• The attack campaign uses the Kwampirs RAT to infect companies.
  • The Kwampirs malware was first reported by Symantec in April 2018.

The Federal Bureau of Investigation (FBI) has released a new security alert about an ongoing hacking campaign that targets companies in the Industrial Control System (ICS) sector.

What’s the matter?

As reported by ZDNet, the FBI has disclosed that threat actors behind the campaign are attempting to infect companies, especially those in the energy sector with Kwampirs RAT.

The Kwampirs malware was first reported by Symantec in April 2018. At that time, Symantec had said a group named Orangeworm had used the malware to target supply chain companies that provided software for the healthcare sector.

The threat actor group had been in operation since 2015 and was focused on the healthcare industry primarily.

What is new about the ongoing attacks?

The alert sent out by the FBI warns that the ongoing attacks are similar to the one carried out in 2018. However, the attacks have now evolved to target companies in the ICS sector.

Furthermore, the FBI claims that new evidence from code analysis suggests that Kwampirs contains numerous similarities with Shamoon, an infamous data-wiping malware developed by APT33, an Iranian-linked hacking group.

"While the Kwampirs RAT has not been observed incorporating a wiper component, comparative forensic analysis has revealed the Kwampirs RAT as having numerous similarities with the data destruction malware Disttrack (commonly known as Shamoon)," the FBI said, ZDNet reported.


The alert does not identify the targeted companies, nor any other victims. Instead, the FBI has shared IOCs (Indicators of Compromise) and YARA rules to detect Kwampirs RAT infection. The FBI has urged companies to scan networks for any sign of Kwampirs and stay safe from the ongoing attacks.

Cyware Publisher