{
	"id": "9a051f1e-965e-4604-a3a7-e8899f826375",
	"created_at": "2026-04-06T00:13:39.382887Z",
	"updated_at": "2026-04-10T03:31:17.785693Z",
	"deleted_at": null,
	"sha1_hash": "590e32a1e3a39cea1e8db6b0bda3d166da716dfb",
	"title": "Green Lambert - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59690,
	"plain_text": "Green Lambert - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 14:51:48 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Green Lambert\n Tool: Green Lambert\nNames Green Lambert\nCategory Malware\nType Loader\nDescription\n(Kaspersky) Looking further for malware similar to Blue Lambert, we came by another\nfamily of malware we called Green Lambert. Green Lambert is a lighter, more reliable,\nbut older version of Blue Lambert. Interestingly, while most Blue Lambert variants have\nversion numbers in the range of 2.x, Green Lambert is mostly in 3.x versions. This\nstands in opposition to the data gathered from export timestamps and C\u0026C domain\nactivity that points to Green Lambert being considerably older than the Blue variant.\nPerhaps both Blue and Green Lamberts have been developed in parallel by two different\nteams working under the same umbrella, as normal software version iterations, with one\nseeing earlier deployment than the other.\nSignatures created for Green Lambert (Windows) have also triggered on an OS X\nvariant of Green Lambert, with a very low version number: 1.2.0. This was uploaded to\na multiscanner service in September 2014. The OS X variant of Green Lambert is in\nmany regards functionally identical to the Windows version, however it misses certain\nfunctionality such as running plugins directly in memory.\nInformation MITRE ATT\u0026CK Last change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool Green Lambert\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ca7ec4d8-ddd5-4a6a-a1ef-891f53ce52be\nPage 1 of 2\n\nAPT groups\r\n      ↳ Subgroup: Longhorn, The Lamberts 2009  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ca7ec4d8-ddd5-4a6a-a1ef-891f53ce52be\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ca7ec4d8-ddd5-4a6a-a1ef-891f53ce52be\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ca7ec4d8-ddd5-4a6a-a1ef-891f53ce52be"
	],
	"report_names": [
		"listgroups.cgi?u=ca7ec4d8-ddd5-4a6a-a1ef-891f53ce52be"
	],
	"threat_actors": [
		{
			"id": "e993faab-f941-4561-bd87-7c33d609a4fc",
			"created_at": "2022-10-25T16:07:23.460301Z",
			"updated_at": "2026-04-10T02:00:04.617715Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"APT-C-39",
				"Platinum Terminal",
				"The Lamberts"
			],
			"source_name": "ETDA:Longhorn",
			"tools": [
				"Black Lambert",
				"Blue Lambert",
				"Corentry",
				"Cyan Lambert",
				"Fluxwire",
				"Gray Lambert",
				"Green Lambert",
				"Magenta Lambert",
				"Pink Lambert",
				"Plexor",
				"Purple Lambert",
				"Silver Lambert",
				"Violet Lambert",
				"White Lambert"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70db80bd-31b7-4581-accb-914cd8252913",
			"created_at": "2023-01-06T13:46:38.57727Z",
			"updated_at": "2026-04-10T02:00:03.028845Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"the Lamberts",
				"APT-C-39",
				"PLATINUM TERMINAL"
			],
			"source_name": "MISPGALAXY:Longhorn",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1",
			"created_at": "2024-05-01T02:03:08.146025Z",
			"updated_at": "2026-04-10T02:00:03.67072Z",
			"deleted_at": null,
			"main_name": "PLATINUM TERMINAL",
			"aliases": [
				"APT-C-39 ",
				"Longhorn ",
				"The Lamberts ",
				"Vault7 "
			],
			"source_name": "Secureworks:PLATINUM TERMINAL",
			"tools": [
				"AfterMidnight",
				"Assassin",
				"Marble Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434419,
	"ts_updated_at": 1775791877,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/590e32a1e3a39cea1e8db6b0bda3d166da716dfb.pdf",
		"text": "https://archive.orkl.eu/590e32a1e3a39cea1e8db6b0bda3d166da716dfb.txt",
		"img": "https://archive.orkl.eu/590e32a1e3a39cea1e8db6b0bda3d166da716dfb.jpg"
	}
}