S0236: Kwampirs
Analyst context for executives and security teams
Kwampirs matters because ATT&CK describes it as a Windows backdoor Trojan associated with Orangeworm and observed on machines connected to high-tech medical imaging environments such as X-Ray and MRI systems. For leaders, the decision value is not just “malware exists”; it is whether clinical, biomedical, and enterprise Windows environments are monitored well enough to detect discovery, persistence, lateral movement over SMB/admin shares, and command-and-control behaviors before they affect operational resilience.
Executive priority
Prioritize Kwampirs as a healthcare and cyber-physical risk planning use case when Windows systems support or interact with medical imaging operations. Executives should ask whether biomedical/clinical networks are inventoried, segmented, logged, and included in incident response playbooks. The ATT&CK relationships emphasize discovery-heavy behavior, Windows service persistence, SMB/admin share lateral movement, fallback command channels, and tool transfer, which are all material to containment speed, audit evidence, and business continuity during a suspected intrusion.
Technical view
SOC and IR teams should validate coverage around the ATT&CK-linked behaviors rather than relying on a single malware indicator. On Windows, focus on unusual service creation or modification, masqueraded service names, rundll32-based execution, SMB/admin share access, network/share enumeration, process/service/account/group/password-policy discovery, file and directory enumeration, ingress file transfer, and alternate or fallback command-and-control paths. Because ATT&CK provides no official detection text for this malware object, detections should be behavior-led and correlated across endpoint, Windows event, identity, and network telemetry.
Likely telemetry
- Windows service creation, modification, startup, and service binary path changes
- Process creation telemetry, including rundll32.exe execution and command-line context where available
- Windows Security logs for logon activity, administrative share access, account/group enumeration, and lateral movement indicators
- Endpoint file telemetry for new binaries, encoded/encrypted artifacts, unusually padded binaries, and tool transfer activity
- Network telemetry for SMB connections, remote host discovery, share enumeration, and external command-and-control communications
Detection direction
- Map existing detections to the related ATT&CK techniques: T1543.003, T1036.004, T1218.011, T1021.002, T1007, T1016, T1018, T1049, T1057, T1069.001, T1069.002, T1082, T1083, T1087.001, T1105, T1135, T1140, T1201, T1008, T1027.001, and T1027.013.
- Tune for sequences: discovery across users, groups, services, processes, files, network configuration, and shares followed by SMB/admin share activity, service persistence, or external file transfer.
- Reduce false positives by baselining legitimate administrative software, biomedical engineering workflows, patching tools, and imaging-device management activity before alerting on discovery or SMB behavior alone.
- Validate that medical imaging support systems are included in endpoint logging and network monitoring; these environments are often operationally sensitive and may have telemetry gaps.
- Do not depend only on hashes or static signatures because ATT&CK relationships include binary padding and encrypted/encoded file behavior.
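As an added illustration of the behavior-led, sequence-aware correlation described above (example code, not part of the ATT&CK object or the Glexia page), the Python below flags a WMI-lookalike service install and a per-host discovery burst that is followed by service persistence or admin-share access. The normalized event schema, the sample events, and the legitimate WMI service baseline are constructed assumptions; the lookalike service name and display name are the ones given in the technique table on this page.

```python
"""Behavior-led correlation for the pattern this page describes: a burst of
discovery across several categories on one host, then service persistence with a
WMI-lookalike name or admin-share access. Event fields are a constructed schema."""
# Discovery categories the page lists, keyed by constructed event type.
DISCOVERY = {"account_enum", "group_enum", "share_enum", "service_enum",
             "process_enum", "netconfig_enum", "file_enum", "policy_enum"}
FOLLOW_ON = {"service_install", "admin_share_access"}
LEGIT_WMI = {"wmiapsrv": "wmi performance adapter"}  # assumed baseline: name -> display

def masquerade_hits(events):
    """Service installs whose name or display name extends a baseline WMI
    entry without matching it exactly (T1036.004 / T1543.003 on this page)."""
    hits = []
    for e in (e for e in events if e["type"] == "service_install"):
        name, disp = e["name"].lower(), e["display"].lower()
        for ln, ld in LEGIT_WMI.items():
            exact = name == ln and disp == ld
            lookalike = name.startswith(ln) or disp.startswith(ld)
            if lookalike and not exact:
                hits.append((e["host"], e["name"], e["display"]))
    return hits

def sequence_hits(events, min_categories=3, window=1800):
    """Per host: at least min_categories distinct discovery types, then a
    persistence or admin-share event, all within `window` seconds."""
    hits, by_host = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        seen, start = set(), None
        for e in evs:
            if start is not None and e["ts"] - start > window:
                seen, start = set(), None  # burst window expired: reset
            if e["type"] in DISCOVERY:
                start = e["ts"] if start is None else start
                seen.add(e["type"])
            elif e["type"] in FOLLOW_ON and len(seen) >= min_categories:
                hits.append((host, sorted(seen), e["type"]))
    return hits
SAMPLE_EVENTS = [  # constructed sample telemetry for two hosts (ts in seconds)
    {"host": "IMG-WS01", "ts": 0, "type": "account_enum"},
    {"host": "IMG-WS01", "ts": 5, "type": "group_enum"},
    {"host": "IMG-WS01", "ts": 9, "type": "share_enum"},
    {"host": "IMG-WS01", "ts": 20, "type": "service_enum"},
    {"host": "IMG-WS01", "ts": 120, "type": "service_install",
     "name": "WmiApSrvEx", "display": "WMI Performance Adapter Extension"},
    {"host": "ADMIN-PC", "ts": 3600, "type": "service_install",
     "name": "wmiApSrv", "display": "WMI Performance Adapter"},
    {"host": "ADMIN-PC", "ts": 3900, "type": "share_enum"},
    {"host": "ADMIN-PC", "ts": 3960, "type": "admin_share_access"},
]
```

The exact-match exemption keeps the legitimate service on ADMIN-PC quiet, and a single discovery type followed by share access does not fire, which is the baselining point the list above makes.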
Mitigation priorities
- Confirm inventory ownership for Windows systems supporting imaging devices and include them in risk reviews and incident response scope.
- Segment clinical/imaging support networks from general enterprise access where operationally feasible, and tightly govern SMB/admin share use.
- Harden and monitor Windows services, including service creation rights, service binary paths, and unexpected service names.
- Review identity and access controls for local administrators, domain groups, and accounts able to access administrative shares.
- Ensure endpoint, Windows event, and network logging are retained long enough to reconstruct discovery, lateral movement, persistence, and command-and-control activity.
Analyst notes and limits
ATT&CK identifies Kwampirs as a backdoor Trojan used by Orangeworm, observed on machines with software for high-tech imaging devices, and technically overlapping with Shamoon based on reverse engineering analysis. The strongest defensive value comes from treating it as a behavior cluster affecting Windows, discovery, SMB lateral movement, service persistence, obfuscation, and command-and-control resilience.
ATT&CK provides no official detection guidance for this malware object, no explicit malware-level tactics, no aliases, and only Windows as the supplied platform. This take does not assert current activity, customer exposure, guaranteed detection, or impact. Local asset inventory, clinical workflow context, and telemetry validation are required to determine actual risk and coverage.
Kwampirs
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1069.002 | Domain Groups Sub-technique | Kwampirs collects a list of domain groups with the command |
| Enterprise | T1087.001 | Local Account Sub-technique | Kwampirs collects a list of accounts with the command |
| Enterprise | T1135 | Network Share Discovery | Kwampirs collects a list of network shares with the command |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Kwampirs decrypts and extracts a copy of its main DLL payload when executing. (Citation: Symantec Orangeworm April 2018) |
| Enterprise | T1007 | System Service Discovery | Kwampirs collects a list of running services with the command |
| Enterprise | T1083 | File and Directory Discovery | Kwampirs collects a list of files and directories in C:\ with the command |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Kwampirs downloads additional files that are base64-encoded and encrypted with another cipher. (Citation: Symantec Security Center Trojan.Kwampirs) |
| Enterprise | T1543.003 | Windows Service Sub-technique | Kwampirs creates a new service named WmiApSrvEx to establish persistence. (Citation: Symantec Orangeworm April 2018) |
| Enterprise | T1033 | System Owner/User Discovery | Kwampirs collects registered owner details by using the commands |
| Enterprise | T1018 | Remote System Discovery | Kwampirs collects a list of available servers with the command |
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | Kwampirs copies itself over network shares to move laterally on a victim network. (Citation: Symantec Orangeworm April 2018) |
| Enterprise | T1027.001 | Binary Padding Sub-technique | Before writing to disk, Kwampirs inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections. (Citation: Symantec Orangeworm April 2018) |
| Enterprise | T1105 | Ingress Tool Transfer | Kwampirs downloads additional files from C2 servers. (Citation: Symantec Security Center Trojan.Kwampirs) |
| Enterprise | T1082 | System Information Discovery | Kwampirs collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | Kwampirs establishes persistence by adding a new service with the display name "WMI Performance Adapter Extension" in an attempt to masquerade as a legitimate WMI service. (Citation: Symantec Orangeworm April 2018) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | Kwampirs uses rundll32.exe in a Registry value added to establish persistence. (Citation: Symantec Orangeworm April 2018) |
| Enterprise | T1057 | Process Discovery | Kwampirs collects a list of running services with the command |
| Enterprise | T1049 | System Network Connections Discovery | Kwampirs collects a list of active and listening connections by using the command |
| Enterprise | T1016 | System Network Configuration Discovery | Kwampirs collects network adapter and interface information by using the commands |
| Enterprise | T1201 | Password Policy Discovery | Kwampirs collects password policy information with the command |
| Enterprise | T1008 | Fallback Channels | Kwampirs uses a large list of C2 servers that it cycles through until a successful connection is established. (Citation: Symantec Orangeworm April 2018) |
| Enterprise | T1069.001 | Local Groups Sub-technique | Kwampirs collects a list of users belonging to the local users and administrators groups with the commands |
Groups, software, and campaigns
G0071: Orangeworm
Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.[1] Reverse engineering of Kwampirs, directly associated with Orangeworm activity, indicates significant functional and development overlaps with Shamoon.[2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 7621a6f0dbb9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Symantec Orangeworm April 2018: Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
[2] Cylera Kwampirs 2022: Pablo Rincón Crespo. (2022, January). The link between Kwampirs (Orangeworm) and Shamoon APTs. Retrieved February 8, 2024.
[3] Kwampirs (Citation: Symantec Orangeworm April 2018)
[4] mitre-attack: S0236
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.