Mallory
3 malware families

Orangeworm

Also known as: Orangeworm

Orangeworm is a threat actor that has frequently targeted the healthcare sector. According to reporting, awareness of the group first surfaced in January 2015, and in May 2018 it was implicated in deploying the custom backdoor Trojan.Kwampirs inside large international healthcare organizations in the United States, Europe, and Asia. The group has also conducted targeted attacks against pharmaceuticals and healthcare IT solution providers. Kwampirs provides remote access to target systems; it decrypts and extracts its main DLL payload from its resource section and inserts a randomly generated string into the decrypted payload before writing it to disk, so that every dropped copy carries a different file hash and exact hash-based detection does not match it. The malware reportedly spread quickly within victim networks and infected systems used to control medical devices, including MRI and X-ray machines. Reporting also associates Orangeworm with the use of HTTP for command and control, SMB/Windows Admin Shares for lateral movement, account discovery, network share discovery, and Windows service abuse including sc.exe-based service manipulation. No additional aliases or sub-groups are reported.
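The paragraph above says the dropper inserts a random string into the decrypted payload before writing it, which is enough to defeat a detection that compares the file's hash against a published list. The following example is added here for illustration and is not part of the original page or of any vendor's tooling; it uses a constructed stand-in payload (no real Kwampirs bytes) and assumes an analyst has already identified the two stable byte strings that bracket the variable region. It shows that exact SHA-256 matching fails on the second dropped copy, while a normalized hash that blanks the variable region, and a YARA-style signature on the stable strings, still match both copies.

```python
import hashlib
import re
import secrets

# Constructed stand-in for a decrypted DLL payload. The bytes are invented
# for this example; the "<<RND>>" placeholder marks where a dropper of the
# kind described above writes its per-instance random string.
PAYLOAD_TEMPLATE = (
    b"MZ\x90\x00"                        # PE-style magic, purely cosmetic here
    b"CONSTRUCTED_SAMPLE_BODY_PART_1"
    b"<<RND>>"
    b"CONSTRUCTED_SAMPLE_BODY_PART_2"
)

# Assumption: prior analysis showed that these two strings are constant across
# dropped copies and that everything between them is the injected random data.
STABLE_STRINGS = [b"CONSTRUCTED_SAMPLE_BODY_PART_1", b"CONSTRUCTED_SAMPLE_BODY_PART_2"]
VARIABLE_REGION = re.compile(
    rb"(?<=CONSTRUCTED_SAMPLE_BODY_PART_1).*?(?=CONSTRUCTED_SAMPLE_BODY_PART_2)", re.S
)


def drop_instance(random_token: bytes) -> bytes:
    """Model of the dropper step: the same decrypted payload is written to disk
    with a different random string each time."""
    return PAYLOAD_TEMPLATE.replace(b"<<RND>>", random_token)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def exact_hash_hit(sample: bytes, known_hashes: set[str]) -> bool:
    """Classic indicator match: whole-file hash against a published list."""
    return sha256_hex(sample) in known_hashes


def normalized_sha256(sample: bytes) -> str:
    """Hash of the sample with the analyst-identified variable region replaced
    by a fixed marker, so two copies that differ only there hash the same."""
    return sha256_hex(VARIABLE_REGION.sub(b"<VAR>", sample, count=1))


def signature_hit(sample: bytes) -> bool:
    """YARA-style content rule: all stable strings must be present."""
    return all(s in sample for s in STABLE_STRINGS)


def demo() -> dict:
    """Drop two copies, publish the hash of the first, test the second."""
    first = drop_instance(secrets.token_hex(8).encode())
    second = drop_instance(secrets.token_hex(8).encode())
    published = {sha256_hex(first)}  # what a hash-only feed would carry
    return {
        "exact_hash_differs": sha256_hex(first) != sha256_hex(second),
        "exact_hash_hit_on_second": exact_hash_hit(second, published),
        "normalized_hash_matches": normalized_sha256(first) == normalized_sha256(second),
        "signature_hit_on_second": signature_hit(second),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway for detection engineering is that a per-instance random string only breaks indicators that cover the whole file; hashes computed over the stable parts of the payload, or content rules over the stable strings, survive it. In practice the variable region is found by diffing several dropped copies, which is the analyst step this example assumes has already been done.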

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

MITRE ATT&CK

Tradecraft

19 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

12 of 15 tactics, 32 techniques. ×N = number of intelligence reports citing this technique.

TA0043 Reconnaissance (1 technique)
  T1595 Active Scanning

TA0042 Resource Development (2 techniques)
  T1587 Develop Capabilities
    T1587.002 Code Signing Certificates
  T1588 Obtain Capabilities
    T1588.004 Digital Certificates

TA0001 Initial Access (1 technique)
  T1190 Exploit Public-Facing Application

TA0002 Execution (3 techniques)
  T1047 Windows Management Instrumentation ×2
  T1059 Command and Scripting Interpreter
    T1059.003 Windows Command Shell
  T1559 Inter-Process Communication ×2

TA0003 Persistence (1 technique)
  T1543 Create or Modify System Process
    T1543.003 Windows Service ×4

TA0004 Privilege Escalation (2 techniques)
  T1055 Process Injection ×2
  T1543 Create or Modify System Process
    T1543.003 Windows Service ×4

TA0005 Stealth (2 techniques)
  T1027 Obfuscated Files or Information
  T1055 Process Injection ×2

TA0006 Credential Access (2 techniques)
  T1187 Forced Authentication
  T1557 Adversary-in-the-Middle
    T1557.001 Name Resolution Poisoning and SMB Relay

TA0008 Lateral Movement (1 technique)
  T1021 Remote Services
    T1021.002 SMB/Windows Admin Shares ×9
    T1021.003 Distributed Component Object Model ×2

TA0009 Collection (1 technique)
  T1557 Adversary-in-the-Middle
    T1557.001 Name Resolution Poisoning and SMB Relay

TA0011 Command and Control (4 techniques)
  T1071 Application Layer Protocol
    T1071.001 Web Protocols ×11
  T1105 Ingress Tool Transfer
  T1219 Remote Access Tools ×2
  T1573 Encrypted Channel
    T1573.002 Asymmetric Cryptography ×2

TA0010 Exfiltration (1 technique)
  T1041 Exfiltration Over C2 Channel

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (19)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (3)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.