{
	"id": "e83f5805-098a-4eab-a47d-40f082d50712",
	"created_at": "2026-04-06T00:14:35.218081Z",
	"updated_at": "2026-04-10T03:31:17.752208Z",
	"deleted_at": null,
	"sha1_hash": "c47f2925abc495bdd79218658592982ebb476fe7",
	"title": "Purple Lambert - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58863,
	"plain_text": "Purple Lambert - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 18:19:10 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Purple Lambert\n Tool: Purple Lambert\nNames Purple Lambert\nCategory Malware\nType Backdoor\nDescription\n(Kaspersky) The samples were compiled in 2014 and, accordingly, were likely deployed in\n2014 and possibly as late as 2015. Although we have not found any shared code with any other\nknown malware, the samples have intersections of coding patterns, style and techniques that\nhave been seen in various Lambert families. We therefore named this malware Purple Lambert.\nPurple Lambert is composed of several modules, with its network module passively listening\nfor a magic packet. It is capable of providing an attacker with basic information about the\ninfected system and executing a received payload. Its functionality reminds us of Gray\nLambert, another user-mode passive listener. Gray Lambert turned out to be a replacement of\nthe kernel-mode passive-listener White Lambert implant in multiple incidents. In addition,\nPurple Lambert implements functionality similar to, but in different ways, both Gray Lambert\nand White Lambert.\nInformation Last change to this tool card: 16 May 2021\nDownload this tool card in JSON format\nAll groups using tool Purple Lambert\nChanged Name Country Observed\nAPT groups\n ↳ Subgroup: Longhorn, The Lamberts 2009\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6b947f53-6e78-45e6-a1b7-bed678f998ff\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6b947f53-6e78-45e6-a1b7-bed678f998ff\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6b947f53-6e78-45e6-a1b7-bed678f998ff\r\nPage 2 of 2\n\nAPT groups ↳ Subgroup: Longhorn, The Lamberts 2009 \n1 group listed (1 APT, 0 other, 0 unknown)  \n   Page 1 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6b947f53-6e78-45e6-a1b7-bed678f998ff"
	],
	"report_names": [
		"listgroups.cgi?u=6b947f53-6e78-45e6-a1b7-bed678f998ff"
	],
	"threat_actors": [
		{
			"id": "e993faab-f941-4561-bd87-7c33d609a4fc",
			"created_at": "2022-10-25T16:07:23.460301Z",
			"updated_at": "2026-04-10T02:00:04.617715Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"APT-C-39",
				"Platinum Terminal",
				"The Lamberts"
			],
			"source_name": "ETDA:Longhorn",
			"tools": [
				"Black Lambert",
				"Blue Lambert",
				"Corentry",
				"Cyan Lambert",
				"Fluxwire",
				"Gray Lambert",
				"Green Lambert",
				"Magenta Lambert",
				"Pink Lambert",
				"Plexor",
				"Purple Lambert",
				"Silver Lambert",
				"Violet Lambert",
				"White Lambert"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70db80bd-31b7-4581-accb-914cd8252913",
			"created_at": "2023-01-06T13:46:38.57727Z",
			"updated_at": "2026-04-10T02:00:03.028845Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"the Lamberts",
				"APT-C-39",
				"PLATINUM TERMINAL"
			],
			"source_name": "MISPGALAXY:Longhorn",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1",
			"created_at": "2024-05-01T02:03:08.146025Z",
			"updated_at": "2026-04-10T02:00:03.67072Z",
			"deleted_at": null,
			"main_name": "PLATINUM TERMINAL",
			"aliases": [
				"APT-C-39 ",
				"Longhorn ",
				"The Lamberts ",
				"Vault7 "
			],
			"source_name": "Secureworks:PLATINUM TERMINAL",
			"tools": [
				"AfterMidnight",
				"Assassin",
				"Marble Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434475,
	"ts_updated_at": 1775791877,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c47f2925abc495bdd79218658592982ebb476fe7.pdf",
		"text": "https://archive.orkl.eu/c47f2925abc495bdd79218658592982ebb476fe7.txt",
		"img": "https://archive.orkl.eu/c47f2925abc495bdd79218658592982ebb476fe7.jpg"
	}
}