Following last month's research on a new campaign by the Chinese threat actor Silver Fox, which used trojanized Philips DICOM viewers to infect victims with a backdoor trojan, Forescout Technologies reported that the discovery emerged from a threat hunt for malicious software on VirusTotal (VT). In its latest follow-up analysis, Forescout expands on that search methodology, detailing how it hunted for malware on VT.
The approach combined eyeInspect's and REM's lists of default credentials with a database of the medical software names most commonly observed in healthcare environments, in order to identify malware exhibiting three behaviors: masquerading as legitimate healthcare applications by abusing known software names; using medical system credentials to gain initial access; and interacting with medical devices through healthcare protocols such as DICOM and HL7.
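To make the three hunt behaviors concrete, the following added example (my own code, not Forescout's tooling) turns them into a VirusTotal Intelligence search string and a local triage pass over file reports. The software-name list, the username/password pairs and the three reports are constructed stand-ins for the eyeInspect/REM inventories and for real VT output; the credentials in particular are hypothetical, not any vendor's actual defaults. The query uses VT's `name:`, `type:`, `p:` and `fs:` modifiers as I understand them; check them against the current VT documentation before relying on the string.

```python
"""Added example (not Forescout's code): VT query construction plus local
triage for the three hunt behaviours. Lists and reports below are constructed."""
import re

# Constructed stand-in for the medical software name database (assumed names).
MEDICAL_SOFTWARE_NAMES = ("syngo fastView", "Mindray CMS", "MUSE", "DICOM viewer")
# Constructed username/password pairs; hypothetical, NOT real product defaults.
DEFAULT_CREDENTIALS = (("museadmin", "Muse!Admin"), ("cmsuser", "cms123"))
# Well-known medical protocol ports: DICOM (104, 11112) and HL7 MLLP (2575).
MEDICAL_PROTOCOL_PORTS = {104: "DICOM", 11112: "DICOM", 2575: "HL7"}


def build_vt_query(names, first_seen="2024-11-01+", min_positives=5):
    """Compose a VT Intelligence query using its name:/type:/p:/fs: modifiers."""
    name_clause = " OR ".join(f'name:"{n}"' for n in names)
    return (f"({name_clause}) AND (type:peexe OR type:pedll OR type:elf) "
            f"AND p:{min_positives}+ AND fs:{first_seen}")


def _norm(text):
    """Lower-case and collapse separators so 'syngo_fastView' matches 'syngo fastView'."""
    return re.sub(r"[\s_\-]+", " ", text.lower())


def name_masquerade(report):
    """Submitted file names containing a medical product name as a whole word."""
    hits = []
    for fname in report.get("names", []):
        for sw in MEDICAL_SOFTWARE_NAMES:
            if re.search(rf"\b{re.escape(_norm(sw))}\b", _norm(fname)):
                hits.append(fname)
                break
    return hits


def credential_abuse(report):
    """Default username AND its matching password both present in extracted strings."""
    strings = {s.lower() for s in report.get("strings", [])}
    return [u for u, p in DEFAULT_CREDENTIALS
            if u.lower() in strings and p.lower() in strings]


def medical_protocol_use(report):
    """Sandbox network connections on DICOM/HL7 ports."""
    return [(MEDICAL_PROTOCOL_PORTS[c["port"]], c["dst"])
            for c in report.get("network", []) if c.get("port") in MEDICAL_PROTOCOL_PORTS]


def triage(report):
    """Return only the behaviours that fired, keyed by behaviour name."""
    findings = {}
    for key, check in (("masquerade", name_masquerade),
                       ("credentials", credential_abuse),
                       ("protocol", medical_protocol_use)):
        hits = check(report)
        if hits:
            findings[key] = hits
    return findings


# Constructed reports mimicking the VT fields used here (names, strings, sandbox network).
SAMPLE_REPORTS = [
    {"id": "constructed-1", "names": ["syngo_fastView.exe"],
     "strings": ["kernel32.dll"], "network": []},
    {"id": "constructed-2", "names": ["scanner"],
     "strings": ["museadmin", "Muse!Admin", "/bin/sh"],
     "network": [{"dst": "192.0.2.10", "port": 445}]},
    {"id": "constructed-3", "names": ["amuse.exe"],  # must NOT match "MUSE"
     "strings": [], "network": [{"dst": "198.51.100.7", "port": 11112}]},
]

if __name__ == "__main__":
    print(build_vt_query(MEDICAL_SOFTWARE_NAMES))
    for r in SAMPLE_REPORTS:
        print(r["id"], triage(r))
```

The whole-word match is deliberate: a substring check on "MUSE" would drag in every "amuse" or "museum" binary, and a hunt that returns thousands of unrelated hits is worse than none. The credential check requires both halves of a pair so that a lone common username does not count as evidence.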
The hunt surfaced three notable malware clusters targeting healthcare systems: Siemens syngo fastView DICOM viewers infected with Floxif/Pioneer; a Mindray Central Monitoring Station (CMS) sample infected with 'Panda Burning Incense', a CMS that communicates with patient monitors using an IP address recently flagged by CISA and the FDA as a potential Chinese backdoor; and two botnet samples abusing credentials for GE Healthcare MUSE Cardiology Information Systems (CIS).
“These findings emphasize how IT malware frequently exploits healthcare systems, either by targeting them directly or by infecting weak systems that interact with medical devices,” Amine Amri, Sai Molige, Daniel dos Santos, and Forescout Research – Vedere Labs, wrote in a Tuesday blog post. “Encouragingly, we found no malware samples directly abusing DICOM or HL7, which is good news for clinical network defenders.”
The first finding covers two groups of files compromised by Portable Executable (PE) file infectors. This type of malware appends its own code to legitimate Windows executables and redirects execution to it, so that running the host program also runs the payload, which then serves as a foothold for further compromise.
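The following added example (my own code, not from Forescout or the malware authors) shows what that appended-code pattern looks like at the PE header level and how a triage script can spot it: a minimal section parser plus the classic file-infector heuristics (entry point not in the first code section, entry point in the last section, entry section both writable and executable). The two PE images it examines are constructed in the script itself and contain headers only; the section name `.flx` is an arbitrary placeholder, not a real Floxif artifact. For real samples, use a full parser such as pefile.

```python
"""Added example (not Forescout's code): PE section parser with file-infector
triage heuristics, run over two constructed header-only PE32 images."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Return (entry_rva, [(name, va, size, characteristics), ...]) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    opt_off = pe_off + 24
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]  # same offset in PE32/PE32+
    sections, off = [], opt_off + opt_size
    for _ in range(nsec):
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size = struct.unpack_from("<III", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, va, vsize or raw_size, chars))
        off += 40
    return entry_rva, sections


def infector_indicators(data):
    """Header-level flags that typically accompany an appended-code infection."""
    entry_rva, sections = parse_sections(data)
    flags = []
    ep_index = next((i for i, (_, va, size, _) in enumerate(sections)
                     if va <= entry_rva < va + size), None)
    if ep_index is None:
        return ["entry_outside_sections"]
    first_code = next((i for i, (*_, c) in enumerate(sections)
                       if c & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)), None)
    if first_code is not None and ep_index != first_code:
        flags.append("entry_not_in_first_code_section")
    if len(sections) > 1 and ep_index == len(sections) - 1:
        flags.append("entry_in_last_section")
    chars = sections[ep_index][3]
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        flags.append("entry_section_writable_and_executable")
    return flags


def build_pe(sections, entry_rva):
    """Constructed header-only PE32 image for the demonstration (not loadable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                # AddressOfEntryPoint
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", name, size, va, size, 0, 0, 0, 0, 0, chars)
                    for name, va, size, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = 0x40 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE  # initialized data, RW

# Clean layout: entry point inside .text, the first code section.
CLEAN = build_pe([(b".text", 0x1000, 0x2000, CODE), (b".data", 0x3000, 0x1000, DATA)],
                 entry_rva=0x1100)
# Infected look-alike: a new RWX section appended and the entry point moved into it.
INFECTED = build_pe([(b".text", 0x1000, 0x2000, CODE), (b".data", 0x3000, 0x1000, DATA),
                     (b".flx", 0x4000, 0x800, CODE | IMAGE_SCN_MEM_WRITE)],
                    entry_rva=0x4010)

if __name__ == "__main__":
    print("clean:", infector_indicators(CLEAN))
    print("infected:", infector_indicators(INFECTED))
```

Treat these flags as triage, not verdicts: packers and some linkers also place the entry point in a late section, so a hit should send the file to a full parser and sandbox rather than straight to a quarantine list. The value of the check is in sweeping a share of vendor installers, such as a DICOM viewer distribution, for files whose headers no longer look like the original build.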
“During our analysis, we discovered 19 instances of Siemens syngo fastView DICOM viewers infected with Floxif/Pioneer,” the researchers detailed. “Siemens syngo fastView is typically distributed to patients alongside their medical imaging results, allowing them to view DICOM images on a personal Windows workstation. This software is not intended for use on medical workstations. It is also no longer maintained by Siemens and is known to contain vulnerabilities.”
Floxif/Pioneer is a file infector and backdoor that attaches itself to executable and DLL files, enabling it to download and execute further malware on the victim's system. "It was initially discovered in 2012 and gained notoriety when it was used to distribute a trojan-ized version of the CCleaner utility in 2017. In 2021, it was identified in OT/ICS environments, though no confirmed targeted infections were reported. All infected samples were submitted to VT from the US or Canada between November and December 2024."
They also identified one instance of a Mindray CMS infected with Panda Burning Incense/Fujacks. “This CMS is a hospital software application that connects to multiple patient monitors and centralizes patient vitals and diagnostics.”
Panda Burning Incense is a Chinese worm originally developed in 2006. It infected over 10 million devices before its creators were arrested in 2007. An updated version emerged in 2009, and the malware was last observed infecting enterprise systems in 2019.
"The sample we identified was submitted in 2022 from the United States and exhibits behavior identical to the 2019 variant, specifically: downloading additional malware from 9z9t[.]com and reporting the infection to daohang08[.]com," the researchers added. "As of this writing, the first domain no longer resolves to an IP address, but the second currently resolves to 154.85.233[.]136, a Hong Kong-based IP address."
The Mindray CMS's default connection behavior is itself a potential security risk. The CMS connects to patient monitors using the IP address 202.114.4[.]119, which CISA had previously cited as part of a possible Chinese backdoor. The behavior is not inherently malicious, since the same address is used by default across multiple patient monitors and CMSs, but CISA has warned that the configuration could expose patient monitors to remote code execution (RCE).
As with a similar hunt in OT (operational technology) environments, it cannot be confirmed whether these infections specifically targeted healthcare environments. This type of malware is relatively old and spreads through multiple vectors: other infected files downloaded from the internet, infected USB drives used for file transfers, or networks compromised because of poor segmentation between IT and medical systems.
The researchers added that the infections in the DICOM viewer samples most likely occurred on patients' personal computers, since that is the intended use case for the software. In contrast, the infection observed in the CMS more likely originated inside a healthcare facility, where the software is actively used to monitor patient data.
The second key finding involves botnet samples that use the default password for the GE Healthcare MUSE Cardiology Information System. These samples are ELF binaries, so they cannot execute on the Windows systems that host the MUSE application. Instead, they most likely act as 'vulnerability collectors', scanning for exposed or misconfigured systems and reporting hits to a command-and-control (C2) server or a human operator, who can then deploy additional tools against the vulnerable host.
MUSE is deployed in healthcare organizations to streamline cardiac data management by facilitating the delivery, distribution, and analysis of critical electrocardiogram (ECG) data. It aggregates cardiac measurements, diagnostic text interpretations, and digitized ECG. Given its role in storing and analyzing patient cardiac data, unauthorized access to MUSE systems could pose significant security and privacy risks for healthcare organizations.
Forescout said that its previous and current threat hunts have identified multiple threat types relevant to healthcare organizations, including infected DICOM viewers that are likely targeting patients rather than hospitals directly.
“Beyond our findings in this blog and the previous threat hunt, DICOM viewers have been abused in at least one campaign in 2024,” according to the researchers. “These applications are either compromised by common IT malware or used as lures for sophisticated APT attacks. While an infected DICOM viewer may seem like a greater risk to patients, real-world scenarios – such as patients bringing their own devices into hospitals for diagnosis, or emerging hospital-at-home programs – demonstrate how these infections could spread beyond a personal workstation and serve as an initial access vector for healthcare organizations.”
Additionally, the infected CMS sample and botnets targeting CIS highlight that healthcare-specific systems are also vulnerable, not just patient devices. “The infected CMS sample was likely from a real hospital and contained a decades-old worm, suggesting it probably runs a decades-old operating system, is connected to the internet, and is highly susceptible to many other more modern attacks – a major risk considering it controls multiple patient monitors.”
Apart from these individual findings, the Forescout research reinforces key healthcare cybersecurity challenges. “Threats originate both inside and outside HDOs. DICOM remains a high-risk protocol, as discussed in our recent report, due to its extensive use across interconnected hospital systems within hospitals, including regular workstations and medical devices.”
To reduce cybersecurity risks and improve resilience, the Forescout post called upon healthcare delivery organizations (HDOs) to take several actions. First, they need to identify and classify all connected devices, especially those with legacy operating systems, to assess risk exposure.
Secondly, they must limit external communications and implement effective segmentation. Mapping network flows is the basis for designing segmentation zones that separate IT, IoT, OT, and Internet of Medical Things (IoMT) devices, and the same map exposes external and internet-facing connections. Unintended external communications can then be identified and cut off, preventing unauthorized access and lateral movement within the network.
Lastly, HDOs must monitor network traffic and endpoint telemetry for threat detection. Correlating network and endpoint signals allows defenders to detect and respond to threats faster and more effectively.
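The three recommendations above, as one added example (my own code, not Forescout's product logic): an inventory with zones and a legacy-OS flag (step one), a zone-pair policy plus a map of which internal hosts reach the internet (step two), and per-flow findings for indicator hits, zone violations, medical protocols crossing to the internet and legacy hosts reached from unexpected zones (step three). The inventory, zone policy, ports and Zeek-style conn.log lines are constructed for the demonstration; the two indicator addresses are the ones quoted in the article, refanged. Unknown private addresses are reported as a zone of their own, because a host missing from the inventory is exactly the gap step one is meant to close.

```python
"""Added example (not Forescout's code): inventory, segmentation policy and
flow monitoring over constructed Zeek-style conn.log lines
(ts, src, sport, dst, dport, proto, tab separated)."""
import ipaddress

# Step 1: asset inventory, IP -> (zone, runs_legacy_os). Constructed.
INVENTORY = {
    "10.10.1.20": ("IoMT", True),   # central monitoring station on an old OS
    "10.10.1.31": ("IoMT", False),  # patient monitor
    "10.20.5.40": ("IT", False),    # radiology workstation
    "10.30.9.5": ("IoT", False),    # badge reader
}
# Step 2: zone pairs allowed to talk; anything else is a segmentation finding.
ALLOWED_ZONE_PAIRS = {("IoMT", "IoMT"), ("IT", "IoMT"), ("IT", "IT"), ("IT", "internet")}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Step 3: indicators quoted in the article (refanged) and medical protocol ports.
IOC_IPS = {"202.114.4.119", "154.85.233.136"}
MEDICAL_PORTS = {104: "DICOM", 11112: "DICOM", 2575: "HL7"}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def zone_of(ip):
    """Inventory zone; unknown private hosts are an inventory gap, anything else is internet."""
    if ip in INVENTORY:
        return INVENTORY[ip][0]
    return "internal-unknown" if is_internal(ip) else "internet"


def parse_conn_line(line):
    ts, src, sport, dst, dport, proto = line.split("\t")[:6]
    return {"ts": float(ts), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto}


def evaluate(flow):
    """Findings for one flow; an empty list means the flow matches policy."""
    findings = []
    sz, dz = zone_of(flow["src"]), zone_of(flow["dst"])
    if flow["src"] in IOC_IPS or flow["dst"] in IOC_IPS:
        findings.append("ioc_match")
    if (sz, dz) not in ALLOWED_ZONE_PAIRS:
        findings.append(f"segmentation:{sz}->{dz}")
    svc = MEDICAL_PORTS.get(flow["dport"])
    if svc and "internet" in (sz, dz):
        findings.append(f"{svc}_over_internet")
    if INVENTORY.get(flow["dst"], (None, False))[1] and sz not in ("IT", "IoMT"):
        findings.append("legacy_host_reached_from_unexpected_zone")
    return findings


def external_comms_map(flows):
    """Step 2's mapping: which internal hosts talk to which internet addresses."""
    out = {}
    for f in flows:
        if zone_of(f["dst"]) == "internet":
            out.setdefault(f["src"], set()).add(f["dst"])
    return out


# Constructed conn.log excerpt. Destination ports on the first two lines are arbitrary.
LOG = (
    "1738000000.1\t10.10.1.20\t51000\t202.114.4.119\t8000\ttcp\n"
    "1738000001.2\t10.10.1.20\t51001\t154.85.233.136\t80\ttcp\n"
    "1738000002.3\t10.20.5.40\t49200\t10.10.1.20\t104\ttcp\n"
    "1738000003.4\t10.30.9.5\t40000\t10.10.1.20\t2575\ttcp\n"
    "1738000004.5\t10.20.5.40\t49300\t203.0.113.9\t104\ttcp\n"
)
FLOWS = [parse_conn_line(line) for line in LOG.splitlines()]

if __name__ == "__main__":
    for f in FLOWS:
        print(f["src"], "->", f["dst"], f["dport"], evaluate(f))
    print(external_comms_map(FLOWS))
```

Two design choices matter here. Internal versus external is decided by explicit RFC 1918 membership rather than Python's `is_private`, which also treats documentation ranges as private and would silently hide the last flow. And the DICOM check fires on port alone even when the zone policy permits IT-to-internet traffic, because an imaging workstation sending DICOM to an outside address is worth a look regardless of what the segmentation rules allow.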
Last month, the Health-ISAC released its 2025 Health Sector Cyber Threat Landscape, highlighting the severe cybersecurity challenges faced by the healthcare sector in 2024 and predicting an even tougher environment in 2025. Key issues included a rise in ransomware attacks, nation-state espionage, and vulnerabilities in the IoMT, with cybercriminals employing advanced tactics to disrupt operations and demand ransoms.