Kwampirs is a custom backdoor trojan used to gain remote access to compromised computers. When executed, the trojan decrypts and extracts a copy of its main DLL payload. It then inserts a randomly generated string into the middle of the decrypted payload prior to writing the payload to disk, in order to evade hash-based detections. Kwampirs creates a service to ensure its main payload is loaded into memory upon system reboot to maintain persistence. The trojan collects basic information about the compromised system and uses this to determine if the victim is a high-value target. If so, it copies the trojan across open network shares to infect additional systems. The threat actors behind the trojan then collect additional data on the devices and network. The trojan beacons out to a list of C2 servers in order to find an active one. A group dubbed "Orangeworm" has deployed the trojan to target organizations in the healthcare sector or other entities providing services to healthcare organizations.


  • April 2018: Kwapirs trojans was used to target organizations in the healthcare sector by threat group "Orangeworm." (Symantec)

Technical Details

  • Symantec provides technical details on the Kwampirs trojan, here.