Clankerusecase
Threat-actor profile

🌐 Orangeworm

🌐 Orangeworm is a tracked threat actor in the Clankerusecase corpus. Alignment: not recorded. Primary motivation: Unknown. We map 12 detection use cases to this actor across 2 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

MITRE ATT&CK group: G0071

- Use cases: 12
- Articles: 0
- Techniques: 2
- IOCs: 0

About this actor (MITRE)

[Orangeworm](https://attack.mitre.org/groups/G0071) is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage (Symantec, Orangeworm, April 2018). Reverse engineering of [Kwampirs](https://attack.mitre.org/software/S0236), directly associated with [Orangeworm](https://attack.mitre.org/groups/G0071) activity, indicates significant functional and development overlaps with [Shamoon](https://attack.mitre.org/software/S0140) (Cylera, Kwampirs, 2022).

Known aliases

Orangeworm

Top techniques

Detection use cases (12)

Each of the following use cases is mapped to this actor via a MITRE ATT&CK technique match:

- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes
- Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection (post-RCE command execution)
- Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes
- Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access
- Server / AI-agent process spawns shell or LOLBIN with public egress (post-RCE behavioural chain)
- Beaconing: periodic outbound to small set of destinations
- Remote service execution: PsExec / SMB lateral movement
- Detect PsExec With accepteula Flag
- Executable File Written in Administrative SMB Share
- Impacket Lateral Movement Commandline Parameters
- Impacket Lateral Movement smbexec CommandLine Parameters
- Impacket Lateral Movement WMIExec Commandline Parameters