MITRE ATT&CK® Group

G0071: Orangeworm

Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.[1] Reverse engineering of Kwampirs, directly associated with Orangeworm activity, indicates significant functional and development overlaps with Shamoon.[2]

Enterprise · G0071 · Group · Object v2.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Orangeworm matters because ATT&CK describes it as a group targeting healthcare organizations across the U.S., Europe, and Asia, likely for corporate espionage. For security leaders, the practical issue is not just malware: the related ATT&CK context points to Windows-native administration tools, SMB-based lateral movement, web-protocol command and control, and Kwampirs activity found on systems associated with high-tech imaging device software such as X-Ray and MRI environments.

Executive priority

Prioritize this as a healthcare resilience and evidence-readiness concern where enterprise Windows networks intersect with clinical or diagnostic technology. Leaders should ask whether SMB/admin-share exposure, native Windows utility monitoring, web egress visibility, and asset ownership for imaging-support systems are actually documented and tested. The decision value for the business lies in validating whether SOC and IR teams can distinguish legitimate administration from suspicious discovery, lateral movement, and command-and-control behavior before an investigation depends on missing logs.

Technical view

ATT&CK provides no official detection text for Orangeworm itself, so defenders should build validation around the supplied relationships: Kwampirs on Windows, Windows command execution via cmd, discovery utilities such as net, systeminfo, ipconfig, arp, route, and netstat, SMB/Windows Admin Shares for lateral movement, and Web Protocols for command and control. SOC teams should confirm they can correlate process execution, account usage, SMB share access, and outbound web traffic from sensitive healthcare and imaging-support assets.

Likely telemetry

  • Endpoint process creation and command-line logging for cmd, net, systeminfo, ipconfig, arp, route, and netstat
  • Windows authentication, logon, and account-use events tied to remote access and administrative activity
  • SMB file share and Windows Admin Share access logs, including source host, destination host, user, and share path
  • Endpoint security or malware telemetry relevant to Kwampirs detections or suspicious backdoor behavior
  • Network proxy, firewall, DNS, and HTTP/S metadata for outbound web-protocol command-and-control analysis

Detection direction

  • Baseline legitimate administrative use of Windows discovery utilities so unusual combinations, timing, users, or execution from sensitive assets can be reviewed without excessive false positives.
  • Validate visibility into SMB/Windows Admin Shares, especially lateral connections between workstations, servers, and healthcare technology support segments.
  • Tune detections to correlate native-tool discovery followed by SMB access and outbound web traffic rather than relying on a single utility execution event.
  • Review web-protocol monitoring for unusual destinations, rare user agents, abnormal beacon-like patterns, or unexpected outbound traffic from imaging-support or clinical-adjacent Windows systems.
  • Treat Kwampirs-related findings as high-investigation-value in healthcare environments, while avoiding assumptions about actor attribution without corroborating evidence.
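As an added example (not Glexia's or MITRE's code, and not tied to any real detection product), the following Python sketch implements the correlation described above: several distinct native discovery utilities on one host, followed within a window by access to an administrative share (ADMIN$ or a drive$ share of the kind named in the relationship table) and outbound HTTP(S). The event records, hostnames and addresses are constructed for the example; a real deployment would feed it from process-creation (e.g. Sysmon/4688), share-access and proxy telemetry.

```python
import re
from datetime import datetime, timedelta

# Native Windows discovery utilities named in the ATT&CK context for this group.
DISCOVERY_TOOLS = {"net.exe", "net1.exe", "systeminfo.exe", "ipconfig.exe",
                   "arp.exe", "route.exe", "netstat.exe"}
# UNC path to an administrative share: \\host\ADMIN$ or \\host\<drive>$ ...
ADMIN_SHARE = re.compile(r"\\\\[^\\]+\\(?:ADMIN\$|[A-Za-z]\$)(?:\\|$)")

# Constructed sample events (timestamp, source host, kind, detail); hostnames,
# times and the external addresses are made up for this example.
EVENTS = [
    ("2024-01-10 09:00:05", "IMG-WS01", "process", "net.exe"),
    ("2024-01-10 09:00:07", "IMG-WS01", "process", "ipconfig.exe"),
    ("2024-01-10 09:00:09", "IMG-WS01", "process", "netstat.exe"),
    ("2024-01-10 09:00:11", "IMG-WS01", "process", "arp.exe"),
    ("2024-01-10 09:03:40", "IMG-WS01", "share", r"\\MRI-SRV02\ADMIN$\svc.exe"),
    ("2024-01-10 09:05:02", "IMG-WS01", "http", "203.0.113.7:80"),
    ("2024-01-10 09:10:00", "ADMIN-PC", "process", "ipconfig.exe"),  # routine check
    ("2024-01-10 09:12:00", "ADMIN-PC", "http", "198.51.100.20:443"),
]


def correlate(events, window=timedelta(minutes=30), min_tools=3):
    """Flag hosts on which at least `min_tools` distinct discovery utilities ran
    and, within `window` of the first one, an admin share was accessed AND
    outbound HTTP(S) was seen. Returns {host: {"tools", "shares", "http"}}."""
    by_host = {}
    for ts, host, kind, detail in sorted(events):  # ISO timestamps sort as text
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        h = by_host.setdefault(host, {"tools": {}, "share": [], "http": []})
        if kind == "process" and detail.lower() in DISCOVERY_TOOLS:
            h["tools"].setdefault(detail.lower(), t)  # keep first sighting
        elif kind == "share" and ADMIN_SHARE.match(detail):
            h["share"].append((t, detail))
        elif kind == "http":
            h["http"].append((t, detail))

    alerts = {}
    for host, h in by_host.items():
        if len(h["tools"]) < min_tools:
            continue  # a single utility run is normal administration
        start = min(h["tools"].values())
        shares = [d for t, d in h["share"] if start <= t <= start + window]
        https = [d for t, d in h["http"] if start <= t <= start + window]
        if shares and https:
            alerts[host] = {"tools": sorted(h["tools"]), "shares": shares, "http": https}
    return alerts
```

Tune `min_tools` and `window` against the baseline of legitimate administrative use on each segment; the lone `ipconfig` run on ADMIN-PC is deliberately left below the threshold.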

Mitigation priorities

  • Start with asset inventory and ownership for Windows systems supporting clinical imaging or adjacent healthcare operations.
  • Limit and monitor SMB/Windows Admin Share access using least privilege and administrative account controls.
  • Segment sensitive healthcare technology support systems from general enterprise workstations where operationally feasible.
  • Ensure endpoint logging captures process creation and command-line details for native Windows utilities used in discovery and administration.
  • Maintain egress controls and logging for HTTP/S and related web protocols, especially from systems that should have limited internet access.

Analyst notes and limits

The strongest decision context comes from the official healthcare targeting description and the relationships to Kwampirs, Windows utilities, SMB/Windows Admin Shares, and Web Protocols. The Shamoon reference should be treated only as reported functional and development overlap with Kwampirs, not as proof of shared operators or destructive intent.

ATT&CK does not provide official detection guidance, tactics, or platforms directly on the Orangeworm intrusion-set object. Platform and behavior assumptions should therefore be constrained to the supplied related software and technique context and validated against the local environment.

Official MITRE ATT&CK definition

Orangeworm

Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.[1] Reverse engineering of Kwampirs, directly associated with Orangeworm activity, indicates significant functional and development overlaps with Shamoon.[2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

2 rows

Enterprise | T1071.001 | Web Protocols (Sub-technique)
  Orangeworm has used HTTP for C2. (Citation: Symantec Orangeworm IOCs April 2018)

Enterprise | T1021.002 | SMB/Windows Admin Shares (Sub-technique)
  Orangeworm has copied its backdoor across open network shares, including ADMIN$, C$\WINDOWS, D$\WINDOWS, and E$\WINDOWS. (Citation: Symantec Orangeworm April 2018)

Associated objects

Groups, software, and campaigns

Malware Enterprise

S0236: Kwampirs

Kwampirs is a backdoor Trojan used by Orangeworm. Kwampirs has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines.[1] Kwampirs has multiple technical overlaps with Shamoon based on reverse engineering analysis.[2]

Platforms: Windows
Tool Enterprise

S0104: netstat

netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics.[1]

Tool Enterprise

S0039: Net

The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.[1]

Net has a great deal of functionality,[2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.

Platforms: Windows
Tool Enterprise

S0100: ipconfig

ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration.[1]

Tool Enterprise

S0106: cmd

cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities.[1]

Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir[2]), deleting files (e.g., del[3]), and copying files (e.g., copy[4]).

Platforms: Windows
Tool Enterprise

S0099: Arp

Arp displays and modifies information about a system's Address Resolution Protocol (ARP) cache.[1]

Platforms: Linux, Windows, macOS
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 2.0
Raw hash: 41897e3f6ae1638e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | - | 2.0 | - | Current bundle | 41897e3f6ae1…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Symantec Orangeworm April 2018
     Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  2. [2] Cylera Kwampirs 2022
     Pablo Rincón Crespo. (2022, January). The link between Kwampirs (Orangeworm) and Shamoon APTs. Retrieved February 8, 2024.
  3. [3] Orangeworm
     (Citation: Symantec Orangeworm April 2018)
  4. [4] mitre-attack G0071

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.