{ "id": "7fbd577b-d81f-4c7b-964f-6f39f3b9a650", "created_at": "2026-04-06T00:17:05.148458Z", "updated_at": "2026-04-10T03:34:22.567384Z", "deleted_at": null, "sha1_hash": "abcbde3a4ecaf320cc2c48783821d34ad139a452", "title": "Researchers Find New Evidence Linking Kwampirs Malware to Shamoon APT Hackers", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 206399, "plain_text": "Researchers Find New Evidence Linking Kwampirs Malware to\r\nShamoon APT Hackers\r\nBy The Hacker News\r\nPublished: 2022-03-14 · Archived: 2026-04-05 17:28:02 UTC\r\nNew findings released last week showcase the overlapping source code and techniques between the operators\r\nof Shamoon and Kwampirs, indicating that they \"are the same group or really close collaborators.\"\r\n\"Research evidence shows identification of co-evolution between both Shamoon and Kwampirs malware families\r\nduring the known timeline,\" Pablo Rincón Crespo of Cylera Labs said.\r\n\"If Kwampirs is based on the original Shamoon, and Shamoon 2 and 3 campaign code is based on Kwampirs, […]\r\nthen the authors of Kwampirs would be potentially the same as the authors of Shamoon, or must have a very\r\nstrong relationship, as has been seen over the course of many years,\" Rincón Crespo added.\r\nShamoon, also known as DistTrack, functions as an information-stealing malware that also incorporates a\r\ndestructive component that allows it to overwrite the Master Boot Record (MBR) with arbitrary data so as to\r\nrender the infected machine inoperable.\r\nhttps://thehackernews.com/2022/03/researchers-find-new-evidence-linking.html\r\nPage 1 of 3\n\nThe malware, developed by the eponymous hacking crew also tracked as Magic Hound, Timberworm, COBALT\r\nGIPSY, was first documented by Broadcom-owned Symantec in August 2012. At least two updated versions of\r\nShamoon have since emerged, Shamoon 2 in 2016 and Shamoon 3 in 2018.\r\nIn July 2021, the U.S. government attributed Shamoon as the handiwork of Iranian state-sponsored actors, linking\r\nit to cyber offensives targeting industrial control systems.\r\nOn the other hand, attack activity involving the Kwampirs backdoor has been connected to a threat group known\r\nas Orangeworm, with Symantec disclosing an intrusion campaign aimed at entities in the healthcare sector in the\r\nU.S., Europe, and Asia.\r\n\"Kwampirs New Campaign Building Process\" explained by Cylera\r\n\"First identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related\r\nindustries as part of a larger supply-chain attack in order to reach their intended victims,\" Symantec said in an\r\nanalysis in April 2018.\r\nCylera Labs' uncovering of the connection stems from malware artifacts and previously unnoticed components,\r\none of which is said to be an intermediary \"stepping stone\" version. It's a Shamoon dropper but sans the wiper\r\nfeature, while simultaneously reusing the same loader code as Kwampirs.\r\nWhat's more, code-level similarities have been uncovered between Kwampirs and subsequent versions of\r\nShamoon. This includes the functionality to retrieve system metadata, fetch MAC address, and the victim's\r\nkeyboard layout information as well as the use of the same InternetOpenW Windows API to craft HTTP requests\r\nto the command-and-control (C2) server.\r\n\"Shamoon 2 New Campaign Building Process\" explained by Cylera\r\nAlso put to use is a common template system to create the reporter module that houses capabilities to upload host\r\ninformation and download additional payloads to execute from their C2 servers, a feature that was missing in the\r\nfirst version of Shamoon.\r\nIn connecting the disparate dots, the investigation has led to the assessment that Kwampirs is likely based on\r\nShamoon 1 and that Shamoon 2 inherited some of its code from Kwampirs, implying that the operators of both the\r\nmalware are different sub-groups of a larger umbrella group or that it's the work of a single actor.