB and Trojan.SH.KINSING.G).\r\nAt the onset of the attack, the threat actors send commands to the exposed service via an HTTP POST request. As an unintended consequence, YARN then creates a launch script that incorporates the attackers’ commands.\r\nOnce the Hadoop container script is executed, it downloads a remote script that deploys the Kinsing malware. It also deploys a Go-compiled binary with spreading capability. This binary communicates with the remote command-and-control (C\u0026C) server, providing a backdoor to the infected system as well as deploying the known Kinsing cryptojacking process called kdevtmpfsi.\r\nNotably, Kinsing is not the only cryptojacking malware found there. The cryptocurrency mining arena remains a battlefield for resources. We found a competing cryptojacking malware in Hadoop YARN as well. 
This competing malware then proceeds to eradicate Kinsing from the system.\r\nWhat are the tactics used in these attacks?\r\nThreat actors aiming to exploit these misconfigured cloud services commonly employ several tactics.\r\nFirst, threat actors disable the system’s protection. As security solutions for cloud services become more popular in enterprises, threat actors adapt by searching for and attempting to uninstall protection software. This functionality is common in cryptojacking malware.\r\nThreat actors also gather credentials. With the ever-increasing variety of platforms that require authentication for access, the need for access tokens and so-called secrets — sensitive information such as credentials used to access systems — also grows. It’s not uncommon for users who have a hard time keeping track of them to save these on the machines where they are used. Sadly, this is done without any additional protection. Threat actors are aware of this, and those who successfully access the systems actively seek these unshielded credentials.\r\nhttps://www.trendmicro.com/en_us/research/21/g/threat-actors-exploit-misconfigured-apache-hadoop-yarn.html\r\nPage 1 of 10\n\nAnd of course, they don’t stop with harvesting: they also use these credentials to gain entry into other systems — even non-cloud ones — to infect them. We have similarly observed this behavior in our previous research on TeamTNT. With this, it can be deduced that threat actors try to infiltrate as many systems as possible to maximize their gains.\r\nIt should be emphasized that if the private key that the threat actors used for accessing another system is protected by its owner with at least a passphrase encrypting the key, the infection of the target system will be unsuccessful. 
This highlights the importance of employing such security precautions.\r\nFinally, as we shared in our previous research on the Linux threat landscape, we found that it is quite common for threats to spread from one infected device to another. To do this, threat actors use port scanning tools such as masscan to identify exposed and vulnerable services. Once these services are identified, the threat actors try to deploy their payload.\r\nSince the Hadoop YARN service can also run on Windows, threats crafted for that platform can also be found in the cluster.\r\nStrengthening cloud service security\r\nAs reliance on online systems continues to grow, cloud services are becoming a vital part of enterprises. Cloud security should not be taken for granted. Here are some recommendations:\r\nDeliberately configure cloud services. Users can maximize the built-in security settings afforded by these platforms.\r\nEmploy the principle of least privilege. Here, users are granted only the minimum amount of access required for their task.\r\nAdhere to the shared responsibility model. Users, and not just cloud service providers, are responsible for keeping these platforms secure.\r\nDon’t store credentials in plaintext; consider using secret vaults. These store secrets in encrypted form. They can also be used to alter secrets from one place and reflect that modification to multiple applications without the need for a code change.\r\nCloud security solutions, such as Trend Micro Cloud One™, help enterprises secure cloud services. 
The platform includes:\r\nWorkload Security: runtime protection for workloads\r\nContainer Security: automated container image and registry scanning\r\nFile Storage Security: security for cloud file and object storage services\r\nNetwork Security: cloud network layer IPS security\r\nApplication Security: security for serverless functions, APIs, and applications\r\nConformity: real-time protection for cloud infrastructure — secure, optimize, comply\r\nIndicators of Compromise\r\nSource: https://www.trendmicro.com/en_us/research/21/g/threat-actors-exploit-misconfigured-apache-hadoop-yarn.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/g/threat-actors-exploit-misconfigured-apache-hadoop-yarn.html"
	],
	"report_names": [
		"threat-actors-exploit-misconfigured-apache-hadoop-yarn.html"
	],
	"threat_actors": [
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434385,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0e1acdaa3f335a3a7022a5d0a49bd69d5b7b31f.pdf",
		"text": "https://archive.orkl.eu/f0e1acdaa3f335a3a7022a5d0a49bd69d5b7b31f.txt",
		"img": "https://archive.orkl.eu/f0e1acdaa3f335a3a7022a5d0a49bd69d5b7b31f.jpg"
	}
}