{
	"id": "b7a1224b-bbbd-4edc-a90c-1ca4c37471ba",
	"created_at": "2026-04-06T01:31:06.000145Z",
	"updated_at": "2026-04-10T03:31:17.848864Z",
	"deleted_at": null,
	"sha1_hash": "3d99b9ca07b23c2967de2f14c8f2fd8fb5d87954",
	"title": "Subgroup: Longhorn, The Lamberts - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 33801,
	"plain_text": "Subgroup: Longhorn, The Lamberts - Threat Group Cards: A\r\nThreat Actor Encyclopedia\r\nArchived: 2026-04-06 01:02:49 UTC\r\nDescription\r\nA subgroup of the CIA.\r\nSome operations and tooling used by this group were exposed in the [Vault 7/8] leaks on WikiLeaks in 2017.\r\n(Symantec) Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to\r\nzero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally\r\noperating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information\r\ntechnology, education, and natural resources sectors. All of the organizations targeted would be of interest to a\r\nnation-state attacker.\r\nLonghorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one\r\noccasion a computer in the United States was compromised but, following infection, an uninstaller was launched\r\nwithin hours, which may indicate this victim was infected unintentionally.\r\nLonghorn’s malware appears to be specifically built for espionage-type operations, with detailed system\r\nfingerprinting, discovery, and exfiltration capabilities. The malware uses a high degree of operational security,\r\ncommunicating externally at only select times, with upload limits on exfiltrated data, and randomization of\r\ncommunication intervals—all attempts to stay under the radar during intrusions.\r\nFor C\u0026C servers, Longhorn typically configures a specific domain and IP address combination per target. The\r\ndomains appear to be registered by the attackers; however they use privacy services to hide their real identity. The\r\nIP addresses are typically owned by legitimate companies offering virtual private server (VPS) or webhosting\r\nservices. The malware communicates with C\u0026C servers over HTTPS using a custom underlying cryptographic\r\nprotocol to protect communications from identification.\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=aecce739-abe2-427f-8afc-78eb3b7ebd0b\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=aecce739-abe2-427f-8afc-78eb3b7ebd0b\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=aecce739-abe2-427f-8afc-78eb3b7ebd0b"
	],
	"report_names": [
		"showcard.cgi?u=aecce739-abe2-427f-8afc-78eb3b7ebd0b"
	],
	"threat_actors": [
		{
			"id": "740a85d2-4072-42a6-9dfc-c72449ccdfa5",
			"created_at": "2022-10-25T16:07:24.58714Z",
			"updated_at": "2026-04-10T02:00:05.044403Z",
			"deleted_at": null,
			"main_name": "[Vault 7/8]",
			"aliases": [],
			"source_name": "ETDA:[Vault 7/8]",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "56742211-e3f9-40b7-bafb-8a6cebf257d0",
			"created_at": "2023-01-06T13:46:39.030574Z",
			"updated_at": "2026-04-10T02:00:03.18915Z",
			"deleted_at": null,
			"main_name": "[Vault 7/8]",
			"aliases": [],
			"source_name": "MISPGALAXY:[Vault 7/8]",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e993faab-f941-4561-bd87-7c33d609a4fc",
			"created_at": "2022-10-25T16:07:23.460301Z",
			"updated_at": "2026-04-10T02:00:04.617715Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"APT-C-39",
				"Platinum Terminal",
				"The Lamberts"
			],
			"source_name": "ETDA:Longhorn",
			"tools": [
				"Black Lambert",
				"Blue Lambert",
				"Corentry",
				"Cyan Lambert",
				"Fluxwire",
				"Gray Lambert",
				"Green Lambert",
				"Magenta Lambert",
				"Pink Lambert",
				"Plexor",
				"Purple Lambert",
				"Silver Lambert",
				"Violet Lambert",
				"White Lambert"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70db80bd-31b7-4581-accb-914cd8252913",
			"created_at": "2023-01-06T13:46:38.57727Z",
			"updated_at": "2026-04-10T02:00:03.028845Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"the Lamberts",
				"APT-C-39",
				"PLATINUM TERMINAL"
			],
			"source_name": "MISPGALAXY:Longhorn",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1",
			"created_at": "2024-05-01T02:03:08.146025Z",
			"updated_at": "2026-04-10T02:00:03.67072Z",
			"deleted_at": null,
			"main_name": "PLATINUM TERMINAL",
			"aliases": [
				"APT-C-39 ",
				"Longhorn ",
				"The Lamberts ",
				"Vault7 "
			],
			"source_name": "Secureworks:PLATINUM TERMINAL",
			"tools": [
				"AfterMidnight",
				"Assassin",
				"Marble Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439066,
	"ts_updated_at": 1775791877,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d99b9ca07b23c2967de2f14c8f2fd8fb5d87954.pdf",
		"text": "https://archive.orkl.eu/3d99b9ca07b23c2967de2f14c8f2fd8fb5d87954.txt",
		"img": "https://archive.orkl.eu/3d99b9ca07b23c2967de2f14c8f2fd8fb5d87954.jpg"
	}
}