\r\nhttps://thehackernews.com/2022/03/researchers-find-new-evidence-linking.html\r\nPage 2 of 3\n\nSuch a claim isn't without precedence. Just last week, Cisco Talos detailed the TTPs of another Iranian actor called\r\nMuddyWater, noting that the nation-state actor is a \"conglomerate\" of multiple teams operating independently\r\nrather than a single threat actor group.\r\n\"These conclusions, if indeed correct, would recast Kwampirs as a large-scale, multi-year attack on global\r\nhealthcare supply chains conducted by a foreign state actor,\" the researchers concluded.\r\n\"The data gathered and systems accessed in these campaigns have a wide range of potential usage, including theft\r\nof intellectual property, gathering of medical records of targets like dissidents or military leaders, or\r\nreconnaissance to aid in the planning of future destructive attacks.\"\r\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content\r\nwe post.\r\nSource: https://thehackernews.com/2022/03/researchers-find-new-evidence-linking.html\r\nhttps://thehackernews.com/2022/03/researchers-find-new-evidence-linking.html\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://thehackernews.com/2022/03/researchers-find-new-evidence-linking.html" ], "report_names": [ "researchers-find-new-evidence-linking.html" ], "threat_actors": [ { "id": "d8af157e-741b-4933-bb4a-b78490951d97", "created_at": "2023-01-06T13:46:38.748929Z", "updated_at": "2026-04-10T02:00:03.087356Z", "deleted_at": null, "main_name": "APT35", "aliases": [ "COBALT MIRAGE", "Agent Serpens", "Newscaster Team", "Magic Hound", "G0059", "Phosphorus", "Mint Sandstorm", "TunnelVision" ], "source_name": "MISPGALAXY:APT35", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b", "created_at": "2022-10-25T15:50:23.308924Z", "updated_at": "2026-04-10T02:00:05.298591Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "MuddyWater", "Earth Vetala", "Static Kitten", "Seedworm", "TEMP.Zagros", "Mango Sandstorm", "TA450" ], "source_name": "MITRE:MuddyWater", "tools": [ "STARWHALE", "POWERSTATS", "Out1", "PowerSploit", "Small Sieve", "Mori", "Mimikatz", "LaZagne", "PowGoop", "CrackMapExec", "ConnectWise", "SHARPSTATS", "RemoteUtilities", "Koadic" ], "source_id": "MITRE", "reports": null }, { "id": "c4acd072-595e-4d33-9ce9-bbf41010bb1a", "created_at": "2023-01-06T13:46:38.751893Z", "updated_at": "2026-04-10T02:00:03.088252Z", "deleted_at": null, "main_name": "Orangeworm", "aliases": [], "source_name": "MISPGALAXY:Orangeworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3e0bc1b7-0dd7-444a-964b-64dfb5145c8f", "created_at": "2022-10-25T15:50:23.413202Z", "updated_at": "2026-04-10T02:00:05.388465Z", "deleted_at": null, "main_name": "Orangeworm", "aliases": [ "Orangeworm" ], "source_name": "MITRE:Orangeworm", "tools": [ "Kwampirs", "netstat", "ipconfig", "cmd", "Arp", "Systeminfo" ], "source_id": "MITRE", "reports": null }, { "id": "2ed8d590-defa-4873-b2de-b75c9b30931e", "created_at": "2023-01-06T13:46:38.730137Z", "updated_at": "2026-04-10T02:00:03.08136Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "TEMP.Zagros", "Seedworm", "COBALT ULSTER", "G0069", "ATK51", "Mango Sandstorm", "TA450", "Static Kitten", "Boggy Serpens", "Earth Vetala" ], "source_name": "MISPGALAXY:MuddyWater", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6a60b1ba-609f-4bed-b15b-3ffc050d2ac6", "created_at": "2022-10-25T16:07:24.033083Z", "updated_at": "2026-04-10T02:00:04.846068Z", "deleted_at": null, "main_name": "Orangeworm", "aliases": [ "G0071" ], "source_name": "ETDA:Orangeworm", "tools": [ "Kwampirs", "LOLBAS", "LOLBins", "Living off the Land" ], "source_id": "ETDA", "reports": null }, { "id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4", "created_at": "2022-10-25T15:50:23.808974Z", "updated_at": "2026-04-10T02:00:05.291959Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "Magic Hound", "TA453", "COBALT ILLUSION", "Charming