{
	"id": "1391ef5d-66a8-49bc-ba36-630065368bf8",
	"created_at": "2026-04-06T00:08:32.52068Z",
	"updated_at": "2026-04-10T03:31:17.867938Z",
	"deleted_at": null,
	"sha1_hash": "150e5ab22107852f3e42dbdce57188abe6b49255",
	"title": "Made In America: Green Lambert for OS X",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5189765,
	"plain_text": "Made In America: Green Lambert for OS X\r\nArchived: 2026-04-02 10:47:36 UTC\r\nby: Runa Sandvik / October 1, 2021\r\nThis guest blog post was written by Runa Sandvik, a noted security researcher who works on digital security for\r\njournalists and other high-risk people.\r\nMahalo for sharing, Runa! 🤩\r\n📝 👾 Want to play along?\r\nI’ve uploaded an OSX.GreenLambert sample (password: infect3d).\r\n...please don’t infect yourself!\r\nBackground\r\nIn March 2017, WikiLeaks began publishing thousands of files detailing the CIA’s spying operations and hacking\r\ntools. The leak, known as Vault 7, was the largest disclosure of classified information in the agency’s history. In\r\nApril, Symantec publicly linked Vault 7 to an advanced threat actor named Longhorn. Kaspersky then announced\r\nit tracks the same actor as The Lamberts, and revealed the existence of an OS X implant called Green Lambert.\r\nKaspersky’s research showed that The Lamberts’ toolkit includes “network-driven backdoors, several generations\r\nof modular backdoors, harvesting tools, and wipers.” A timeline of activity for tools used by The Lamberts shows\r\nthat “Green Lambert is the oldest and longest-running in the family.” Green Lambert is described as an “active\r\nimplant” and “the only one where non-Windows variants have been found.”\r\nThis blog post, along with the [Made in America](https://objectivebythesea.com/v4/talks.html#Made In America)\r\ntalk at Objective By The Sea v.4.0, provides a comprehensive analysis of Green Lambert for OS X. I’ll share how\r\nI approached the research, the tools I used, the things I figured out, and the things I didn’t. I’ll also look at whether\r\nthe developers followed the agency’s guidelines for development tradecraft. Some might ask why I’d look at an\r\nimplant this old. 
Doing so helps us better understand the capabilities of its sophisticated creator, past and present.\r\nAnd, if we’re being honest: I could, so I did.\r\nhttps://objective-see.com/blog/blog_0x68.html\r\nPage 1 of 15\n\nVictimology\r\nWe don’t know how this implant makes it into a target system, the type of system it’s used on, or the geographical\r\nlocation of a typical target. Symantec said that the actor has infiltrated governments, “in addition to targets in the\r\nfinancial, telecoms, energy, aerospace, information technology, education, and natural resources sectors.” QI-ANXIN said the actor has previously “targeted personnel and institutions in China.”\r\nA version of Green Lambert for OS X was first uploaded to VirusTotal, from Russia, in September 2014.\r\nKaspersky marked it as malicious in October 2016. AegisLab, a security firm based in Taiwan, followed a couple\r\nof weeks later. VirusTotal identified that the implant calls itself GrowlHelper, possibly referencing the popular\r\nGrowl notification system for OS X from 2004.\r\nTriage\r\nUsing static analysis methods, we can triage the implant without running it. For example, we can determine that\r\nGrowlHelper is a small, unsigned Mach-O executable.\r\n$ file GrowlHelper\r\nGrowlHelper: Mach-O executable i386\r\n$ codesign -dvv GrowlHelper\r\nGrowlHelper: code object is not signed at all\r\n$ du -h GrowlHelper\r\n208K\r\nWe can use otool -L to print a list of linked libraries. This can sometimes provide insight into the capabilities of\r\nthe malware, but doesn’t appear to be particularly helpful here. 
