{
	"id": "aa2be91f-0a50-4737-bccb-b91e9ccda2c2",
	"created_at": "2026-04-06T00:10:44.251512Z",
	"updated_at": "2026-04-10T03:22:08.434812Z",
	"deleted_at": null,
	"sha1_hash": "7db7542684db64b912ddea81a37f21db802acc0d",
	"title": "FLASH CP 000111 MW Downgraded Version",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 36029,
	"plain_text": "FLASH CP 000111 MW Downgraded Version\r\nArchived: 2026-04-05 19:44:02 UTC\r\nTLP: WHITE\r\n25 March 2020\r\nAlert Number\r\nCP-000111-MW\r\nWE NEED YOUR\r\nHELP!\r\nIf you identify any\r\nsuspicious activity\r\nwithin your\r\nenterprise or have\r\nrelated information,\r\nplease contact\r\nFBI CYWATCH\r\nimmediately with\r\nrespect to the\r\nprocedures outlined\r\nin the Reporting\r\nNotice section of\r\nthis message.\r\nEmail:\r\ncywatch@fbi.gov\r\nPhone:\r\n1-855-292-3937\r\n*Note: This information is\r\nbeing provided by the FBI to\r\nassist cyber security\r\nspecialists protect against\r\nthe persistent malicious\r\nactions of cyber criminals.\r\nThe information is provided\r\nwithout any guaranty or\r\nwarranty and is for use at\r\nthe sole discretion of the\r\nrecipients.\r\nThe following information is being provided by the FBI, with no guarantees or\r\nwarranties, for potential use at the sole discretion of recipients in order to\r\nprotect against cyber threats. This data is provided in order to help cyber security\r\nprofessionals and system administrators to guard against the persistent malicious\r\nactions of cyber criminals.\r\nThis FLASH has been released TLP: WHITE : The information in this product may\r\nbe distributed without restriction, subject to copyright controls.\r\nKwampirs Malware Indicators of Compromise\r\nEmployed in Ongoing Cyber Supply Chain Campaign\r\nTargeting Global Industries\r\nSummary:\r\nThis is a re-release of FBI FLASH message (CP-000111-MW) previously\r\ndisseminated on 06 January 2020. Since at least 2016, an ongoing campaign using\r\nthe Kwampirs Remote Access Trojan (RAT) targeted several global industries,\r\nincluding the software supply chain, healthcare, energy, and financial sectors. The\r\nFBI assesses software supply chain companies are a key interest and target of the\r\nKwampirs campaign. This campaign is a two-phased approach. The first phase\r\nestablishes a broad and persistent presence on the targeted network, to include\r\ndelivery and execution of secondary malware payload(s). The second phase\r\nincludes the delivery of additional Kwampirs components or malicious payload(s)\r\nto further exploit the infected victim host(s).\r\nTechnical Details:\r\nPropagation, Persistence, Backdoor (Module 1):\r\nUpon successful infection, the Kwampirs RAT propagates laterally across the\r\ntargeted network via SMB port 445, using hidden admin shares such as\r\nADMIN$ and C$. The malware maintains persistence on the infected Windows\r\nhost by dropping a binary to the hard drive and creating a malicious Windows\r\nsystem service set to auto start upon reboot. The new malicious service scans and\r\ncatalogs the host configuration, encrypts the data, and transmits it to an external\r\nCommand and Control (C2) server via an HTTP GET request on port 80.\r\nSource: http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html"
	],
	"report_names": [
		"6821581-FLASH-CP-000111-MW-Downgraded-Version.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434244,
	"ts_updated_at": 1775791328,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7db7542684db64b912ddea81a37f21db802acc0d.pdf",
		"text": "https://archive.orkl.eu/7db7542684db64b912ddea81a37f21db802acc0d.txt",
		"img": "https://archive.orkl.eu/7db7542684db64b912ddea81a37f21db802acc0d.jpg"
	}
}