S0236: Kwampirs

Kwampirs matters because ATT&CK describes it as a Windows backdoor Trojan associated with Orangeworm and observed on machines connected to high-tech medical imaging environments such as X-Ray and MRI systems. For leaders, the decision value is not just “malware exists”; it is whether clinical, biomedical, and enterprise Windows environments are monitored well enough to detect discovery, persistence, lateral movement over SMB/admin shares, and command-and-control behaviors before they affect operational resilience.

Executive priority

Prioritize Kwampirs as a healthcare and cyber-physical risk planning use case when Windows systems support or interact with medical imaging operations. Executives should ask whether biomedical/clinical networks are inventoried, segmented, logged, and included in incident response playbooks. The ATT&CK relationships emphasize discovery-heavy behavior, Windows service persistence, SMB/admin share lateral movement, fallback command channels, and tool transfer, which are all material to containment speed, audit evidence, and business continuity during a suspected intrusion.

Technical view

SOC and IR teams should validate coverage around the ATT&CK-linked behaviors rather than relying on a single malware indicator. On Windows, focus on unusual service creation or modification, masqueraded service names, rundll32-based execution, SMB/admin share access, network/share enumeration, process/service/account/group/password-policy discovery, file and directory enumeration, ingress file transfer, and alternate or fallback command-and-control paths. Because ATT&CK provides no official detection text for this malware object, detections should be behavior-led and correlated across endpoint, Windows event, identity, and network telemetry.

Likely telemetry

Windows service creation, modification, startup, and service binary path changes
Process creation telemetry, including rundll32.exe execution and command-line context where available
Windows Security logs for logon activity, administrative share access, account/group enumeration, and lateral movement indicators
Endpoint file telemetry for new binaries, encoded/encrypted artifacts, unusually padded binaries, and tool transfer activity
Network telemetry for SMB connections, remote host discovery, share enumeration, and external command-and-control communications

Detection direction

Map existing detections to the related ATT&CK techniques: T1543.003, T1036.004, T1218.011, T1021.002, T1007, T1016, T1018, T1049, T1057, T1069.001, T1069.002, T1082, T1083, T1087.001, T1105, T1135, T1140, T1201, T1008, T1027.001, and T1027.013.
Tune for sequences: discovery across users, groups, services, processes, files, network configuration, and shares followed by SMB/admin share activity, service persistence, or external file transfer.
Reduce false positives by baselining legitimate administrative software, biomedical engineering workflows, patching tools, and imaging-device management activity before alerting on discovery or SMB behavior alone.
Validate that medical imaging support systems are included in endpoint logging and network monitoring; these environments are often operationally sensitive and may have telemetry gaps.
Do not depend only on hashes or static signatures because ATT&CK relationships include binary padding and encrypted/encoded file behavior.

Mitigation priorities

Confirm inventory ownership for Windows systems supporting imaging devices and include them in risk reviews and incident response scope.
Segment clinical/imaging support networks from general enterprise access where operationally feasible, and tightly govern SMB/admin share use.
Harden and monitor Windows services, including service creation rights, service binary paths, and unexpected service names.
Review identity and access controls for local administrators, domain groups, and accounts able to access administrative shares.
Ensure endpoint, Windows event, and network logging are retained long enough to reconstruct discovery, lateral movement, persistence, and command-and-control activity.

Analyst notes and limits

ATT&CK identifies Kwampirs as a backdoor Trojan used by Orangeworm, observed on machines with software for high-tech imaging devices, and technically overlapping with Shamoon based on reverse engineering analysis. The strongest defensive value comes from treating it as a behavior cluster affecting Windows, discovery, SMB lateral movement, service persistence, obfuscation, and command-and-control resilience.