Kitten", "ITG18", "Phosphorus", "APT35", "Mint Sandstorm" ], "source_name": "MITRE:Magic Hound", "tools": [ "Impacket", "CharmPower", "FRP", "Mimikatz", "Systeminfo", "ipconfig", "netsh", "PowerLess", "Pupy", "DownPaper", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-10T02:00:03.640335Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "156b3bc5-14b7-48e1-b19d-23aa17492621", "created_at": "2025-08-07T02:03:24.793494Z", "updated_at": "2026-04-10T02:00:03.634641Z", "deleted_at": null, "main_name": "COBALT ULSTER", "aliases": [ "Boggy Serpens ", "ENT-11 ", "Earth Vetala ", "ITG17 ", "MERCURY ", "Mango Sandstorm ", "MuddyWater ", "STAC 1171 ", "Seedworm ", "Static Kitten ", "TA450 ", "TEMP.Zagros ", "UNC3313 ", "Yellow Nix " ], "source_name": "Secureworks:COBALT ULSTER", "tools": [ "CrackMapExec", "Empire", "FORELORD", "Koadic", "LaZagne", "Metasploit", "Mimikatz", "Plink", "PowerStats" ], "source_id": "Secureworks", "reports": null }, { "id": "b0261705-df2e-4156-9839-16314250f88a", "created_at": "2023-01-06T13:46:38.373617Z", "updated_at": "2026-04-10T02:00:02.947842Z", "deleted_at": null, "main_name": "Rocket Kitten", "aliases": [ "Operation Woolen-Goldfish", "Thamar Reservoir", "Timberworm", "TEMP.Beanie", "Operation Woolen Goldfish" ], "source_name": "MISPGALAXY:Rocket Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f", "created_at": "2022-10-25T16:07:23.83826Z", "updated_at": "2026-04-10T02:00:04.761303Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "APT 35", "Agent Serpens", "Ballistic Bobcat", "Charming Kitten", "CharmingCypress", "Cobalt Illusion", "Cobalt Mirage", "Educated Manticore", "G0058", "G0059", "Magic Hound", "Mint Sandstorm", "Operation BadBlood", "Operation Sponsoring Access", "Operation SpoofedScholars", "Operation Thamar Reservoir", "Phosphorus", "TA453", "TEMP.Beanie", "Tarh Andishan", "Timberworm", "TunnelVision", "UNC788", "Yellow Garuda" ], "source_name": "ETDA:Magic Hound", "tools": [ "7-Zip", "AnvilEcho", "BASICSTAR", "CORRUPT KITTEN", "CWoolger", "CharmPower", "ChromeHistoryView", "CommandCam", "DistTrack", "DownPaper", "FRP", "Fast Reverse Proxy", "FireMalv", "Ghambar", "GoProxy", "GorjolEcho", "HYPERSCRAPE", "Havij", "MPK", "MPKBot", "Matryoshka", "Matryoshka RAT", "MediaPl", "Mimikatz", "MischiefTut", "NETWoolger", "NOKNOK", "PINEFLOWER", "POWERSTAR", "PowerLess Backdoor", "PsList", "Pupy", "PupyRAT", "SNAILPROXY", "Shamoon", "TDTESS", "WinRAR", "WoolenLogger", "Woolger", "pupy", "sqlmap" ], "source_id": "ETDA", "reports": null }, { "id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb", "created_at": "2022-10-25T16:07:23.880522Z", "updated_at": "2026-04-10T02:00:04.775749Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "ATK 51", "Boggy Serpens", "Cobalt Ulster", "G0069", "ITG17", "Mango Sandstorm", "MuddyWater", "Operation BlackWater", "Operation Earth Vetala", "Operation Quicksand", "Seedworm", "Static Kitten", "T-APT-14", "TA450", "TEMP.Zagros", "Yellow Nix" ], "source_name": "ETDA:MuddyWater", "tools": [ "Agentemis", "BugSleep", "CLOUDSTATS", "ChromeCookiesView", "Cobalt Strike", "CobaltStrike", "CrackMapExec", "DCHSpy", "DELPHSTATS", "EmPyre", "EmpireProject", "FruityC2", "Koadic", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "MZCookiesView", "Meterpreter", "Mimikatz", "MuddyC2Go", "MuddyRot", "Mudwater", "POWERSTATS", "PRB-Backdoor", "PhonyC2", "PowGoop", "PowerShell Empire", "PowerSploit", "Powermud", "QUADAGENT", "SHARPSTATS", "SSF", "Secure Socket Funneling", "Shootback", "Smbmap", "Valyria", "chrome-passwords", "cobeacon", "prb_backdoor" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434625, "ts_updated_at": 1775792062, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/abcbde3a4ecaf320cc2c48783821d34ad139a452.pdf", "text": "https://archive.orkl.eu/abcbde3a4ecaf320cc2c48783821d34ad139a452.txt", "img": "https://archive.orkl.eu/abcbde3a4ecaf320cc2c48783821d34ad139a452.jpg" } }