Security Experts:

Connect with us

Hi, what are you looking for?



FBI Warns of Ongoing Kwampirs Attacks Targeting Global Industries

A malicious campaign is targeting organizations from a broad range of industries with a piece of malware known as Kwampirs, the Federal Bureau of Investigation warns.

A malicious campaign is targeting organizations from a broad range of industries with a piece of malware known as Kwampirs, the Federal Bureau of Investigation warns.

Initially detailed in 2018, the malware is a custom backdoor associated with a threat actor tracked as Orangeworm, which has been active since at least 2015, mainly targeting organizations in the healthcare sector, but also launching attacks on industries somewhat related to healthcare, including IT, manufacturing, and logistics.

Attacks involving the Kwampirs Remote Access Trojan (RAT), the FBI says, have been ongoing since 2016, targeting healthcare, software supply chain, energy, and engineering organizations in the United States, Europe, Asia, and the Middle East. Financial institutions and prominent law firms were also targeted.

According to the FBI’s alert, while the backdoor does not include a wiper or destructive module components, there are code-based similarities with the data destruction malware Disttrack, which is better known as Shamoon.

The malware has been successfully employed in assaults on healthcare entities worldwide, including major transnational healthcare companies and local hospital organizations. In some cases, the infections spread across the enterprise networks, the FBI’s alert reads (PDF).

“The FBI assesses Kwampirs actors gained access to a large number of global hospitals through vendor software supply chain and hardware products. Infected software supply chain vendors included products used to manage industrial control system (ICS) assets in hospitals,” the agency says.

The two-phased attacks start with the threat actor establishing broad and persistent access to the target network to ensure secondary payloads can be deployed and executed. Next, the attackers deliver additional Kwampirs components or payloads to further exploit the infected hosts.

Stealth has allowed the threat actor to maintain access to the infected networks for a long period of time, in some cases of up to 3 years. The attackers were also observed deploying a targeted module for detailed reconnaissance.

From the compromised networks, the attackers harvested information on primary and secondary domain controllers, engineer servers used to develop and test ICS products and instruments, software development servers storing source code, and file servers used as shared repositories for research and development (R&D).

Targeted supply-chain vendors provide multi-industry imaging business products and services, co-develop products with worldwide software companies and organizations in the enterprise resource planning (ERP) industry, and provide products and services supporting ICS maintenance functions.

Infections occur during mergers and acquisitions (spreading from one company to the other); during co-development processes, via shared resources; and via infected devices from supply-chain vendors that are installed on the customer LAN or cloud infrastructure.

“Kwampirs campaign actors have targeted companies in the imaging industry, to include networked scanner and copier-type devices, with domain access to customer networks. The FBI assesses these imaging vendors are targeted to gain access to customer networks, including remote or cloud management access, which could permit lateral CNE movement within victim networks,” the FBI says.

The alert also underlines the fact that the Kwampirs RAT’s modular design allows the attackers to engage in additional network exploitation activities through secondary modules. Moreover, these modules might not be remediated by endpoint protection solutions, the FBI also says.

Organizations that might have been infected are advised to contact their cybersecurity vendor and coordinate mitigation efforts with the FBI. In order to assist the agency, victims have been instructed to capture network traffic, create images of the infected hosts, capture web proxy logs and DNS and firewall logs, identify hosts communicating with C&C servers, and identify patient zero and attack vectors.

Related: ‘Orangeworm’ Cyberspies Target Healthcare Sector in US, Europe, Asia

Related: IoT Devices at Major Manufacturers Infected With Malware via Supply Chain Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.