ATT&CK provides no official detection guidance for this malware object, no explicit malware-level tactics, no aliases, and only Windows as the supplied platform. This take does not assert current activity, customer exposure, guaranteed detection, or impact. Local asset inventory, clinical workflow context, and telemetry validation are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

Kwampirs

Kwampirs is a backdoor Trojan used by Orangeworm. Kwampirs has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines.[1] Kwampirs has multiple technical overlaps with Shamoon based on reverse engineering analysis.[2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 22 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1069.002	Domain Groups Sub-technique	Kwampirs collects a list of domain groups with the command `net localgroup /domain`.[1]
Enterprise	T1087.001	Local Account Sub-technique	Kwampirs collects a list of accounts with the command `net users`.[1]
Enterprise	T1135	Network Share Discovery	Kwampirs collects a list of network shares with the command `net share`.[1]
Enterprise	T1140	Deobfuscate/Decode Files or Information	Kwampirs decrypts and extracts a copy of its main DLL payload when executing.[1]
Enterprise	T1007	System Service Discovery	Kwampirs collects a list of running services with the command `tasklist /svc`.[1]
Enterprise	T1083	File and Directory Discovery	Kwampirs collects a list of files and directories in C:\ with the command `dir /s /a c:\ >> "C:\windows\TEMP\[RANDOM].tmp"`.[1]
Enterprise	T1027.013	Encrypted/Encoded File Sub-technique	Kwampirs downloads additional files that are base64-encoded and encrypted with another cipher.CitationSymantec Security Center Trojan.Kwampirs
Enterprise	T1543.003	Windows Service Sub-technique	Kwampirs creates a new service named WmiApSrvEx to establish persistence.[1]
Enterprise	T1033	System Owner/User Discovery	Kwampirs collects registered owner details by using the commands `systeminfo` and `net config workstation`.[1]
Enterprise	T1018	Remote System Discovery	Kwampirs collects a list of available servers with the command `net view`.[1]
Enterprise	T1021.002	SMB/Windows Admin Shares Sub-technique	Kwampirs copies itself over network shares to move laterally on a victim network.[1]
Enterprise	T1027.001	Binary Padding Sub-technique	Before writing to disk, Kwampirs inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.[1]
Enterprise	T1105	Ingress Tool Transfer	Kwampirs downloads additional files from C2 servers.CitationSymantec Security Center Trojan.Kwampirs
Enterprise	T1082	System Information Discovery	Kwampirs collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands `systeminfo`, `net config workstation`, `hostname`, `ver`, `set`, and `date /t`.[1]
Enterprise	T1036.004	Masquerade Task or Service Sub-technique	Kwampirs establishes persistence by adding a new service with the display name "WMI Performance Adapter Extension" in an attempt to masquerade as a legitimate WMI service.[1]
Enterprise	T1218.011	Rundll32 Sub-technique	Kwampirs uses rundll32.exe in a Registry value added to establish persistence.[1]
Enterprise	T1057	Process Discovery	Kwampirs collects a list of running services with the command `tasklist /v`.[1]
Enterprise	T1049	System Network Connections Discovery	Kwampirs collects a list of active and listening connections by using the command `netstat -nao` as well as a list of available network mappings with `net use`.[1]
Enterprise	T1016	System Network Configuration Discovery	Kwampirs collects network adapter and interface information by using the commands `ipconfig /all`, `arp -a` and `route print`. It also collects the system's MAC address with `getmac` and domain configuration with `net config workstation`.[1]
Enterprise	T1201	Password Policy Discovery	Kwampirs collects password policy information with the command `net accounts`.[1]
Enterprise	T1008	Fallback Channels	Kwampirs uses a large list of C2 servers that it cycles through until a successful connection is established.[1]
Enterprise	T1069.001	Local Groups Sub-technique	Kwampirs collects a list of users belonging to the local users and administrators groups with the commands `net localgroup administrators` and `net localgroup users`.[1]

Associated objects

Groups, software, and campaigns

G0071: Orangeworm

Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.[1] Reverse engineering of Kwampirs, directly associated with Orangeworm activity, indicates significant functional and development overlaps with Shamoon.[2]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.2
Created: Oct 17, 2018, 00:14 UTC (UTC+00:00)
Modified: Apr 11, 2024, 01:44 UTC (UTC+00:00)
Raw hash: 7621a6f0dbb97861...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	Jun 3, 2026, 07:54 UTC (UTC+00:00)	1.2	Apr 11, 2024, 01:44 UTC (UTC+00:00)	Current bundle	`7621a6f0dbb9…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Symantec Orangeworm April 2018

Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
Open source URL
[2]
Cylera Kwampirs 2022

Pablo Rincón Crespo. (2022, January). The link between Kwampirs (Orangeworm) and Shamoon APTs. Retrieved February 8, 2024.
Open source URL
[3]
Kwampirs

(Citation: Symantec Orangeworm April 2018)
[4]
mitre-attack S0236
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams