
Cyber Threat Hunting in Healthcare, Part 2: File Infectors, Botnets

Amine Amri, Sai Molige, Daniel dos Santos, and Forescout Research - Vedere Labs | March 11, 2025

In our previous investigation, we uncovered a new campaign by the Chinese threat actor Silver Fox which abused Philips DICOM viewers to infect victims with a backdoor trojan. This discovery emerged from a threat hunt for malicious software on VirusTotal (VT).

In this follow-up analysis, we expand on our search methodology, showing how we searched for malware on VT. We leveraged eyeInspect’s and REM’s list of default credentials – along with a database of the most popular medical software names observed in healthcare environments – to identify malware exhibiting the following behaviors:

  • Masquerading as legitimate healthcare applications by abusing known software names.
  • Exploiting medical system credentials to gain initial access.
  • Interacting with medical devices by abusing healthcare protocols, such as DICOM and HL7.

Key Threat Hunt Findings

Our analysis revealed three significant malware clusters targeting healthcare systems:

  1. A cluster of Siemens syngo fastView DICOM viewers infected with Floxif/Pioneer.
  2. A sample of Mindray Central Monitoring Station (CMS) infected with “Panda Burning Incense”. This CMS communicates with patient monitors using an IP address recently flagged by CISA and the FDA as a potential Chinese backdoor.
  3. Two botnet samples abusing credentials for GE Healthcare MUSE Cardiology Information Systems (CIS).

These findings emphasize how IT malware frequently exploits healthcare systems, either by targeting them directly or by infecting weak systems that interact with medical devices. Encouragingly, we found no malware samples directly abusing DICOM or HL7, which is good news for clinical network defenders.

Below, we analyze each of these findings in detail, explore their implications for healthcare security, link this research with our previous findings on risky medical systems, and provide mitigation recommendations for Healthcare Delivery Organizations (HDOs).


Portable Executable Infectors in Medical Software

The first set of results includes two clusters of files infected with Portable Executable (PE) infectors – a type of malware that appends malicious code to legitimate Windows executables to facilitate further compromise.
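As an added illustration of what an appending PE infector leaves behind in a file (example code written for this edit, not Forescout's tooling and not a signature for Floxif or any specific family), the script below parses the PE section table with only the standard library and applies a common triage heuristic: an entry point that lands in the last section, in a section that is both writable and executable, in a section not flagged as code, or outside every section is worth a closer look, as is trailing overlay data. The two sample files are constructed in memory; their section names, addresses and sizes are assumptions chosen to exercise the checks, and neither is a real program.

```python
import struct
from dataclasses import dataclass

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_pointer: int
    raw_size: int
    characteristics: int

    def contains_rva(self, rva):
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span


def parse_pe(data):
    """Return (AddressOfEntryPoint, [Section, ...]) from a PE32/PE32+ file image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24                                      # optional header follows the 20-byte COFF header
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]    # AddressOfEntryPoint (same offset in PE32 and PE32+)
    sec_off = opt_off + opt_size
    sections = []
    for i in range(num_sections):
        off = sec_off + i * 40                                  # 40-byte IMAGE_SECTION_HEADER entries
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(Section(name, vaddr, vsize, rptr, rsize, chars))
    return entry, sections


def assess(data):
    """Appending-infector triage heuristic; returns a list of findings (empty means nothing odd)."""
    entry, sections = parse_pe(data)
    findings = []
    host = next((s for s in sections if s.contains_rva(entry)), None)
    if host is None:
        return ["entry point 0x%x lies outside every section" % entry]
    if len(sections) > 1 and host is sections[-1]:
        findings.append("entry point in last section '%s'" % host.name)
    if not host.characteristics & IMAGE_SCN_CNT_CODE:
        findings.append("entry point section '%s' is not flagged as code" % host.name)
    if host.characteristics & IMAGE_SCN_MEM_WRITE and host.characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry point section '%s' is writable and executable" % host.name)
    image_end = max(s.raw_pointer + s.raw_size for s in sections)
    if len(data) > image_end:
        findings.append("%d bytes of overlay after the last section" % (len(data) - image_end))
    return findings


def build_pe(sections, entry_point, overlay=b""):
    """Assemble a constructed, minimal PE32 file image for testing: valid headers, zero-filled section bodies."""
    opt_size = 224                                              # size of IMAGE_OPTIONAL_HEADER32
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)
    table = b"".join(
        s.name.encode().ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", s.virtual_size, s.virtual_address, s.raw_size,
                      s.raw_pointer, 0, 0, 0, 0, s.characteristics)
        for s in sections)
    image = bytearray(dos + b"PE\0\0" + coff + opt + table)
    for s in sections:                                          # pad so every section's raw data exists
        end = s.raw_pointer + s.raw_size
        if len(image) < end:
            image.extend(b"\0" * (end - len(image)))
    return bytes(image) + overlay


# Constructed layouts (assumed values): a plain two-section binary, and the same binary with an
# appended writable code section that now holds the entry point, the shape an appending infector produces.
TEXT = Section(".text", 0x1000, 0x1F0, 0x200, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
DATA = Section(".data", 0x2000, 0x100, 0x400, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
EXTRA = Section(".xtra", 0x3000, 0x300, 0x600, 0x400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)

CLEAN_SAMPLE = build_pe([TEXT, DATA], 0x1100)
INFECTED_SAMPLE = build_pe([TEXT, DATA, EXTRA], 0x3010)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(label, assess(sample) or ["no findings"])
```

The heuristic is deliberately conservative in what it claims: packers, installers and some compilers also produce last-section entry points or overlays, so a finding is a reason to pull the file into sandbox analysis and compare its hash against vendor-published values, not a verdict on its own.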

During our analysis, we discovered 19 instances of Siemens syngo fastView DICOM viewers infected with Floxif/Pioneer.

Siemens syngo fastView is typically distributed to patients alongside their medical imaging results, allowing them to view DICOM images on a personal Windows workstation. This software is not intended for use on medical workstations. It is also no longer maintained by Siemens and is known to contain vulnerabilities.

Floxif/Pioneer is a backdoor that infects executable and DLL files, enabling it to download and execute further malware on the victim’s system. It was initially discovered in 2012 and gained notoriety when it was used to distribute a trojanized version of the CCleaner utility in 2017. In 2021, it was identified in OT/ICS environments, though no confirmed targeted infections were reported.

All infected samples were submitted to VT from the US or Canada between November and December 2024.

We also identified one instance of a Mindray CMS infected with Panda Burning Incense/Fujacks. This CMS is a hospital software application that connects to multiple patient monitors and centralizes patient vitals and diagnostics.

Panda Burning Incense is a Chinese worm originally developed in 2006. It infected over 10 million devices before its creators were arrested in 2007. An updated version emerged in 2009 and the malware was last observed infecting enterprise systems in 2019.

The sample we identified was submitted in 2022 from the United States and exhibits behavior identical to the 2019 variant, specifically: downloading additional malware from 9z9t[.]com and reporting the infection to daohang08[.]com. As of this writing, the first domain no longer resolves to an IP address, but the second currently resolves to 154.85.233[.]136, a Hong Kong-based IP address.

CISA has flagged the Mindray CMS default connection behavior as a potential security risk. This CMS connects to patient monitors using the IP address 202.114.4[.]119, which was previously cited by CISA as a possible Chinese backdoor. While this behavior is not inherently malicious – the same IP address is used across multiple patient monitors and CMSs by default – CISA has warned that this configuration could expose patient monitors to remote code execution (RCE) risks.

As observed in a similar hunt in OT environments, we cannot confirm whether these infections were specifically targeted at healthcare environments. This type of malware is relatively old and can spread through multiple vectors, including other infected files downloaded from the internet, infected USB drives used for file transfers, or via networks compromised due to poor segmentation between IT and medical systems.

The infections in the DICOM viewer samples most likely occurred on patients’ personal computers, as that is the intended use case for the software. In contrast, the infection observed in the CMS is more likely to have originated within a healthcare facility where the software is actively used to monitor patient data.


Botnets Targeting GE Healthcare MUSE

Our second key finding involves botnet samples that exploit the default password for the GE Healthcare MUSE Cardiology Information System.

However, these botnet samples are ELF binaries, meaning they cannot execute on the Windows-based systems that host the MUSE application. Instead, these samples likely function as “vulnerability collectors”, scanning for exposed or misconfigured systems and reporting findings to a command and control (C2) server or human operator. Once a system is identified, an attacker could then deploy additional tools to compromise it further.

MUSE is widely used in healthcare organizations to streamline cardiac data management by facilitating the delivery, distribution and analysis of critical electrocardiogram (ECG) data. It aggregates cardiac measurements, diagnostic text interpretations and digitized ECG.

Given its role in storing and analyzing patient cardiac data, unauthorized access to MUSE systems could pose significant security and privacy risks for healthcare organizations.

The two samples found exploiting credentials for this system are listed below:

Sample | Downloader IP | Submissions
d6155a83e85dad5f8e66267c99bc6152dff5a5f53ec67ccd3b8cf1f1a0193b73 | 141.98.11[.]96 | US, Turkey & Germany; six times between March and July 2024
97f71348c5ebc187091ec61860110473ab4f2ca78dcae9890e5fbec5c45ad4be | 91.234.99[.]177 | South Korea, twice in 2019; US, twice in 2024, between April and July

The two botnet samples identified in our analysis are classified on VT as Mirai/Gafgyt variants. However, the second sample exhibits characteristics consistent with AirDropBot (also known as CloudBot), based on its original filename (“sh4.cloudbot”) and strings present in the sample, such as “airdropmalware” and “cloudbot storing your data in the clouds”.

Beyond the IP addresses hosting these samples (listed in the table above), the second sample also contains an embedded domain name, stresser[.]pw, and two embedded IP addresses, 185.244.25[.]200 and 185.244.25[.]202.

These indicators suggest that the second botnet sample may be linked to DDoS-for-hire services (a.k.a. booters/stressers) commonly associated with AirDropBot-based malware campaigns.


Mitigation Recommendations

Our previous and current threat hunts have identified multiple threat types relevant to healthcare organizations, including:

  • Infected DICOM viewers are likely targeting patients rather than hospitals directly.
    Beyond our findings in this blog and the previous threat hunt, DICOM viewers have been abused in at least one campaign in 2024. These applications are either compromised by common IT malware or used as lures for sophisticated APT attacks. While an infected DICOM viewer may seem like a greater risk to patients, real-world scenarios – such as patients bringing their own devices into hospitals for diagnosis, or emerging hospital-at-home programs – demonstrate how these infections could spread beyond a personal workstation and serve as an initial access vector for healthcare organizations.
  • Malware targeting hospital systems, such as CMS and CIS.
    The infected CMS sample and the botnets targeting CIS highlight that healthcare-specific systems are also vulnerable, not just patient devices. The infected CMS sample was likely from a real hospital and contained a decades-old worm, suggesting it probably runs a decades-old operating system, is connected to the internet, and is highly susceptible to many other, more modern attacks – a major risk considering it controls multiple patient monitors.

Beyond these individual findings, our research reinforces key healthcare cybersecurity challenges. Threats originate both inside and outside HDOs. DICOM remains a high-risk protocol, as discussed in our recent report, due to its extensive use across interconnected systems within hospitals, including regular workstations and medical devices.

To minimize cybersecurity risks and enhance resilience, we recommend the following risk mitigation actions for HDOs:

  • Identify and classify every asset
    HDOs must often contend with medical devices running legacy operating systems, making them inherently vulnerable to attacks. HDOs must first identify and classify all connected devices to assess their risk exposure. Devices that cannot be retired or patched should be segmented appropriately to restrict access to only critical information and services.
  • Limit external communications and implement effective segmentation
    Network flow mapping is essential for designing effective segmentation zones separating IT, IoT, OT and IoMT devices. Mapping communications not only helps create segmentation zones but also provides insight into external and internet-facing connections. This approach can identify unintended external communications, helping to prevent unauthorized access and lateral movement within the network.
  • Monitor all network traffic and endpoint telemetry for threat detection
    Network packets may contain malicious payloads, including attempts to exploit vulnerabilities or drop malware on healthcare systems. Endpoint telemetry can reveal the presence of malicious files or anomalous system behavior. Correlating network and endpoint signals allows defenders to detect and respond to threats faster and more effectively.


IoCs

IoC | Description
d7a79484965a3425c2ab4750d1283e80f9903b023f65aed347f0329818189d2d | Floxif infected Siemens syngo fastView
3bb1a8ef950e79184585eff7c44f15b6cbef66d90c128a69070e2ca0b2db50f6 | Floxif infected Siemens syngo fastView
b2fc6d4e65e42174c09fb2d3ff902e7e31408fe36617e3e53c543418f3a9fc21 | Floxif infected Siemens syngo fastView
975b9b27760f8b6db9874c6c74e7eee9122e7c8cd663f7212acc4a9edaf8222b | Floxif infected Siemens syngo fastView
178a0b90512f4013a7c6577e4595a89e5d8d6f8c8a85f672424dffa6c79d776f | Floxif infected Siemens syngo fastView
94951a1f9830d7a97286b5cc5a9b01b12c143e5c6d7aa9226642ed6507ab9d12 | Floxif infected Siemens syngo fastView
a545d8993f069a237627c8fbcad60629404d61460efcdf084a8d276a90c57258 | Floxif infected Siemens syngo fastView
d953b7cd781a0a3c31b8770b3179bdd1612f4ac058f8f78f2934c914457def92 | Floxif infected Siemens syngo fastView
7fb44d3a60fedc6c9eb00bf51316d07aadf7e4062495ec917605b04c0b966db5 | Floxif infected Siemens syngo fastView
a614796e796b3691a6c4175082d4d42246ebb0d36ac7bab311b3964f54749e4e | Floxif infected Siemens syngo fastView
38b61236407f4f28ee4d5b7798d1d6f5f3fc8cf937b9fc54c07d75464810ebc3 | Floxif infected Siemens syngo fastView
8c570534b77d41bcacf1d2ecc7aec75c4ece59a80f0241f450a72e7de89c35c1 | Floxif infected Siemens syngo fastView
6f91a07e48d01858ee308ef430c6dae3694d540687c2341e427b340dbfd31c32 | Floxif infected Siemens syngo fastView
9363f5e74acfccc83762e17076ce18e4079430dca2352a4d37a210303380e23c | Floxif infected Siemens syngo fastView
975ab3b9b306cada378bed98b68368cbf389c718767b91fde67df154c1e6417c | Floxif infected Siemens syngo fastView
61f640364ab398db7d32c87585481d3b34578324491c6070cc45d2ddd2faea1d | Floxif infected Siemens syngo fastView
29b30fd8e8dfe1308df164298b6dee16960c7f5b8cd70098ef542a8506c91ece | Floxif infected Siemens syngo fastView
e375646b471b137a9c65a444acc4d50153600e6d6cd0e995d7d569b05791bfce | Floxif infected Siemens syngo fastView
3d6a6cfb19e1e1a9cf8c9cd56b7477ecfed2de3acacd7b90345b3eba6c324ac8 | Floxif infected Siemens syngo fastView
447a3b7a4b549fd237e31b4a833466690dfa75c12104e6d5bdac80d6c321336a | Fujacks infected Mindray CMS
9z9t[.]com | Domain name used by Fujacks
daohang08[.]com | Domain name used by Fujacks
d6155a83e85dad5f8e66267c99bc6152dff5a5f53ec67ccd3b8cf1f1a0193b73 | Botnet abusing GE Healthcare MUSE credentials
97f71348c5ebc187091ec61860110473ab4f2ca78dcae9890e5fbec5c45ad4be | Botnet abusing GE Healthcare MUSE credentials
141.98.11[.]96 | Downloader IP address for botnet abusing GE Healthcare MUSE credentials
91.234.99[.]177 | Downloader IP address for botnet abusing GE Healthcare MUSE credentials
185.244.25[.]200 | C2 IP address for botnet abusing GE Healthcare MUSE credentials
185.244.25[.]202 | C2 IP address for botnet abusing GE Healthcare MUSE credentials
stresser[.]pw | Domain name used by botnet abusing GE Healthcare MUSE credentials
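As an added example tied to the “Monitor all network traffic and endpoint telemetry” recommendation above (written for this edit, not Forescout product logic), the script below refangs the indicators from this table, classifies each as a SHA-256 hash, IP address or domain, and sweeps a handful of DNS, connection and file-hash log lines for matches, treating subdomains of a listed domain as hits. The indicators are copied from the table (one Floxif hash stands in for the full list of 19); the log lines, client addresses, host names and file paths are constructed for the demonstration and are not from the post.

```python
import ipaddress
import re

# Indicators copied from the IoC table in this post, kept defanged as published.
# Only one Floxif hash is included here; a real sweep would load all 19.
DEFANGED_IOCS = {
    "d7a79484965a3425c2ab4750d1283e80f9903b023f65aed347f0329818189d2d": "Floxif infected Siemens syngo fastView",
    "447a3b7a4b549fd237e31b4a833466690dfa75c12104e6d5bdac80d6c321336a": "Fujacks infected Mindray CMS",
    "9z9t[.]com": "Domain name used by Fujacks",
    "daohang08[.]com": "Domain name used by Fujacks",
    "d6155a83e85dad5f8e66267c99bc6152dff5a5f53ec67ccd3b8cf1f1a0193b73": "Botnet abusing GE Healthcare MUSE credentials",
    "97f71348c5ebc187091ec61860110473ab4f2ca78dcae9890e5fbec5c45ad4be": "Botnet abusing GE Healthcare MUSE credentials",
    "141.98.11[.]96": "Downloader IP address for botnet abusing GE Healthcare MUSE credentials",
    "91.234.99[.]177": "Downloader IP address for botnet abusing GE Healthcare MUSE credentials",
    "185.244.25[.]200": "C2 IP address for botnet abusing GE Healthcare MUSE credentials",
    "185.244.25[.]202": "C2 IP address for botnet abusing GE Healthcare MUSE credentials",
    "stresser[.]pw": "Domain name used by botnet abusing GE Healthcare MUSE credentials",
}


def refang(indicator):
    """Undo the [.] defanging used in published IoC lists."""
    return indicator.replace("[.]", ".").lower()


def classify(indicator):
    """Bucket a refanged indicator as sha256, ip or domain."""
    if re.fullmatch(r"[0-9a-f]{64}", indicator):
        return "sha256"
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        return "domain"


def build_index(defanged):
    index = {"sha256": {}, "ip": {}, "domain": {}}
    for raw, description in defanged.items():
        indicator = refang(raw)
        index[classify(indicator)][indicator] = description
    return index


SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def match_line(line, index):
    """Return [(indicator, description), ...] for every listed IoC that appears in one log line."""
    hits = []
    for digest in SHA256_RE.findall(line):
        description = index["sha256"].get(digest.lower())
        if description:
            hits.append((digest.lower(), description))
    for ip in IPV4_RE.findall(line):
        description = index["ip"].get(ip)
        if description:
            hits.append((ip, description))
    for domain in DOMAIN_RE.findall(line):
        domain = domain.lower()
        for known, description in index["domain"].items():
            # an exact match or any subdomain of a listed domain counts
            if domain == known or domain.endswith("." + known):
                hits.append((domain, description))
    return hits


def scan(lines, index=None):
    """Sweep log lines; returns one alert dict per (line, indicator) pair, in log order."""
    index = index or build_index(DEFANGED_IOCS)
    alerts = []
    for number, line in enumerate(lines, 1):
        for indicator, description in match_line(line, index):
            alerts.append({"line": number, "indicator": indicator,
                           "description": description, "event": line.strip()})
    return alerts


# Constructed log lines (DNS, firewall connection and endpoint file-hash events); the client
# addresses, host names and paths are invented, and the all-zero hash is a placeholder.
SAMPLE_LOGS = [
    "2025-03-01T10:02:11Z dns client=10.20.30.40 query=daohang08.com type=A",
    "2025-03-01T10:02:11Z dns client=10.20.30.41 query=windowsupdate.microsoft.com type=A",
    "2025-03-01T10:02:30Z conn src=10.20.30.40 dst=185.244.25.200 dport=443 proto=tcp",
    "2025-03-01T10:02:31Z conn src=10.20.30.41 dst=8.8.8.8 dport=53 proto=udp",
    "2025-03-01T10:03:00Z file host=cms-01 sha256=447a3b7a4b549fd237e31b4a833466690dfa75c12104e6d5bdac80d6c321336a path=C:\\CMS\\cms.exe",
    "2025-03-01T10:03:05Z file host=ws-07 sha256=" + "00" * 32 + " path=C:\\Windows\\notepad.exe",
    "2025-03-01T10:04:00Z dns client=10.20.30.42 query=www.9z9t.com type=A",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print("line %(line)d: %(indicator)s -> %(description)s" % alert)
```

Domain hits against a DNS log are the cheapest signal here because the CMS worm calls home by name, while the hash checks need endpoint telemetry that actually records file digests; correlating both, as the recommendation says, is what turns a single hit into a host to isolate.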

Go deeper: Read “Healthcare Malware Hunt, Part 1: Silver Fox APT Targets Philips DICOM Viewers”
