{ "id": "7707127b-5f93-4373-99b2-359b38a2d09d", "created_at": "2026-04-06T00:17:55.656946Z", "updated_at": "2026-04-10T03:31:17.801324Z", "deleted_at": null, "sha1_hash": "ad613c57914075f3fb3fbf16aa618006ce650d90", "title": "Gray Lambert - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 58502, "plain_text": "Gray Lambert - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 14:40:56 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Gray Lambert\n Tool: Gray Lambert\nNames Gray Lambert\nCategory Malware\nType Backdoor\nDescription\n(Kaspersky) Gray Lambert is the most recent tool in the Lamberts’ arsenal. It is a network-driven backdoor, similar in functionality to White Lambert. Unlike White Lambert, which runs\nin kernel mode, Gray Lambert is a user-mode implant. The compilation and coding style of\nGray Lambert is similar to the Pink Lambert USB stealers. Gray Lambert initially appeared on\nthe computers of victims infected by White Lambert, which could suggest the authors were\nupgrading White Lambert infections to Gray. This migration activity was last observed in\nOctober 2016.\nSome of the known filenames for Gray Lambert are mwapi32.dll and poolstr.dll – it should be\npointed though that the filenames used by the Lamberts are generally unique and have never\nbeen used twice.\nInformation Last change to this tool card: 20 April 2020\nDownload this tool card in JSON format\nAll groups using tool Gray Lambert\nChanged Name Country Observed\nAPT groups\n ↳ Subgroup: Longhorn, The Lamberts 2009\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7aa0981d-8323-42c0-85fc-2cb97ef2f2e3\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7aa0981d-8323-42c0-85fc-2cb97ef2f2e3\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7aa0981d-8323-42c0-85fc-2cb97ef2f2e3\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7aa0981d-8323-42c0-85fc-2cb97ef2f2e3" ], "report_names": [ "listgroups.cgi?u=7aa0981d-8323-42c0-85fc-2cb97ef2f2e3" ], "threat_actors": [ { "id": "e993faab-f941-4561-bd87-7c33d609a4fc", "created_at": "2022-10-25T16:07:23.460301Z", "updated_at": "2026-04-10T02:00:04.617715Z", "deleted_at": null, "main_name": "Longhorn", "aliases": [ "APT-C-39", "Platinum Terminal", "The Lamberts" ], "source_name": "ETDA:Longhorn", "tools": [ "Black Lambert", "Blue Lambert", "Corentry", "Cyan Lambert", "Fluxwire", "Gray Lambert", "Green Lambert", "Magenta Lambert", "Pink Lambert", "Plexor", "Purple Lambert", "Silver Lambert", "Violet Lambert", "White Lambert" ], "source_id": "ETDA", "reports": null }, { "id": "70db80bd-31b7-4581-accb-914cd8252913", "created_at": "2023-01-06T13:46:38.57727Z", "updated_at": "2026-04-10T02:00:03.028845Z", "deleted_at": null, "main_name": "Longhorn", "aliases": [ "the Lamberts", "APT-C-39", "PLATINUM TERMINAL" ], "source_name": "MISPGALAXY:Longhorn", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1", "created_at": "2024-05-01T02:03:08.146025Z", "updated_at": "2026-04-10T02:00:03.67072Z", "deleted_at": null, "main_name": "PLATINUM TERMINAL", "aliases": [ "APT-C-39 ", "Longhorn ", "The Lamberts ", "Vault7 " ], "source_name": "Secureworks:PLATINUM TERMINAL", "tools": [ "AfterMidnight", "Assassin", "Marble Framework" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434675, "ts_updated_at": 1775791877, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ad613c57914075f3fb3fbf16aa618006ce650d90.pdf", "text": "https://archive.orkl.eu/ad613c57914075f3fb3fbf16aa618006ce650d90.txt", "img": "https://archive.orkl.eu/ad613c57914075f3fb3fbf16aa618006ce650d90.jpg" } }