{
	"id": "68940ced-1237-4020-bd5c-9702dc946d56",
	"created_at": "2026-04-06T01:30:41.295542Z",
	"updated_at": "2026-04-10T03:28:03.444867Z",
	"deleted_at": null,
	"sha1_hash": "755ff5be672151c84520f6583e918801d8a2cf13",
	"title": "New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58312,
	"plain_text": "New Orangeworm attack group targets the healthcare sector in the\r\nU.S., Europe, and Asia\r\nBy About the Author\r\nArchived: 2026-04-06 00:31:57 UTC\r\nSymantec has identified a previously unknown group called Orangeworm that has been observed installing a\r\ncustom backdoor called Trojan.Kwampirs within large international corporations that operate within the\r\nhealthcare sector in the United States, Europe, and Asia.\r\nFirst identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related\r\nindustries as part of a larger supply-chain attack in order to reach their intended victims. Known victims include\r\nhealthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that\r\nserve the healthcare industry, likely for the purpose of corporate espionage.\r\nSights set on healthcare\r\nBased on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic\r\nhacking. Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of\r\nplanning before launching an attack.\r\nFigure 1. Nearly 40 percent of Orangeworm’s victims operate within the healthcare industry\r\nFigure 1. Nearly 40 percent of Orangeworm’s victims operate within the healthcare industry\r\nAccording to Symantec telemetry, almost 40 percent of Orangeworm’s confirmed victim organizations operate\r\nwithin the healthcare industry. The Kwampirs malware was found on machines which had software installed for\r\nthe use and control of high-tech imaging devices such as X-Ray and MRI machines. Additionally, Orangeworm\r\nwas observed to have an interest in machines used to assist patients in completing consent forms for required\r\nprocedures. The exact motives of the group are unclear.\r\nFigure 2. The biggest number of Orangeworm’s victims are located in the U.S.\r\nFigure 2. 
The biggest number of Orangeworm’s victims are located in the U.S.\r\nThe biggest number of Orangeworm’s victims are located in the U.S., accounting for 17 percent of the infection\r\nrate by region. While Orangeworm has impacted only a small set of victims in 2016 and 2017 according to\r\nSymantec telemetry, we have seen infections in multiple countries due to the nature of the victims operating large\r\ninternational corporations.\r\nHealthcare providers caught in the crosshairs\r\nhttps://symantec-blogs.broadcom.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia\r\nPage 1 of 4\n\nWe believe that these industries have also been targeted as part of a larger supply-chain attack in order for\r\nOrangeworm to get access to their intended victims related to healthcare. Orangeworm’s secondary targets include\r\nManufacturing, Information Technology, Agriculture, and Logistics. While these industries may appear to be\r\nunrelated, we found them to have multiple links to healthcare, such as large manufacturers that produce medical\r\nimaging devices sold directly into healthcare firms, IT organizations that provide support services to medical\r\nclinics, and logistical organizations that deliver healthcare products.\r\nPost-compromise activities\r\nOnce Orangeworm has infiltrated a victim’s network, the group deploys Trojan.Kwampirs, a backdoor Trojan that\r\nprovides the attackers with remote access to the compromised computer.\r\nWhen executed, Kwampirs decrypts and extracts a copy of its main DLL payload from its resource section. 
Before\r\nwriting the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an\r\nattempt to evade hash-based detections.\r\nFor persistence, Kwampirs creates a service with the following configuration so that the main\r\npayload is loaded into memory on system reboot:\r\nThe backdoor also collects some rudimentary information about the compromised computer including some basic\r\nnetwork adapter information, system version information, and language settings.\r\nOrangeworm likely uses this information to determine whether the system is used by a researcher or if the victim\r\nis a high-value target. Once Orangeworm determines that a potential victim is of interest, it proceeds to\r\naggressively copy the backdoor across open network shares to infect other computers.\r\nIt may copy itself to the following hidden file shares:\r\nADMIN$\r\nC$WINDOWS\r\nD$WINDOWS\r\nE$WINDOWS\r\nInformation gathering\r\nAt this point, the attackers proceed to gather as much additional information about the victim’s network as\r\npossible, including any information pertaining to recently accessed computers, network adapter information,\r\navailable network shares, mapped drives, and files present on the compromised computer.\r\nWe have observed the attackers executing the following commands within victim environments:\r\n\n\nNo concern about being discovered\r\nKwampirs uses a fairly aggressive means to propagate itself once inside a victim's network by copying itself over\r\nnetwork shares. 
