{
	"id": "252dd6c2-79af-404b-bbcc-c4b21fa0812d",
	"created_at": "2026-04-06T00:14:36.304689Z",
	"updated_at": "2026-04-10T03:33:51.937849Z",
	"deleted_at": null,
	"sha1_hash": "8ddccc7c78846f2a3b0700a9ece17d847ae4c1e9",
	"title": "Unraveling the Lamberts Toolkit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6159546,
	"plain_text": "Unraveling the Lamberts Toolkit\r\nBy GReAT\r\nPublished: 2017-04-11 · Archived: 2026-04-05 16:53:52 UTC\r\nYesterday, our colleagues from Symantec published their analysis of Longhorn, an advanced threat actor that can be easily compared with Regin, ProjectSauron, Equation or Duqu2 in terms of its complexity.\r\nLonghorn, which we internally refer to as “The Lamberts”, first came to the attention of the ITSec community in 2014, when our colleagues from FireEye discovered an attack using a zero-day vulnerability (CVE-2014-4148). The attack leveraged malware we called ‘BlackLambert’, which was used to target a high-profile organization in Europe.\r\nSince at least 2008, The Lamberts have used multiple sophisticated attack tools against high-profile victims. Their arsenal includes network-driven backdoors, several generations of modular backdoors, harvesting tools, and wipers. Versions for both Windows and OSX are known at this time, with the latest samples created in 2016.\r\nAlthough the operational security displayed by actors using the Lamberts toolkit is very good, one sample includes a PDB path that points to a project named “Archan~1” (perhaps ‘Archangel’). The root folder on the PDB path is named “Hudson”. This is one of the very few mistakes we’ve seen with this threat actor.\r\nWhile in most cases the infection vector remains unknown, the high-profile attack from 2014 used a very complex Windows TTF zero-day exploit (CVE-2014-4148).\r\nKaspersky Lab products successfully detect and eradicate all the known malware from the Lamberts family. For more information please contact: intelreports@kaspersky.com\r\nAn Overview of the Lamberts\r\nFigure 1. Lamberts discovery timeline\r\nThe first time the Lambert family malware was uncovered publicly was in October 2014, when FireEye posted a blog about a zero-day exploit (CVE-2014-4148) used in the wild. The vulnerability was patched by Microsoft at the same time. We named the malware involved ‘Black Lambert’ and described it thoroughly in a private report, available to Kaspersky APT Intel Reports subscribers.\r\nThe authors of Black Lambert included a couple of very interesting details in the sample, which read as follows: toolType=wl, build=132914, versionName = 2.0.0. Looking for similar samples, we were able to identify another generation of related tools which we called White Lambert. While Black Lambert connects directly to its C\u0026C for instructions, White Lambert is a fully passive, network-driven backdoor.\r\nhttps://securelist.com/unraveling-the-lamberts-toolkit/77990/\r\nPage 1 of 12\r\n                 Black Lambert    White Lambert\r\nImplant type     Active           Passive\r\ntoolType         wl               aa (“ArchAngel”)\r\nbuild            132914           113140\r\nversionName      2.0.0            5.0.2\r\nInternal configuration similarities in Black and White Lambert\r\nWhite Lambert runs in kernel mode and intercepts network traffic on infected machines. It decrypts packets crafted in a special format to extract instructions. We named these passive backdoors ‘White Lambert’ to contrast with the active “Black Lambert” implants.\r\nLooking further for any other malware related to White Lambert and Black Lambert, we came across another generation of malware that we called Blue Lambert.\r\nOne of the Blue Lambert samples is interesting because it appears to have been used as second-stage malware in a high-profile attack, which involved the Black Lambert malware.\r\nLooking further for malware similar to Blue Lambert, we came across another family of malware we called Green Lambert. Green Lambert is a lighter, more reliable, but older version of Blue Lambert. Interestingly, while most Blue Lambert variants have version numbers in the range of 2.x, Green Lambert is mostly in 3.x versions. This stands in opposition to the data gathered from export timestamps and C\u0026C domain activity, which points to Green Lambert being considerably older than the Blue variant. Perhaps both Blue and Green Lamberts have been developed in parallel by two different teams working under the same umbrella, as normal software version iterations, with one seeing earlier deployment than the other.