{
	"id": "c734bf35-8d5c-42fd-aacc-1aecc98ab066",
	"created_at": "2026-04-06T00:15:53.818059Z",
	"updated_at": "2026-04-10T13:12:56.272327Z",
	"deleted_at": null,
	"sha1_hash": "5b8fc970a90f09d92c4b13a1bb810895a3885413",
	"title": "Endpoint Protection - Symantec Enterprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70087,
	"plain_text": "Endpoint Protection - Symantec Enterprise\r\nArchived: 2026-04-05 18:35:00 UTC\r\nSpying tools and operational protocols detailed in the recent Vault 7 leak have been used in cyberattacks against at least 40 targets in 16 different countries by a group Symantec calls Longhorn. Symantec has been protecting its customers from Longhorn’s tools for the past three years and has continued to track the group in order to learn more about its tools, tactics, and procedures.\r\nThe tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks. The Longhorn group shares some of the same cryptographic protocols specified in the Vault 7 documents, in addition to following leaked guidelines on tactics to avoid detection. Given the close similarities between the tools and techniques, there can be little doubt that Longhorn's activities and the Vault 7 documents are the work of the same group.\r\nWho is Longhorn?\r\nLonghorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker.\r\nLonghorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally.\r\nThe link to Vault 7\r\nA number of documents disclosed by WikiLeaks outline specifications and requirements for malware tools. 
One document is a development timeline for a piece of malware called Fluxwire, containing a changelog of dates for when new features were incorporated. These dates align closely with the development of one Longhorn tool (Trojan.Corentry) tracked by Symantec. New features in Corentry consistently appeared in samples obtained by Symantec either on the same date listed in the Vault 7 document or several days later, leaving little doubt that Corentry is the malware described in the leaked document.\r\nEarly versions of Corentry seen by Symantec contained a reference to the file path for the Fluxwire program database (PDB) file. The Vault 7 document lists removal of the full path for the PDB as one of the changes implemented in Version 3.5.0.\r\nUp until 2014, versions of Corentry were compiled using GCC. According to the Vault 7 document, Fluxwire switched to an MSVC compiler for version 3.3.0 on February 25, 2015. This was reflected in samples of Corentry, where a version compiled on February 25, 2015 had used MSVC as a compiler.\r\nhttps://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments\r\nPage 1 of 4\r\nCorentry sample (MD5 hash) | Date/time of sample compilation | Embedded Corentry version number | Corentry compiler | Vault 7 changelog number | Vault 7 changelog date\r\nN/A | N/A | N/A | N/A | 2.1.0 - 2.4.1 | Jan 12, 2011 - Feb 28, 2013\r\ne20d5255d8ab1ff5f157847d2f3ffb25 | 23/08/2013 10:20 | 3.0.0 | GCC | 3.0.0 | Aug 23, 2013\r\n5df76f1ad59e019e52862585d27f1de2 | 21/02/2014 11:07 | 3.1.0 | GCC | 3.1.0 | Feb 20, 2014\r\n318d8b61d642274dd0513c293e535b38 | 15/05/2014 09:01 | 3.1.1 | GCC | 3.1.1 | May 14, 2014\r\nN/A | N/A | N/A | N/A | 3.2.0 | Jul 15, 2014\r\n511a473e26e7f10947561ded8f73ffd0 | 03/09/2014 00:12 | 3.2.1 | GCC | 3.2.1 | Aug 18, 2014\r\nc06d422656ca69827f63802667723932 | 25/02/2015 16:50 | N/A | MSVC | 3.3.0 | Feb 25, 2015\r\nN/A | N/A | N/A | N/A | 3.3.1 -\u003e 3.5.0 | May 17, 2015 -\u003e Nov 13, 2015\r\nTable. Corentry version numbers and compilation dates compared to Fluxwire version numbers and changelog dates disclosed in Vault 7\r\nA second Vault 7 document details Fire and Forget, a specification for user-mode injection of a payload by a tool called Archangel. The specification of the payload and the interface used to load it was closely matched in another Longhorn tool called Backdoor.Plexor.\r\nA third document outlines cryptographic protocols that malware tools should follow. These include the use of inner cryptography within SSL to prevent man-in-the-middle (MITM) attacks, key exchange once per connection, and use of AES with a 32-byte key. These requirements align with the cryptographic practices observed by Symantec in all of the Longhorn tools.\r\nOther Vault 7 documents outline tradecraft practices to be used, such as use of the Real-time Transport Protocol (RTP) as a means of command and control (C\u0026C) communications, employing wipe-on-use as standard practice, in-memory string de-obfuscation, using a unique deployment-time key for string obfuscation, and the use of secure erase protocols involving renaming and overwriting. Symantec has observed Longhorn tools following all of these practices. 