While this method is considered somewhat old, it may still be viable for environments that run\r\nolder operating systems such as Windows XP. This method has likely proved effective within the healthcare\r\nindustry, which may run legacy systems on older platforms designed for the medical community. Older systems\r\nlike Windows XP are much more likely to be prevalent within this industry.\r\nAdditionally, once infected, the malware cycles through a large list of command and control (C\u0026C) servers\r\nembedded within the malware. While the list is extensive, it appears that not all of the C\u0026Cs are active, and the malware continues to\r\nbeacon until a successful connection is established. Despite modifying a small part of itself while copying itself\r\nacross the network as a means to evade detection, the operators have made no effort to change the C\u0026C\r\ncommunication protocol since its first inception.\r\nBoth of these methods are considered particularly “noisy” and may indicate that Orangeworm is not overly\r\nconcerned with being discovered. 
The fact that little has changed with the internals of Kwampirs since its first\r\ndiscovery may also indicate that previous mitigation methods against the malware have been unsuccessful, and\r\nthat the attackers have been able to reach their intended targets despite defenders being aware of their presence\r\nwithin their network.\r\nNo hallmarks of a nation-state actor\r\nWhile Orangeworm is known to have been active for at least several years, we do not believe that the group bears\r\nany hallmarks of a state-sponsored actor—it is likely the work of an individual or a small group of individuals.\r\nThere are currently no technical or operational indicators to ascertain the origin of the group.\r\nProtection\r\nSymantec customers are protected against Orangeworm and Symantec has also made efforts to notify identified\r\ntargets of its operations.\r\nCustomers with Intelligence Services or WebFilter-enabled products are protected against activity associated with\r\nthe Orangeworm group. 
These products include:\r\nWeb Security Service (WSS)\r\nProxySG\r\nAdvanced Secure Gateway (ASG)\r\nSecurity Analytics\r\nContent Analysis\r\nMalware Analysis\r\nSSL Visibility\r\nPacketShaper\r\n\n\nSymantec has the following specific detections in place for tools used by Orangeworm:\r\nAnti-virus (AV):\r\nTrojan.Kwampirs\r\nIntrusion prevention system (IPS):\r\nSystem Infected: Trojan.Kwampirs Activity\r\nSystem Infected: Trojan.Kwampirs Activity 2\r\nSystem Infected: Trojan.Kwampirs Activity 4\r\nIndicators of Compromise\r\nThreat Hunter Team\r\nSymantec and Carbon Black\r\nSource: https://symantec-blogs.broadcom.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
	],
	"report_names": [
		"orangeworm-targets-healthcare-us-europe-asia"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c4acd072-595e-4d33-9ce9-bbf41010bb1a",
			"created_at": "2023-01-06T13:46:38.751893Z",
			"updated_at": "2026-04-10T02:00:03.088252Z",
			"deleted_at": null,
			"main_name": "Orangeworm",
			"aliases": [],
			"source_name": "MISPGALAXY:Orangeworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3e0bc1b7-0dd7-444a-964b-64dfb5145c8f",
			"created_at": "2022-10-25T15:50:23.413202Z",
			"updated_at": "2026-04-10T02:00:05.388465Z",
			"deleted_at": null,
			"main_name": "Orangeworm",
			"aliases": [
				"Orangeworm"
			],
			"source_name": "MITRE:Orangeworm",
			"tools": [
				"Kwampirs",
				"netstat",
				"ipconfig",
				"cmd",
				"Arp",
				"Systeminfo"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6a60b1ba-609f-4bed-b15b-3ffc050d2ac6",
			"created_at": "2022-10-25T16:07:24.033083Z",
			"updated_at": "2026-04-10T02:00:04.846068Z",
			"deleted_at": null,
			"main_name": "Orangeworm",
			"aliases": [
				"G0071"
			],
			"source_name": "ETDA:Orangeworm",
			"tools": [
				"Kwampirs",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439041,
	"ts_updated_at": 1775791683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/755ff5be672151c84520f6583e918801d8a2cf13.pdf",
		"text": "https://archive.orkl.eu/755ff5be672151c84520f6583e918801d8a2cf13.txt",
		"img": "https://archive.orkl.eu/755ff5be672151c84520f6583e918801d8a2cf13.jpg"
	}
}