\r\nSignatures created for Green Lambert (Windows) have also triggered on an OS X variant of Green Lambert, with a very low version number: 1.2.0. This was uploaded to a multiscanner service in September 2014. The OS X variant of Green Lambert is in many regards functionally identical to the Windows version; however, it lacks certain functionality such as running plugins directly in memory.\r\nKaspersky Lab detections for Blue, Black, and Green Lamberts have been triggered by a relatively small set of victims from around the world. While investigating one of these infections involving White Lambert (network-driven implant) and Blue Lambert (active implant), we found yet another family of tools that appear to be related. We called this new family Pink Lambert.\r\nThe Pink Lambert toolset includes a beaconing implant, a USB-harvesting module and a multi-platform orchestrator framework which can be used to create OS-independent malware. Versions of this particular orchestrator were found on other victims, together with White Lambert samples, indicating a close relationship between the White and Pink Lambert malware families.\r\nBy looking further for other undetected malware on victims of White Lambert, we found yet another apparently related family. The new family, which we called Gray Lambert, is the latest iteration of the passive network tools from the Lamberts’ arsenal. The coding style of Gray Lambert is similar to the Pink Lambert USB-harvesting module; however, the functionality mirrors that of White Lambert. Compared to White Lambert, Gray Lambert runs in user mode, without the need for exploiting a vulnerable signed driver to load arbitrary code on 64-bit Windows variants.\r\nConnecting all these different families by shared code, data formats, C\u0026C servers, and victims, we have arrived at the following overarching picture:\r\nFigure 2. An overview of connections between the Lambert families\r\nThe Lamberts in Brief – from Black to Gray\r\nBelow, we provide a small summary of all the Lamberts. A full description of all variants is available to subscribers of Kaspersky APT Reports. Contact intelreports@kaspersky.com\r\nBlack Lambert\r\nThe only known sample of Black Lambert was dropped by a TTF-exploit zero day (CVE-2014-4148). Its internal configuration included a proxy server, which suggests the malware was created to work in a very specific network configuration, inside the victim’s network.\r\nAn internal description of Black Lambert indicates what appears to be a set of markers used by the attackers to denote this particular branch: toolType=wl, build=132914, versionName = 2.0.0.\r\nHash                              Description\r\n683afdef710bf3c96d42e6d9e7275130  generic loader (hdmsvc.exe)\r\n79e263f78e69110c09642bbb30f09ace  winlib.dll, final payload (toolType=wl)\r\nBlue Lambert\r\nThe Blue Lambert implants contain what appear to be version numbers in the 2.x range, together with project/operation codename sets, which may also indicate codenames for the victims or campaigns.\r\nFigure 4. Blue Lambert configuration in decrypted form, highlighting internal codenames\r\nKnown codenames include TRUE CRIME (2.2.0.2), CERVELO YARDBIRD (2.6.1.1), GAI SHU (2.2.0.5), DOUBLESIDED SCOOBYSNACK (2.3.0.2), FUNNELCAKE CARNIVAL (2.5.0.2), PROSPER SPOCK (2.0.0.2), RINGTOSS CARNIVAL (2.4.2.2), COD FISH (2.2.0.0), and INVERTED SHOT (2.6.2.3).\r\nGreen Lambert\r\nGreen Lambert is a family of tools deeply related to Blue Lambert. The functionality is very similar: both Blue and Green are active implants. The configuration data shares the same style of codenames for victims, operations, or projects.\r\nFigure 5. Green Lambert configuration block (decrypted) highlighting internal codenames\r\nThe Green Lambert family is the only one where non-Windows variants have been found. An old version of Green Lambert, compiled for OS X, was uploaded from Russia to a multiscanner service in 2014. Its internal codename is HO BO (1.2.0).\r\nThe Windows versions of Green Lambert have the following code names: BEARD BLUE (2.7.1), GORDON FLASH (3.0), APE ESCAPE (3.0.2), SPOCK LOGICAL (3.0.2), PIZZA ASSAULT (3.0.5), and SNOW BLOWER (3.0.5).