{ "id": "b59d1028-b4e9-4554-9ec9-0d99b3ae2737", "created_at": "2026-04-06T00:09:10.510166Z", "updated_at": "2026-04-10T03:31:17.834949Z", "deleted_at": null, "sha1_hash": "01e1ec4384c4e047d6c378cd3fae6014cea25e17", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 60349, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 12:57:46 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Lambert\n Tool: Lambert\nNames\nLambert\nPlexor\nCategory Malware\nType Info stealer\nDescription\nFrom the start, Symantec suspected Longhorn was an outlier, saying it appeared to be different\nfrom other potential cybercrime groups. That assessment was based in part on Longhorn using\na zero-day software exploit, which Symantec found embedded within a Microsoft Word\ndocument. The exploit delivered a data-stealing tool called Plexor.\n'The malware had all the hallmarks of a sophisticated cyberespionage group,' Symantec writes.\n'Aside from access to zero-day exploits, the group had preconfigured Plexor with elements that\nindicated prior knowledge of the target environment.'\nInformation\nMalpedia Last change to this tool card: 14 May 2020\nDownload this tool card in JSON format\nAll groups using tool Lambert\nChanged Name Country Observed\nAPT groups\n ↳ Subgroup: Longhorn, The Lamberts 2009\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ddeb02e1-da34-4b8f-aaa6-ee9cf855ddab\nPage 1 of 2\n\nEquation Group 2001-Aug 2016\r\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ddeb02e1-da34-4b8f-aaa6-ee9cf855ddab\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ddeb02e1-da34-4b8f-aaa6-ee9cf855ddab\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ddeb02e1-da34-4b8f-aaa6-ee9cf855ddab" ], "report_names": [ "listgroups.cgi?u=ddeb02e1-da34-4b8f-aaa6-ee9cf855ddab" ], "threat_actors": [ { "id": "b740943a-da51-4133-855b-df29822531ea", "created_at": "2022-10-25T15:50:23.604126Z", "updated_at": "2026-04-10T02:00:05.259593Z", "deleted_at": null, "main_name": "Equation", "aliases": [ "Equation" ], "source_name": "MITRE:Equation", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "08623296-52be-4977-8622-50efda44e9cc", "created_at": "2023-01-06T13:46:38.549387Z", "updated_at": "2026-04-10T02:00:03.020003Z", "deleted_at": null, "main_name": "Equation Group", "aliases": [ "Tilded Team", "EQGRP", "G0020" ], "source_name": "MISPGALAXY:Equation Group", "tools": [ "TripleFantasy", "GrayFish", "EquationLaser", "EquationDrug", "DoubleFantasy" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b", "created_at": "2024-05-01T02:03:08.144214Z", "updated_at": "2026-04-10T02:00:03.674763Z", "deleted_at": null, "main_name": "PLATINUM COLONY", "aliases": [ "Equation Group " ], "source_name": "Secureworks:PLATINUM COLONY", "tools": [ "DoubleFantasy", "EquationDrug", "EquationLaser", "Fanny", "GrayFish", "TripleFantasy" ], "source_id": "Secureworks", "reports": null }, { "id": "e993faab-f941-4561-bd87-7c33d609a4fc", "created_at": "2022-10-25T16:07:23.460301Z", "updated_at": "2026-04-10T02:00:04.617715Z", "deleted_at": null, "main_name": "Longhorn", "aliases": [ "APT-C-39", "Platinum Terminal", "The Lamberts" ], "source_name": "ETDA:Longhorn", "tools": [ "Black Lambert", "Blue Lambert", "Corentry", "Cyan Lambert", "Fluxwire", "Gray Lambert", "Green Lambert", "Magenta Lambert", "Pink Lambert", "Plexor", "Purple Lambert", "Silver Lambert", "Violet Lambert", "White Lambert" ], "source_id": "ETDA", "reports": null }, { "id": "e0fed6e6-a593-4041-80ef-694261825937", "created_at": "2022-10-25T16:07:23.593572Z", "updated_at": "2026-04-10T02:00:04.680752Z", "deleted_at": null, "main_name": "Equation Group", "aliases": [ "APT-C-40", "G0020", "Platinum Colony", "Tilded Team" ], "source_name": "ETDA:Equation Group", "tools": [ "Bvp47", "DEMENTIAWHEEL", "DOUBLEFANTASY", "DanderSpritz", "DarkPulsar", "DoubleFantasy", "DoubleFeature", "DoublePulsar", "Duqu", "EQUATIONDRUG", "EQUATIONLASER", "EQUESTRE", "Flamer", "GRAYFISH", "GROK", "OddJob", "Plexor", "Prax", "Regin", "Skywiper", "TRIPLEFANTASY", "Tilded", "UNITEDRAKE", "WarriorPride", "sKyWIper" ], "source_id": "ETDA", "reports": null }, { "id": "70db80bd-31b7-4581-accb-914cd8252913", "created_at": "2023-01-06T13:46:38.57727Z", "updated_at": "2026-04-10T02:00:03.028845Z", "deleted_at": null, "main_name": "Longhorn", "aliases": [ "the Lamberts", "APT-C-39", "PLATINUM TERMINAL" ], "source_name": "MISPGALAXY:Longhorn", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1", "created_at": "2024-05-01T02:03:08.146025Z", "updated_at": "2026-04-10T02:00:03.67072Z", "deleted_at": null, "main_name": "PLATINUM TERMINAL", "aliases": [ "APT-C-39 ", "Longhorn ", "The Lamberts ", "Vault7 " ], "source_name": "Secureworks:PLATINUM TERMINAL", "tools": [ "AfterMidnight", "Assassin", "Marble Framework" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434150, "ts_updated_at": 1775791877, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/01e1ec4384c4e047d6c378cd3fae6014cea25e17.pdf", "text": "https://archive.orkl.eu/01e1ec4384c4e047d6c378cd3fae6014cea25e17.txt", "img": "https://archive.orkl.eu/01e1ec4384c4e047d6c378cd3fae6014cea25e17.jpg" } }