Note the few dependencies in the list below.\r\n$ otool -L GrowlHelper\r\n/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation\r\n/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices\r\n/System/Library/Frameworks/Security.framework/Versions/A/Security\r\n/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration\r\n/usr/lib/libSystem.B.dylib\r\n/usr/lib/libgcc_s.1.dylib\r\nWhat’s more interesting is the output of strings -. This tool can also provide insight into the capabilities of the\r\nmalware.\r\n$ strings - GrowlHelper\r\nLoginItem\r\nLaunchAgent\r\n/Library/LaunchDaemons\r\nwww.google.com\r\nError from libevent when adding event for DNS server\r\n1.3a\r\n_SecKeychainFindInternetPassword\r\n_SecKeychainItemCopyAttributesAndData\r\n_kSCPropNetProxiesHTTPProxy\r\n_kSCPropNetProxiesProxyAutoConfigEnable\r\n_kSCPropNetProxiesProxyAutoConfigURLString\r\nThe references to LoginItem, LaunchAgent and LaunchDaemons suggest this implant has different options for\r\ngaining persistence on a system. In other words: how the implant ensures it’s executed again if the system is\r\nrebooted. Check out this post by Phil Stokes at SentinelOne for an overview of malware persistence techniques\r\nseen in the wild.\r\nThe following three lines appear to be related to libevent, the same event notification library that is used by Tor.\r\nThe open-source library is very popular now, but was perhaps less known back when this implant was created.\r\nThe reference to 1.3a may shed some light on the development timeline for this implant: version 1.3a of\r\nlibevent was released in February 2007.\r\nThe references to Keychain, Proxies and AutoConfig suggest this implant determines proxy settings on the\r\ntarget system. 
According to this post, kSCPropNetProxiesProxyAutoConfigEnable and\r\nkSCPropNetProxiesProxyAutoConfigURLString were added in Xcode version 2.2. This version was released in\r\nNovember 2005. This could be another clue about the development timeline.\r\nOS X Version\r\nThe static analysis methods we used were helpful, but we’re going to want to see how the implant behaves on a\r\nsystem. For that, we’ll turn to dynamic analysis in a virtual machine. But which version of OS X does the implant\r\nneed? We know that it’s a 32-bit executable, and the latest macOS is 64-bit only. We can narrow this down further\r\nby looking at symbols using nm.\r\n$ nm GrowlHelper\r\n U _CFArrayAppendValue\r\n U _CFArrayCreateMutable\r\n U _CFArrayCreateMutableCopy\r\n U _CFArrayGetCount\r\n U _CFArrayGetValueAtIndex\r\n U _CFArrayRemoveValueAtIndex\r\n U _CFDictionaryCreate\r\n U _CFDictionaryGetValue\r\n U _CFGetTypeID\r\n U _CFNumberGetTypeID\r\n ...\r\nThe next step is a bit tedious, but does provide helpful information. To better understand what these symbols\r\nrepresent, we can look them up in Apple’s Developer Documentation. Not only will we be able to learn how and\r\nwhere a given symbol is used, but we can also see when it was deprecated. With that information, we can\r\ndetermine which version of OS X the implant will run on.\r\nFSGetCatalogInfo is available in macOS 10.0 - 10.8\r\nFSPathMakeRef is available in macOS 10.0 - 10.8\r\nFSSetCatalogInfo is available in macOS 10.0 - 10.8\r\nSecKeychainSearchCopyNext is available in macOS 10.0 - 10.7\r\nSecKeychainSearchCreateFromAttributes is available in macOS 10.0 - 10.7\r\nSecKeychainSetUserInteractionAllowed is available in macOS 10.2 - 12.0\r\nThis means that the implant will run on (at least) 10.7: OS X Lion.\r\nNote: I confirmed the implant runs on 10.8. 
It probably runs on any OS X that supports 32-bit executables.\r\nDevelopment / Use Timeline\r\nLet’s look at a potential timeline for the development and use of this implant.\r\nGrowl was released in 2004 and retired in 2020. Xcode version 2.2 was released in November 2005, while\r\nlibevent 1.3a was released in February 2007. OS X 10.7 was released in 2011, and 10.8 in 2012. The implant first\r\nappeared on VirusTotal in late 2014. Court records show Vault 7 was stolen sometime in early 2016 and published\r\nby WikiLeaks a year later. Based on these data points, it’s likely the implant was created and used between 2007\r\nand (at least) 2013.\r\nSetting Up a Virtual Machine\r\nAs of June 2021, OS X 10.7 is available for free from Apple. You can also do what I did: buy an old MacBook on\r\neBay for $95.\r\nYou may have to unpack the .dmg you get from Apple to get a file that’ll work with your virtual machine\r\nsoftware. If so, try:\r\n$ hdiutil attach InstallMacOSX.dmg\r\nClick on Install Mac OS X on the Desktop and use The Unarchiver (or another tool) to extract\nInstallMacOSX.pkg to a temporary folder. Go into this folder, click on the new copy of InstallMacOSX.pkg and\nselect Show Package Contents. Copy InstallESD.dmg to where you keep your virtual machine images, and use\nthat instead.\nWe’re going to use lldb, the default debugger, to execute the implant, modify registers, and examine memory\ncontents. OS X 10.7 doesn’t include Xcode by default, but a quick Google search suggests we need version 4.6.3\nand can get it from Apple’s Developer Downloads page. 