\r\nInterestingly, one of the droppers of Green Lambert abused an ICS software package named “Subway Environmental Simulation Program” or “SES”, which has been available on certain forums visited by engineers working with industrial software. Similar techniques have been observed in the past from other threat groups, for instance, trojanized Oracle installers by the Equation group.\r\nWhite Lambert\r\nWhite Lambert is a family of tools that share the same internal description as Black Lambert. Known tool types, builds, and version names include:\r\nToolType “aa”, protocol 3, version 7, versionName 5.0.2, build 113140\r\nToolType “aa”, protocol 3, version 7, versionName 5.0.0, build 113140\r\nToolType “aa”, protocol 3, version 6, versionName 4.2.0, build 110836M\r\nToolType “aa”, protocol 3, version 5, versionName 3.2.0\r\nOne of the White Lambert samples is interesting because it has a forgotten PDB path inside, which points to “Archan~1” and “Hudson”. Hudson could point to a project name, if the authors name their projects after rivers in the US, or it could also be the developer’s first name. The truncated (8.3) path “archan~1” most likely means “Archangel”. The tool type “aa” could also suggest “ArchAngel”. By comparison, the Black Lambert tool type “wl” has no known meaning.\r\nWhite Lambert samples run in kernel mode and sniff network traffic looking for special packets containing instructions to execute. To run unsigned code in kernel mode on 64-bit Windows, White Lambert uses an exploit against a signed, legitimate SiSoftware Sandra driver. The same method was used before by Turla, ProjectSauron, and Equation’s Grayfish, with other known, legitimate drivers.\r\nPink Lambert\r\nPink Lambert is a suite of tools initially discovered on a White Lambert victim. It includes a beaconing implant, partially based on publicly available source code. The source code on top of which Pink Lambert’s beaconing implant was created is “A Fully Featured Windows HTTP Wrapper in C++”.\r\nFigure 6. “A Fully Featured Windows HTTP Wrapper” by shicheng\r\nOther tools in the Pink Lambert suite include USB stealer modules and a very complex multi-platform orchestrator.\r\nIn a second incident, a Pink Lambert orchestrator was found on another White Lambert victim, substantiating the connection between the Pink and White Lamberts.\r\nGray Lambert\r\nGray Lambert is the most recent tool in the Lamberts’ arsenal. It is a network-driven backdoor, similar in functionality to White Lambert. Unlike White Lambert, which runs in kernel mode, Gray Lambert is a user-mode implant. The compilation and coding style of Gray Lambert is similar to the Pink Lambert USB stealers. Gray Lambert initially appeared on the computers of victims infected by White Lambert, which could suggest the authors were upgrading White Lambert infections to Gray. This migration activity was last observed in October 2016.\r\nSome of the known filenames for Gray Lambert are mwapi32.dll and poolstr.dll – it should be pointed out, though, that the filenames used by the Lamberts are generally unique and have never been used twice.\r\nTimeline\r\nMost of the Blue and Green Lambert samples have two C\u0026C servers hardcoded in their configuration block: a hostname and an IP address. Using our own pDNS as well as DomainTools IP history, we plotted the times when the C\u0026C servers were active and pointing to the same IP address as the one from the configuration block.\r\nUnfortunately, this method doesn’t work for all samples, since some of them don’t have a domain for C\u0026C. Additionally, in some cases we couldn’t find any pDNS information for the hostname configured in the malware.\r\nLuckily, the attackers have made a few mistakes, which allow us to identify the activity times for most of the other samples. For instance, in cases where no pDNS information was available for a subdomain on top of the main C\u0026C domain, the domain registration dates were sufficient to point out when the activity began. Additionally, in some cases the top domain pointed to the same IP address as the one from the configuration file, allowing us to identify the activity times.\r\nAnother worthwhile analysis method focuses on the set of Blue Lambert samples that have exports. Although most compilation timestamps in the PE header appear to have been tampered with (to reflect a 2003-2004 range), the authors forgot to alter the timestamps in the export section. This allowed us to identify not just the activity / compilation timestamps, but also the method used for faking the compilation timestamps in the PE header.