{
	"id": "3e8eeeb6-fdf8-49cd-b0f2-d7a8a1aa1560",
	"created_at": "2026-04-06T01:30:16.624673Z",
	"updated_at": "2026-04-10T03:32:43.666537Z",
	"deleted_at": null,
	"sha1_hash": "b5fef4cb068baf09acfce01d418b47f34d2ca4fe",
	"title": "FBI warns about ongoing attacks against software supply chain companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 847449,
	"plain_text": "FBI warns about ongoing attacks against software supply chain\r\ncompanies\r\nBy Catalin Cimpanu\r\nPublished: 2020-02-10 · Archived: 2026-04-06 00:24:39 UTC\r\nImage: FBI, ZDNet, Florian Krumm\r\nThe FBI has sent a security alert to the US private sector about an ongoing hacking campaign that's targeting\r\nsupply chain software providers, ZDNet has learned.\r\nThe FBI says hackers are attempting to infect companies with the Kwampirs malware, a remote access trojan\r\n(RAT).\r\n\"Software supply chain companies are believed to be targeted in order to gain access to the victim's strategic\r\npartners and/or customers, including entities supporting Industrial Control Systems (ICS) for global energy\r\ngeneration, transmission, and distribution,\" the FBI said in a private industry notification sent out last week.\r\nBesides attacks against supply chain software providers, the FBI said the same malware was also deployed in\r\nattacks against companies in the healthcare, energy, and financial sectors.\r\nThe alert did not identify the targeted software providers, nor any other victims.\r\nInstead, the FBI shared IOCs (indicators of compromise) and YARA rules so organizations can scan internal\r\nnetworks for signs of the Kwampirs RAT used in the recent attacks.\r\nKwampirs malware\r\nThe Kwampirs malware was first described in a report published by US cyber-security firm Symantec in April\r\n2018.\r\nhttps://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/\r\nPage 1 of 2\n\nAt the time, Symantec said a group codenamed Orangeworm had used the Kwampirs malware to similarly target\r\nsupply chain companies that provided software for the healthcare sector.\r\nSymantec said Orangeworm had been in operation since 2015 and was focused on the healthcare industry\r\nprimarily.\r\n\"Orangeworm's secondary targets include Manufacturing, Information Technology, Agriculture, and Logistics,\"\r\nSymantec said at the time. \"While these industries may appear to be unrelated, we found them to have multiple\r\nlinks to healthcare, such as large manufacturers that produce medical imaging devices sold directly into healthcare\r\nfirms, IT organizations that provide support services to medical clinics, and logistical organizations that deliver\r\nhealthcare products.\"\r\nA Lab52 report released a year later, in April 2019, confirmed the Symantec findings and the group's focus on the\r\nhealthcare industry.\r\nNew attacks appear to be targeting the ICS energy sector\r\nHowever, the FBI alert sent out last week specifically warns that attacks employing Kwampirs have now evolved\r\nto targeting companies in the ICS (Industrial Control Systems) sector, and especially the energy sector.\r\nIn 2018 and 2019, neither Symantec nor Lab52 made any attribution on the group's country of origin.\r\nThe FBI, however, claims that new evidence from code analysis suggests that Kwampirs contains \"numerous\r\nsimilarities\" with Shamoon, an infamous data-wiping malware developed by APT33, an Iranian-linked hacking\r\ngroup.\r\n\"While the Kwampirs RAT has not been observed incorporating a wiper component, comparative forensic analysis\r\nhas revealed the Kwampirs RAT as having numerous similarities with the data destruction malware Disttrack\r\n(commonly known as Shamoon),\" the FBI said.\r\nThe Shamoon malware has been used in multiple data-wiping attacks against companies in the energy sector, and\r\nmore specifically, in the oil \u0026 gas fields [1, 2, 3].\r\nThe FBI urged companies to scan networks for any signs of Kwampirs and report any infections.\r\nSource: https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/\r\nhttps://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/"
	],
	"report_names": [
		"fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c4acd072-595e-4d33-9ce9-bbf41010bb1a",
			"created_at": "2023-01-06T13:46:38.751893Z",
			"updated_at": "2026-04-10T02:00:03.088252Z",
			"deleted_at": null,
			"main_name": "Orangeworm",
			"aliases": [],
			"source_name": "MISPGALAXY:Orangeworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3e0bc1b7-0dd7-444a-964b-64dfb5145c8f",
			"created_at": "2022-10-25T15:50:23.413202Z",
			"updated_at": "2026-04-10T02:00:05.388465Z",
			"deleted_at": null,
			"main_name": "Orangeworm",
			"aliases": [
				"Orangeworm"
			],
			"source_name": "MITRE:Orangeworm",
			"tools": [
				"Kwampirs",
				"netstat",
				"ipconfig",
				"cmd",
				"Arp",
				"Systeminfo"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6a60b1ba-609f-4bed-b15b-3ffc050d2ac6",
			"created_at": "2022-10-25T16:07:24.033083Z",
			"updated_at": "2026-04-10T02:00:04.846068Z",
			"deleted_at": null,
			"main_name": "Orangeworm",
			"aliases": [
				"G0071"
			],
			"source_name": "ETDA:Orangeworm",
			"tools": [
				"Kwampirs",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439016,
	"ts_updated_at": 1775791963,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5fef4cb068baf09acfce01d418b47f34d2ca4fe.pdf",
		"text": "https://archive.orkl.eu/b5fef4cb068baf09acfce01d418b47f34d2ca4fe.txt",
		"img": "https://archive.orkl.eu/b5fef4cb068baf09acfce01d418b47f34d2ca4fe.jpg"
	}
}