While other malware families are known to use some of these practices, the fact that so many of them are followed by Longhorn makes it noteworthy.\r\nGlobal reach: Longhorn’s operations\r\nWhile active since at least 2011, with some evidence of activity dating back as far as 2007, Longhorn first came to Symantec’s attention in 2014 with the use of a zero-day exploit (CVE-2014-4148) embedded in a Word document to infect a target with Plexor.\r\nThe malware had all the hallmarks of a sophisticated cyberespionage group. Aside from access to zero-day exploits, the group had preconfigured Plexor with elements that indicated prior knowledge of the target environment.\r\nTo date, Symantec has found evidence of Longhorn activities against 40 targets spread across 16 different countries. Symantec has seen Longhorn use four different malware tools against its targets: Corentry, Plexor, Backdoor.Trojan.LH1, and Backdoor.Trojan.LH2.\r\nBefore deploying malware to a target, the Longhorn group will preconfigure it with what appears to be target-specific code words and distinct C\u0026C domains and IP addresses for communications back to the attackers. Longhorn tools have embedded capitalized code words, internally referenced as “groupid” and “siteid”, which may be used to identify campaigns and victims. Over 40 of these identifiers have been observed, and typically follow the theme of movies, characters, food, or music. One example was a nod to the band The Police, with the code words REDLIGHT and ROXANNE used.\r\nLonghorn’s malware has an extensive list of commands for remote control of the infected computer. Most of the malware can also be customized with additional plugins and modules, some of which have been observed by Symantec.\r\nLonghorn’s malware appears to be specifically built for espionage-type operations, with detailed system fingerprinting, discovery, and exfiltration capabilities. 
The malware uses a high degree of operational security, communicating externally at only select times, with upload limits on exfiltrated data, and randomization of communication intervals—all attempts to stay under the radar during intrusions.\r\nFor C\u0026C servers, Longhorn typically configures a specific domain and IP address combination per target. The domains appear to be registered by the attackers; however, they use privacy services to hide their real identity. The IP addresses are typically owned by legitimate companies offering virtual private server (VPS) or webhosting services. The malware communicates with C\u0026C servers over HTTPS using a custom underlying cryptographic protocol to protect communications from identification.\r\nPrior to the Vault 7 leak, Symantec’s assessment of Longhorn was that it was a well-resourced organization which was involved in intelligence gathering operations. This assessment was based on its global range of targets and access to a range of comprehensively developed malware and zero-day exploits. The group appeared to work a standard Monday to Friday working week, based on timestamps and domain name registration dates, behavior which is consistent with state-sponsored groups.\r\nSymantec’s analysis uncovered a number of indicators that Longhorn was from an English-speaking, North American country. The acronym MTWRFSU (Monday Tuesday Wednesday ThuRsday Friday Saturday SUnday) was used to configure which day of the week malware would communicate with the attackers. This acronym is common in academic calendars in North America. 
Some of the code words found in the malware, such as SCOOBYSNACK, would be most familiar in North America. In addition to this, the compilation times of tools with reliable timestamps indicate a time zone in the Americas.\r\nDistinctive fingerprints\r\nLonghorn has used advanced malware tools and zero-day vulnerabilities to infiltrate a string of targets worldwide. Taken in combination, the tools, techniques, and procedures employed by Longhorn are distinctive and unique to this group, leaving little doubt about its link to Vault 7.\r\nThroughout its investigation of Longhorn, Symantec’s priority has been protection of its customers. Through identifying different strains of Longhorn malware, connecting them to a single actor, and learning more about the group’s tactics and procedures, Symantec has been able to better defend customer organizations against this and similar threats. In publishing this new information, Symantec’s goal remains unchanged: to reassure customers that it is aware of this threat and actively working to protect them from it.\r\nProtection\r\nSymantec and Norton products have been protecting against Longhorn malware for a number of years with the following detections:\r\nBackdoor.Plexor\r\nTrojan.Corentry\r\nBackdoor.Trojan.LH1\r\nBackdoor.Trojan.LH2\r\nSource: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"report_names": [
		"viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"threat_actors": [
		{
			"id": "e993faab-f941-4561-bd87-7c33d609a4fc",
			"created_at": "2022-10-25T16:07:23.460301Z",
			"updated_at": "2026-04-10T02:00:04.617715Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"APT-C-39",
				"Platinum Terminal",
				"The Lamberts"
			],
			"source_name": "ETDA:Longhorn",
			"tools": [
				"Black Lambert",
				"Blue Lambert",
				"Corentry",
				"Cyan Lambert",
				"Fluxwire",
				"Gray Lambert",
				"Green Lambert",
				"Magenta Lambert",
				"Pink Lambert",
				"Plexor",
				"Purple Lambert",
				"Silver Lambert",
				"Violet Lambert",
				"White Lambert"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70db80bd-31b7-4581-accb-914cd8252913",
			"created_at": "2023-01-06T13:46:38.57727Z",
			"updated_at": "2026-04-10T02:00:03.028845Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"the Lamberts",
				"APT-C-39",
				"PLATINUM TERMINAL"
			],
			"source_name": "MISPGALAXY:Longhorn",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1",
			"created_at": "2024-05-01T02:03:08.146025Z",
			"updated_at": "2026-04-10T02:00:03.67072Z",
			"deleted_at": null,
			"main_name": "PLATINUM TERMINAL",
			"aliases": [
				"APT-C-39 ",
				"Longhorn ",
				"The Lamberts ",
				"Vault7 "
			],
			"source_name": "Secureworks:PLATINUM TERMINAL",
			"tools": [
				"AfterMidnight",
				"Assassin",
				"Marble Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434553,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b8fc970a90f09d92c4b13a1bb810895a3885413.pdf",
		"text": "https://archive.orkl.eu/5b8fc970a90f09d92c4b13a1bb810895a3885413.txt",
		"img": "https://archive.orkl.eu/5b8fc970a90f09d92c4b13a1bb810895a3885413.jpg"
	}
}