After installing Xcode and confirming that lldb is\nworking, we isolate the machine and create a clean snapshot.\nPersistence\nPhil Stokes at SentinelOne wrote that “the most common way malware persists on macOS is via a LaunchAgent.\nEach user on a Mac can have a LaunchAgents folder in their own Library folder to specify code that should be\nrun every time that user logs in.” We can confirm this is the case with Green Lambert by running the implant, then\nchecking the user’s LaunchAgents folder.\n$ ls ~/Library/LaunchAgents\ncom.apple.GrowlHelper.plist\nOnce installed, it’ll delete the original GrowlHelper file from the system. This is where our VM snapshot comes\nin handy.\nFrom Phil’s post, we know that “LaunchAgents take the form of property list files, which can either specify a file\nto execute or can contain their own commands to execute directly.” We can confirm this by looking at\ncom.apple.GrowlHelper.plist.\n$ cat ~/Library/LaunchAgents/com.apple.GrowlHelper.plist\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<plist version=\"1.0\">\n<dict>\n\t<key>Label</key>\n\t<string>com.apple.GrowlHelper</string>\n\t<key>ProgramArguments</key>\n\t<array>\n\t\t<string>/Users/user/Library/Caches/com.apple.Growl.GrowlHelper/5d0d/GrowlHelper</string>\n\t\t<string>-f</string>\n\t</array>\n\t<key>RunAtLoad</key>\n\t<true/>\n\t<key>OnDemand</key>\n\t<!-- boolean value not preserved in the extracted text -->\n</dict>\n</plist>\nThe ProgramArguments tell us where GrowlHelper is installed and that it takes at least one command line\r\nargument (-f). The RunAtLoad key confirms the implant will run every time the user logs in. 
To get an\r\noverview of the installation process, we can monitor file system activity for GrowlHelper events.\r\n$ sudo fs_usage -w -f filesys \u003e filesys.out\r\n$ sudo grep GrowlHelper filesys.out\r\nexecve /Users/user/GrowlHelper 0.015273 W bash.2848\r\nexecve /Users/user/GrowlHelper 0.000383 GrowlHelper.2851\r\nopen /Users/user/.profile 0.000018 GrowlHelper.2851\r\nopen /Users/user/.bash_profile 0.000015 GrowlHelper.2851\r\nopen /Users/user/.bash_login 0.000015 GrowlHelper.2851\r\nopen /Users/user/.bashrc 0.000014 GrowlHelper.2851\r\nopen /Users/user/.cshrc 0.000014 GrowlHelper.2851\r\nopen /Users/user/.login 0.000014 GrowlHelper.2851\r\nopen /Users/user/.tcshrc 0.000014 GrowlHelper.2851\r\nopen /Users/user/.xsession 0.000007 GrowlHelper.2851\r\nopen /Users/user/.xinitrc 0.000006 GrowlHelper.2851\r\nWe see that GrowlHelper has a handful of options for maintaining persistence, in case the LaunchAgent is\r\nremoved. In one case, the implant uses a .profile file to ensure it’s launched whenever the user opens the\r\nTerminal. (Path to GrowlHelper was lightly edited due to space constraints.)\r\n$ cat ~/.profile\r\nGrowlHelper=`/path/to/com.apple.Growl.GrowlHelper/5d0d/GrowlHelper 2\u003e\u00261` # Automatic GrowlHelper. Do not remove\r\nSelf-Update\r\nWe can compare how GrowlHelper behaves when the system is offline v. online. 
