The Orangeworm attack group is distributing a custom backdoor, Trojan.Kwampirs. While its motives are not yet entirely clear, Orangeworm appears to be attacking large international corporations in an attempt to gain access to critical organizational and customer information. The group, which has previously conducted targeted attacks against organizations in various industries, now primarily targets the healthcare sector in the United States, Europe, and Asia.

The Kwampirs trojan serves as a backdoor and gives Orangeworm remote access to the machines it has compromised. The trojan first establishes persistence by installing itself as a service, so that its main payload is loaded again on every system reboot. Kwampirs then collects information about the compromised machine to determine whether it is of interest to the attackers. If it is, the trojan propagates through the network, copying itself over network shares and infecting as many machines as it can reach. It also connects to its command and control (C2) servers, most likely to exfiltrate the victim's information.
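As an added illustration, not code from ThreatSTOP or from the research this post summarises, the following Python correlates the three behaviours described above (service-based persistence at boot, copying a payload to other hosts over administrative network shares, and DNS lookups for a known C2 domain) across a handful of constructed log lines. The log format, host names, service name, file paths and the `update.example-c2.test` domain are all made up for the example; the `C2_DOMAINS` set stands in for a threat-intelligence block list of the kind a ThreatSTOP domain target provides.

```python
"""Correlate persistence, lateral copy and C2 behaviour per host from simple log lines.

Added example for this post; the log schema and every value in SAMPLE_LOGS are
constructed, not real Kwampirs telemetry or indicators.
"""
import re
from collections import defaultdict
from posixpath import basename  # works on backslash paths after normalisation below

# Constructed sample telemetry: "<timestamp> <host> <event_type> key=value ...".
SAMPLE_LOGS = r"""
2018-04-23T10:01:02Z ws-01 service_installed name=svcUpdater image=C:\Windows\System32\svchost_ext.exe
2018-04-23T10:01:10Z ws-01 smb_write dest=\\ws-02\ADMIN$\System32\svchost_ext.exe
2018-04-23T10:01:11Z ws-01 smb_write dest=\\ws-03\ADMIN$\System32\svchost_ext.exe
2018-04-23T10:02:00Z ws-01 dns_query qname=update.example-c2.test
2018-04-23T10:05:00Z ws-02 service_installed name=svcUpdater image=C:\Windows\System32\svchost_ext.exe
2018-04-23T10:06:00Z ws-02 dns_query qname=update.example-c2.test
2018-04-23T11:00:00Z ws-09 service_installed name=BackupAgent image=C:\ProgramData\Backup\agent.exe
2018-04-23T11:00:05Z ws-09 dns_query qname=www.example.com
"""

# Stand-in for a threat-intelligence block list (hypothetical domain).
C2_DOMAINS = {"update.example-c2.test"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<etype>\S+) (?P<details>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
# UNC path to a remote administrative share: \\<target>\ADMIN$\... or \\<target>\C$\...
ADMIN_SHARE_RE = re.compile(r"^\\\\(?P<target>[^\\]+)\\(ADMIN\$|C\$)\\", re.IGNORECASE)


def parse_events(text):
    """Turn log lines into dicts; lines that do not match the schema are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev.update(dict(KV_RE.findall(ev.pop("details"))))
        events.append(ev)
    return events


def correlate(events, c2_domains):
    """Score each host on the three behaviours and flag hosts showing at least two."""
    per_host = defaultdict(lambda: {"persistence": set(), "lateral": set(),
                                    "copied": set(), "c2": set()})
    for ev in events:
        h = per_host[ev["host"]]
        if ev["etype"] == "service_installed":
            # New service: the persistence mechanism described in the post.
            h["persistence"].add(basename(ev.get("image", "").replace("\\", "/")))
        elif ev["etype"] == "smb_write":
            # Write to another host's admin share: propagation over network shares.
            m = ADMIN_SHARE_RE.match(ev.get("dest", ""))
            if m and m.group("target").lower() != ev["host"].lower():
                h["lateral"].add(m.group("target"))
                h["copied"].add(basename(ev["dest"].replace("\\", "/")))
        elif ev["etype"] == "dns_query":
            # Lookup of a block-listed domain: C2 contact.
            q = ev.get("qname", "").lower().rstrip(".")
            if q in c2_domains:
                h["c2"].add(q)

    findings = {}
    for host, h in per_host.items():
        score = bool(h["persistence"]) + bool(h["lateral"]) + bool(h["c2"])
        findings[host] = {
            "score": score,
            "flag": score >= 2,
            "lateral_targets": sorted(h["lateral"]),
            "c2_domains": sorted(h["c2"]),
            # True when the file copied to other hosts is the same binary the
            # local service loads, i.e. the persisted payload is being spread.
            "payload_spread": bool(h["persistence"] & h["copied"]),
        }
    return findings


def analyze_sample():
    """Run the correlation over the constructed sample; returns per-host findings."""
    return correlate(parse_events(SAMPLE_LOGS), C2_DOMAINS)


if __name__ == "__main__":
    for host, f in sorted(analyze_sample().items()):
        print(host, "FLAG" if f["flag"] else "ok", f)
```

A single service installation is routine, so only the combination of behaviours raises a flag: in the sample, the host that installs a service, copies the same binary to two peers' ADMIN$ shares and resolves the block-listed domain scores 3, the peer that then installs the same service and calls out scores 2, and the host that merely installs an unrelated backup agent is left alone.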

In recent attacks, Kwampirs has been found on machines that control X-ray and MRI equipment, as well as on machines holding patients' personal information. Besides healthcare, Orangeworm also targets manufacturing, information technology, agriculture, and logistics organizations.

ThreatSTOP protects its customers against the Kwampirs trojan. To ensure you are protected, make sure that the TS Originated - Core Threats - IPs and TS Originated - Core Threats - Domains targets are enabled in your policy.


If you do not have a ThreatSTOP account and would like to learn more, sign up for a quick demo.