\r\nIt seems the algorithm used to tamper with the samples was the following: subtract 0x10 from the highest byte of the timestamp (which amounts to about 8 and a half years) and then randomize the lowest 3 bytes. This way we conclude that for Blue Lamberts, the original compilation time of samples was in the range of 2012-2015.\r\nPutting together all the various families, with recovered activity times, we come to the following picture:\r\nFigure 8. A timeline of activity for known Lamberts\r\nAs can be seen from the chart above, Green Lambert is the oldest and longest-running in the family, while Gray is the newest. White, Blue and Pink somehow overlap in deployment, with Blue replacing Green Lambert. Black Lambert was seen only briefly and we assume it was “retired” from the arsenal after being discovered by FireEye in 2014.\r\nCodenames and Popular Culture Referenced in Lamberts\r\nThe threat group(s) behind the Lambert toolkits have used a large number of codenames extensively throughout their projects. Some of these codenames are references to old computer games, Star Trek, and cartoons, which is very unusual for high-profile APT groups. We really enjoyed going through the backstories of these codenames and wanted to provide them below for others to enjoy as well.\r\nFor instance, one of the Green Lambert versions has the internal codename “GORDON FLASH”, which can also be read as “FLASH GORDON”. Flash Gordon is the hero of a space opera adventure comic strip created by and originally drawn by Alex Raymond. It was first published in 1934 and subsequently turned into a popular film in 1980.\r\nFlash Gordon poster\r\nA ‘Funnel cake’ is a regional food popular in North America at carnivals, fairs, sporting events, and seaside resorts. This explains the codename “FUNNELCAKE CARNIVAL”:\r\nFigure 9. A typical funnel cake\r\nSpock and Prosper obviously refer to Star Trek, the well-known science fiction television series created by Gene Roddenberry. Cdr. Spock is a half-Vulcan, half-human character, portrayed by Leonard Nimoy. “Live long and prosper” is the traditional Vulcan greeting in the series.\r\nLeonard Nimoy as “Spock” displaying the traditional Vulcan greeting “Live long and prosper”\r\nRingtoss is a game that is very popular at carnivals in North America.\r\nDOUBLESIDED SCOOBYSNACK is likely a reference to an NFL Lip Reading video featuring Adrian Peterson that went viral in mid-2013. According to the Urban Dictionary, it is also used to denote a sexual game in which the participants are dressed as Scooby-Doo and his master.\r\nApe Escape (also known as Saru Get You (サルゲッチュ Saru Getchu) in Japan) is a series of video games made by SCE Japan Studio, starting with Ape Escape for PlayStation in 1999. The series often incorporates ape-related humor, unique gameplay, and a wide variety of pop culture references; it is also notable for being the first game to make the DualShock or Dual Analog controller mandatory.\r\nApe Escape\r\nINVERTED SHOT is likely a reference to a mixed martial arts move also known as an ‘Imanari roll takedown’, named after Masakazu Imanari who popularized the grappling technique. It consists of a modified Brazilian jiu-jitsu granby roll that places the fighter in inverted guard position while taking the opponent down to the mat.\r\nGAI and SHU (as used in Green Lambert OS X) are characters from the Guilty Crown anime series. Gai Tsutsugami (恙神 涯 Tsutsugami Gai) is the 17-year-old resourceful and charismatic leader of the “Funeral Parlor” resistance group, while Shu Ouma (桜満 集 Ōma Shū) is the 17-year-old main protagonist of Guilty Crown.\r\nFigure 10. Main characters of Guilty Crown with Shu Ouma in the middle.\r\nConclusions\r\nThe Lamberts toolkit spans several years, with most activity occurring in 2013 and 2014. Overall, the toolkit includes highly sophisticated malware, which relies on high-level techniques to sniff network traffic, run plugins in memory without touching the disk, and leverages exploits against signed drivers to run unsigned code on 64-bit Windows.\r\nTo further exemplify the proficiency of the attackers leveraging the Lamberts toolkit, the deployment of Black Lambert included a rather sophisticated TTF zero-day exploit, CVE-2014-4148. Taking that into account, we classify the Lamberts as being at the same level of complexity as Regin, ProjectSauron, Equation and Duqu2, which makes them one of the most sophisticated cyber espionage toolkits we have ever analysed.