TIARAS - Orangeworm

Threat Actor Profile

High APT

Description

Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.(Citation: Symantec Orangeworm April 2018) Reverse engineering of Kwampirs, directly associated with Orangeworm activity, indicates significant functional and development overlaps with Shamoon.(Citation: Cylera Kwampirs 2022)

Confidence Score

90%

Known Aliases

Orangeworm

First Seen

Unknown

Last Updated

Unknown

Active Status

Active

Created

April 29, 2026

MITRE ATT&CK Techniques (2)

T1071.001 - Web Protocols

Command and Control

T1021.002 - SMB/Windows Admin Shares

Lateral Movement

Indicators of Compromise

Loading IOCs…

IOC KQL for Sentinel

STIX Data

{'aliases': ['Orangeworm'],
 'created': '2018-10-17T00:14:20.652Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Orangeworm](https://attack.mitre.org/groups/G0071) is a '
                'group that has targeted organizations in the healthcare '
                'sector in the United States, Europe, and Asia since at least '
                '2015, likely for the purpose of corporate '
                'espionage.(Citation: Symantec Orangeworm April 2018) Reverse '
                'engineering of '
                '[Kwampirs](https://attack.mitre.org/software/S0236), directly '
                'associated with '
                '[Orangeworm](https://attack.mitre.org/groups/G0071) activity, '
                'indicates significant functional and development overlaps '
                'with '
                '[Shamoon](https://attack.mitre.org/software/S0140).(Citation: '
                'Cylera Kwampirs 2022)',
 'external_references': [{'external_id': 'G0071',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0071'},
                         {'description': '(Citation: Symantec Orangeworm April '
                                         '2018)',
                          'source_name': 'Orangeworm'},
                         {'description': 'Pablo Rincón Crespo. (2022, '
                                         'January). The link between Kwampirs '
                                         '(Orangeworm) and Shamoon APTs. '
                                         'Retrieved February 8, 2024.',
                          'source_name': 'Cylera Kwampirs 2022',
                          'url': 'https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf'},
                         {'description': 'Symantec Security Response Attack '
                                         'Investigation Team. (2018, April '
                                         '23). New Orangeworm attack group '
                                         'targets the healthcare sector in the '
                                         'U.S., Europe, and Asia. Retrieved '
                                         'May 8, 2018.',
                          'source_name': 'Symantec Orangeworm April 2018',
                          'url': 'https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia'}],
 'id': 'intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1',
 'modified': '2024-04-10T21:33:28.444Z',
 'name': 'Orangeworm',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT '
                          'Centre'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '2.0'}