Here are the files it created in\r\nan isolated VM.\r\n$ file /Users/offline/Library/Caches/com.apple.Growl.GrowlHelper/5d0d/*\r\nGrowlHelper: Mach-O executable i386\r\ndb: Berkeley DB 1.85 (Hash, version 2, native byte-order)\r\nfifo: socket\r\nqueue: directory\r\nAnd here are the files GrowlHelper created on that old MacBook I got from eBay.\r\n$ file /Users/online/Library/Caches/com.apple.Growl.GrowlHelper/5d0d/*\r\nGrowlHelper: Mach-O executable i386\r\nSoftware Update Check: Mach-O executable i386\r\ndb: Berkeley DB 1.85 (Hash, version 2, native byte-order)\r\nfifo: socket\r\nqueue: directory\r\nIt looks like GrowlHelper creates an executable named Software Update Check when it thinks it’s online. I was\r\npretty excited when I first found this, but quickly realized it just drops a copy of itself with a different name.\r\n3fcdbd3c5fa34fb8e8d58038fa1d1f13d37e8a4b GrowlHelper\r\n3fcdbd3c5fa34fb8e8d58038fa1d1f13d37e8a4b Software Update Check\r\nIt’s possible that Software Update Check is used to update GrowlHelper.\r\nCommand Line Arguments\r\nWe know where GrowlHelper is installed and that it takes at least one command line argument (-f). With this\r\ninformation, we can identify other arguments by manually looping through options a-z and A-Z on the\r\ncommand line. The output below is the result of doing this try/fail experiment in a VM.\r\nArgs | Meaning | Action\r\nc    | ??      | Prints: ** Commands will be processed immediately **\r\nd    | ??      | If GrowlHelper is installed, drops Software Update Check\r\nf    | Default | Persists as LaunchAgent, creates: GrowlHelper, db, fifo, queue\r\np:   | ??      | Prints: GrowlHelper: option requires an argument – p\r\ns    | ??      | Runs without persisting, creates: db, fifo, queue\r\nL    | ??      | Runs without persisting, does not create files\r\nN    | ??      | Persists as LaunchAgent, creates: GrowlHelper, Software Update Check, db\r\nHopper Disassembler is a tool that helps you disassemble, decompile and debug malware. 
There’s a free version,\r\nand you can get a personal license for $99. Using Hopper, we can confirm the arguments we found by looking for\r\nargc, argv, and getopt.\r\nBy using Hopper’s pseudo-code mode, we can see the full set of possible command line arguments.\r\nEntry Points\r\nWhen you open GrowlHelper in Hopper, you’ll see that it has multiple entry points: EntryPoint_1 through\r\nEntryPoint_21. These entry points are called when GrowlHelper starts executing, before the main entry point\r\nat 0x2cd8. GrowlHelper will use these entry points to initialize certain functionality. QI-ANXIN detailed these\r\nentry points in this post and in the screenshot below.\r\nIt appears GrowlHelper has a preflight checklist of sorts: it initializes functionality, figures out what it needs, and\r\ndeletes the rest.\r\n$ sudo grep GrowlHelper filesys.out\r\nmkdir /Users/user/.DS_Info\r\nmkdir /Users/user/.DS_Info/5d0d\r\nmkdir /Users/User/Library/Caches/com.apple.advanced 0.000066 Gro\r\nrmdir /Users/user/.DS_Info/5d0d\r\nrmdir /Users/user/.DS_Info\r\nrmdir /Users/User/Library/Caches/com.apple.advanced 0.000068 Gro\r\nDecrypting a String\r\nGiven the author, it’s no surprise that most strings in this implant are encrypted. The implant appears to handle\r\nencrypted strings in a bunch of different ways, which makes it challenging to automate decryption. Hopper has\r\ndone some of the analysis work for us, allowing us to at least manually decrypt strings with lldb. 