\r\nConsidering the complexity of these projects and the existence of an implant for OS X, we assume that it is highly possible that other Lamberts also exist for other platforms, such as Linux. The fact that in the vast majority of cases the infection method is unknown probably means there are still a lot of unknown details about these attacks and the group(s) leveraging them.\r\nAs usual, defense against attacks such as those from the Lamberts/Longhorn should include a multi-layered approach. Kaspersky products include special mitigation strategies against the malware used by this group, as well as the many other APT groups we track. If you are interested in reading more about effective mitigation strategies in general, we recommend the following articles:\r\nStrategies for mitigating APTs\r\nHow to mitigate 85% of threats with four strategies\r\nWe will continue tracking the Lamberts and sharing new findings with our intel report subscribers, as well as with the general public. If you would like to be the first to hear our news, we suggest you subscribe to our intel reports.\r\nKaspersky Lab products successfully detect and eradicate all the known malware from the Lamberts family.\r\nFor more information about the Lamberts, please contact: intelreports@kaspersky.com\r\nSource: https://securelist.com/unraveling-the-lamberts-toolkit/77990/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://securelist.com/unraveling-the-lamberts-toolkit/77990/"
	],
	"report_names": [
		"77990"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "99845f58-2c39-46f7-8369-bb621ebb7002",
			"created_at": "2022-10-25T16:07:24.238844Z",
			"updated_at": "2026-04-10T02:00:04.90851Z",
			"deleted_at": null,
			"main_name": "Strider",
			"aliases": [
				"G0041",
				"ProjectSauron"
			],
			"source_name": "ETDA:Strider",
			"tools": [
				"Backdoor.Remsec",
				"ProjectSauron",
				"Remsec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c1ac2a5e-0225-47a4-8ac5-5fa898c96bde",
			"created_at": "2023-01-06T13:46:38.472883Z",
			"updated_at": "2026-04-10T02:00:02.989134Z",
			"deleted_at": null,
			"main_name": "ProjectSauron",
			"aliases": [
				"Sauron",
				"Project Sauron",
				"G0041"
			],
			"source_name": "MISPGALAXY:ProjectSauron",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e993faab-f941-4561-bd87-7c33d609a4fc",
			"created_at": "2022-10-25T16:07:23.460301Z",
			"updated_at": "2026-04-10T02:00:04.617715Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"APT-C-39",
				"Platinum Terminal",
				"The Lamberts"
			],
			"source_name": "ETDA:Longhorn",
			"tools": [
				"Black Lambert",
				"Blue Lambert",
				"Corentry",
				"Cyan Lambert",
				"Fluxwire",
				"Gray Lambert",
				"Green Lambert",
				"Magenta Lambert",
				"Pink Lambert",
				"Plexor",
				"Purple Lambert",
				"Silver Lambert",
				"Violet Lambert",
				"White Lambert"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70db80bd-31b7-4581-accb-914cd8252913",
			"created_at": "2023-01-06T13:46:38.57727Z",
			"updated_at": "2026-04-10T02:00:03.028845Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"the Lamberts",
				"APT-C-39",
				"PLATINUM TERMINAL"
			],
			"source_name": "MISPGALAXY:Longhorn",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1",
			"created_at": "2024-05-01T02:03:08.146025Z",
			"updated_at": "2026-04-10T02:00:03.67072Z",
			"deleted_at": null,
			"main_name": "PLATINUM TERMINAL",
			"aliases": [
				"APT-C-39 ",
				"Longhorn ",
				"The Lamberts ",
				"Vault7 "
			],
			"source_name": "Secureworks:PLATINUM TERMINAL",
			"tools": [
				"AfterMidnight",
				"Assassin",
				"Marble Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a0d369c1-f0b7-4c70-a3a5-77aabbd17979",
			"created_at": "2022-10-25T15:50:23.311311Z",
			"updated_at": "2026-04-10T02:00:05.407733Z",
			"deleted_at": null,
			"main_name": "Strider",
			"aliases": [
				"ProjectSauron"
			],
			"source_name": "MITRE:Strider",
			"tools": [
				"Remsec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434476,
	"ts_updated_at": 1775792031,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8ddccc7c78846f2a3b0700a9ece17d847ae4c1e9.pdf",
		"text": "https://archive.orkl.eu/8ddccc7c78846f2a3b0700a9ece17d847ae4c1e9.txt",
		"img": "https://archive.orkl.eu/8ddccc7c78846f2a3b0700a9ece17d847ae4c1e9.jpg"
	}
}