{
	"id": "5a4c02f6-6e81-4ced-a52f-e281d3b45946",
	"created_at": "2026-04-06T00:21:32.215333Z",
	"updated_at": "2026-04-10T03:31:17.773547Z",
	"deleted_at": null,
	"sha1_hash": "bc834603e648380a5bc99e7d56c2197ef55611f3",
	"title": "[Vault 7/8] - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 34009,
	"plain_text": "[Vault 7/8] - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 16:40:30 UTC\r\nDescription: An unnamed source leaked almost 10,000 documents describing a large number of 0-day\r\nvulnerabilities, methodologies and tools that had been collected by the CIA's Subgroup: Longhorn, The Lamberts.\r\nThe leaks were published through WikiLeaks, starting in March 2017. In weekly publications, the dumps were said to\r\ncome from Vault 7 and later Vault 8, until the source's arrest in 2018.\r\nMost of the published vulnerabilities have since been fixed by the respective vendors, but many have been used by\r\nother threat actors.\r\nThis actor turned out to be a former CIA software engineer.\r\n(WikiLeaks) Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central\r\nIntelligence Agency. Code-named “Vault 7” by WikiLeaks, it is the largest ever publication of confidential\r\ndocuments on the agency.\r\nThe first full part of the series, “Year Zero”, comprises 8,761 documents and files from an isolated, high-security\r\nnetwork situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia. It follows an introductory\r\ndisclosure last month of CIA targeting French political parties and candidates in the lead up to the 2012\r\npresidential election.\r\nRecently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, Trojans,\r\nweaponized “zero day” exploits, malware remote control systems and associated documentation. This\r\nextraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor\r\nthe entire hacking capacity of the CIA. 
The archive appears to have been circulated among former U.S.\r\ngovernment hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with\r\nportions of the archive.\r\n“Year Zero” introduces the scope and direction of the CIA’s global covert hacking program, its malware arsenal\r\nand dozens of “zero day” weaponized exploits against a wide range of U.S. and European company products,\r\nincluding Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned\r\ninto covert microphones.\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ddcea012-f9ad-4602-bcfb-a04f2913d58c\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=ddcea012-f9ad-4602-bcfb-a04f2913d58c\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ddcea012-f9ad-4602-bcfb-a04f2913d58c"
	],
	"report_names": [
		"showcard.cgi?u=ddcea012-f9ad-4602-bcfb-a04f2913d58c"
	],
	"threat_actors": [
		{
			"id": "c91e335e-42be-48d9-96b5-ba56749a723b",
			"created_at": "2022-10-25T16:07:23.458346Z",
			"updated_at": "2026-04-10T02:00:04.616481Z",
			"deleted_at": null,
			"main_name": "CIA",
			"aliases": [
				"Central Intelligence Agency"
			],
			"source_name": "ETDA:CIA",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "740a85d2-4072-42a6-9dfc-c72449ccdfa5",
			"created_at": "2022-10-25T16:07:24.58714Z",
			"updated_at": "2026-04-10T02:00:05.044403Z",
			"deleted_at": null,
			"main_name": "[Vault 7/8]",
			"aliases": [],
			"source_name": "ETDA:[Vault 7/8]",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "56742211-e3f9-40b7-bafb-8a6cebf257d0",
			"created_at": "2023-01-06T13:46:39.030574Z",
			"updated_at": "2026-04-10T02:00:03.18915Z",
			"deleted_at": null,
			"main_name": "[Vault 7/8]",
			"aliases": [],
			"source_name": "MISPGALAXY:[Vault 7/8]",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e993faab-f941-4561-bd87-7c33d609a4fc",
			"created_at": "2022-10-25T16:07:23.460301Z",
			"updated_at": "2026-04-10T02:00:04.617715Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"APT-C-39",
				"Platinum Terminal",
				"The Lamberts"
			],
			"source_name": "ETDA:Longhorn",
			"tools": [
				"Black Lambert",
				"Blue Lambert",
				"Corentry",
				"Cyan Lambert",
				"Fluxwire",
				"Gray Lambert",
				"Green Lambert",
				"Magenta Lambert",
				"Pink Lambert",
				"Plexor",
				"Purple Lambert",
				"Silver Lambert",
				"Violet Lambert",
				"White Lambert"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70db80bd-31b7-4581-accb-914cd8252913",
			"created_at": "2023-01-06T13:46:38.57727Z",
			"updated_at": "2026-04-10T02:00:03.028845Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"the Lamberts",
				"APT-C-39",
				"PLATINUM TERMINAL"
			],
			"source_name": "MISPGALAXY:Longhorn",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1",
			"created_at": "2024-05-01T02:03:08.146025Z",
			"updated_at": "2026-04-10T02:00:03.67072Z",
			"deleted_at": null,
			"main_name": "PLATINUM TERMINAL",
			"aliases": [
				"APT-C-39 ",
				"Longhorn ",
				"The Lamberts ",
				"Vault7 "
			],
			"source_name": "Secureworks:PLATINUM TERMINAL",
			"tools": [
				"AfterMidnight",
				"Assassin",
				"Marble Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434892,
	"ts_updated_at": 1775791877,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc834603e648380a5bc99e7d56c2197ef55611f3.pdf",
		"text": "https://archive.orkl.eu/bc834603e648380a5bc99e7d56c2197ef55611f3.txt",
		"img": "https://archive.orkl.eu/bc834603e648380a5bc99e7d56c2197ef55611f3.jpg"
	}
}