Here’s one\r\nexample.\r\nIn the screenshot above, we have:\r\nThe address for the program counter / call to the decryption routine (0x1549b)\r\nThe values for ecx (0x01), edx (0x31e80), eax (0x2d487)\r\nThe address after the decryption routine, which we’ll use as a breakpoint for lldb (0x154a0)\r\nWe load the implant into the debugger using lldb GrowlHelper, and decrypt the string:\r\nDecrypting More Strings\r\nManually decrypting strings turned into a rabbit hole for me, but that’s OK. I’m sure there are ways to do this\r\nfaster, but I have to admit I really enjoyed the process of learning to do this manually. Here are the strings I’ve\r\ndecrypted so far, minus duplicates.\r\npc String\r\n0xe8a0 /tmp\r\n0xe9ba upload_dir\r\n0xe9e2 upload_key\r\n0xea23 upload_header\r\n0xed50 52\r\n0x185ef download\r\n0x187d7 ?\r\n0x18eae InternetOpen\r\n0x19121 ** Commands will be processed immediately **\r\n0x191f6 login.php\r\n0x19216 getconf.php\r\n0x19236 s|%s|%s|%s upload.gethostname\r\n0x195be show.php\r\n0xa2f6 ConfigInitdFile\r\n0x2ce6f /etc/init.d\r\n0xa762 /etc/rc.d.File\r\n0xaccc .xinitrc\r\n0xae0b ConfigPersistXsessionFile\r\n0xae23 ConfigPersistXSession\r\n0xaec9 .xsession\r\n0xaf39 ConfigPersistXinitRCFile\r\n0xaf51 ConfigPersistXInitRC\r\n0xc8f0 proxy_type\r\n0xc916 proxy_url\r\n0xc948 Could not set proxy\r\n0xca62 http://www.google.com\r\n0xce05 no proxy_url\r\n0x11309 index.html\r\n0x11816 hps.txt\r\n0x11d35 NODELETE\r\n0x11d64 DELETE\r\n0x11d93 SECDELETE\r\n0x1218d NOWAIT\r\n0x121c0 WAIT\r\n0x121f1 WAIT_FOREVER\r\n0x1225a /bin/sh -c\r\n0x132b1 Version\r\n0x13c1e Service\r\n0x147f8 Proxy\r\n0x14b1e ProxyUser\r\n0x1549b hversion.txt\r\n0x15c12 HHLogEntry\r\n0x15c5b HHLogHead\r\n0x15e2d HHLogTail\r\n0x1a427 hh_last_attempt\r\n0x1a530 
localhost_sock_create(pipe)\r\n0x1a8ab hh_last_attempt\r\n0x649e No LP configured\r\n0x6a66 16\r\nListening Post\r\nOne of the decrypted strings is No LP configured. LP likely stands for Listening Post, a military term used in the\r\ncontext of signals intelligence and reconnaissance. Where other types of malware would likely use the terms C2 or\r\nCommand \u0026 Control, the CIA and the NSA use LP. One Vault 7 document is titled Listening Post (LP) Creation,\r\nand another details requirements for a Listening Post.\r\nConfiguration Files\r\nSome of the decrypted strings refer to .html, .php, and .txt files, but I’m unable to access them. But we\r\nknow that Kaspersky found “a hostname and an IP address” hardcoded in the implant. And researchers at QI-ANXIN determined the implant talks to the Listening Post through login.php and getconf.php, and\r\ndownloads follow-up code through getfile.php.\r\nConfiguration? Survey?\r\nIf you dig around in Hopper and use pseudo-code mode from time to time, you’ll likely find some interesting bits\r\nof information. When I stumbled upon the string Version=1.2.0, I decided to see where else = was referenced.\r\nTo do that, highlight 0x132b8 as shown below and hit x.\r\nThe list of references looks like this, with the current one selected.\r\nWe can then go through all these references, decrypt the strings, and get an output that looks like this.\r\nuname=\r\nTime=%Y\\%m\\%d %H:%M:%S Z\r\nUptime=\r\nVersion=1.2.0\r\nPID=\r\nThe output lists information from the target system (e.g. uname) and information from the implant (e.g.\r\nVersion). 
This could be a combination of a configuration file and system survey.\r\nNetwork Traffic\r\nWe can monitor the network traffic on our OS X 10.7 system using tcpdump and then view the output in\r\nWireshark.\r\nThis gives us the hardcoded hostname notify[.]growlupdate[.]com. Very clever given the name of the\r\nexecutable.\r\nAnd the hardcoded IP address: 94[.]242[.]252[.]68.\r\nHostname\r\nGoogle and the Wayback Machine don’t have any results for the domain name. If we look it up on VirusTotal, we\r\nsee that it was first submitted in October 2016. But if we look up the domain on crt.sh, we see that an SSL\r\ncertificate was created on October 29, 2013. The domain may have been purchased earlier, but this at least\r\nsuggests the domain was active in late 2013. This matches the timeline we created earlier, as well as Kaspersky’s\r\ntimeline of activity by The Lamberts.\r\nNote: Kaspersky sinkholed the domain to 95[.]211[.]172[.]143 between October 1, 2016 and October 2, 2017.\r\nDevelopment Tradecraft DOs and DON’Ts\r\nAs part of Vault 7, WikiLeaks published 52 revisions of the CIA’s development tradecraft guidelines. I mapped the\r\nrevisions in a public spreadsheet to see how the guidance changed over time. Studying the development choices\r\nmade by sophisticated actors may help us track them over time. 
For example, when Kaspersky identified a code\r\noverlap between Sunburst and Kazuar, it was because of “unusual, shared features” such as the UID generation\r\nalgorithm, the sleeping algorithm, and use of the FNV-1a hash.\r\nAs Costin Raiu of Kaspersky pointed out on Twitter, “C2 jitter, secure erase / uninstall, SSL/TLS+extra crypto,\r\nsize below 150K, encrypt logs and local collection, decrypt strings on the fly in mem… simply following these\r\nguidelines immediately makes the malware (“tools”) more interesting and, recognizable by a skilled analyst.”\r\nWhile most of these are true here as well, there are a few things that stand out.\r\nFile size is a bit over the “ideal binary file size” for a fully featured tool (208K v. 150K)\r\nThe references to Listening Post / LP may be CIA- and USG-specific terminology\r\nUse of English abbreviations for days of the week (mtwhfsu / MTWHFSU)\r\nUse of the libevent library back when it was perhaps less well-known\r\nConclusion\r\nI’ve really enjoyed working on this project and certainly learned a lot along the way. I’m confident there’s more to\r\nfind here, and I’d love to collaborate with anyone interested in taking a closer look. As for The Lamberts?\r\nMalware from this actor keeps turning up, along with new insights. In fact, Kaspersky’s APT trends report for Q1\r\n2021 mentions Purple Lambert, a malware “capable of providing an attacker with basic information about the\r\ninfected system and executing a received payload.”\r\nIndicators of Compromise\r\nnotify[.]growlupdate[.]com\r\n94[.]242[.]252[.]68\r\n3fcdbd3c5fa34fb8e8d58038fa1d1f13d37e8a4b\r\nReferences\r\nPatrick’s free and open-source book on Mac malware analysis was incredibly helpful during this project. 
If you\r\nhaven’t already done so, I highly recommend checking out The Art of Mac Malware.\r\nSource: https://objective-see.com/blog/blog_0x68.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://objective-see.com/blog/blog_0x68.html"
	],
	"report_names": [
		"blog_0x68.html"
	],
	"threat_actors": [
		{
			"id": "e993faab-f941-4561-bd87-7c33d609a4fc",
			"created_at": "2022-10-25T16:07:23.460301Z",
			"updated_at": "2026-04-10T02:00:04.617715Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"APT-C-39",
				"Platinum Terminal",
				"The Lamberts"
			],
			"source_name": "ETDA:Longhorn",
			"tools": [
				"Black Lambert",
				"Blue Lambert",
				"Corentry",
				"Cyan Lambert",
				"Fluxwire",
				"Gray Lambert",
				"Green Lambert",
				"Magenta Lambert",
				"Pink Lambert",
				"Plexor",
				"Purple Lambert",
				"Silver Lambert",
				"Violet Lambert",
				"White Lambert"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70db80bd-31b7-4581-accb-914cd8252913",
			"created_at": "2023-01-06T13:46:38.57727Z",
			"updated_at": "2026-04-10T02:00:03.028845Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"the Lamberts",
				"APT-C-39",
				"PLATINUM TERMINAL"
			],
			"source_name": "MISPGALAXY:Longhorn",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1",
			"created_at": "2024-05-01T02:03:08.146025Z",
			"updated_at": "2026-04-10T02:00:03.67072Z",
			"deleted_at": null,
			"main_name": "PLATINUM TERMINAL",
			"aliases": [
				"APT-C-39 ",
				"Longhorn ",
				"The Lamberts ",
				"Vault7 "
			],
			"source_name": "Secureworks:PLATINUM TERMINAL",
			"tools": [
				"AfterMidnight",
				"Assassin",
				"Marble Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434112,
	"ts_updated_at": 1775791877,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/150e5ab22107852f3e42dbdce57188abe6b49255.pdf",
		"text": "https://archive.orkl.eu/150e5ab22107852f3e42dbdce57188abe6b49255.txt",
		"img": "https://archive.orkl.eu/150e5ab22107852f3e42dbdce57188abe6b49255.jpg"
	}
}