Purple Lambert - Threat Group Cards: A Threat Actor
Encyclopedia
Archived: 2026-04-05 18:19:10 UTC
Home > List all groups > List all tools > List all groups using tool Purple Lambert
 Tool: Purple Lambert
Names Purple Lambert
Category Malware
Type Backdoor
Description
(Kaspersky) The samples were compiled in 2014 and, accordingly, were likely deployed in
2014 and possibly as late as 2015. Although we have not found any shared code with any other
known malware, the samples have intersections of coding patterns, style and techniques that
have been seen in various Lambert families. We therefore named this malware Purple Lambert.
Purple Lambert is composed of several modules, with its network module passively listening
for a magic packet. It is capable of providing an attacker with basic information about the
infected system and executing a received payload. Its functionality reminds us of Gray
Lambert, another user-mode passive listener. Gray Lambert turned out to be a replacement of
the kernel-mode passive-listener White Lambert implant in multiple incidents. In addition,
Purple Lambert implements functionality similar to, but in different ways, both Gray Lambert
and White Lambert.
Information Last change to this tool card: 16 May 2021
Download this tool card in JSON format
All groups using tool Purple Lambert
Changed Name Country Observed
APT groups
 ↳ Subgroup: Longhorn, The Lamberts 2009
1 group listed (1 APT, 0 other, 0 unknown)
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6b947f53-6e78-45e6-a1b7-bed678f998ff
Page 1 of 2

Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6b947f53-6e78-45e6-a1b7-bed678f998ff
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=6b947f53-6e78-45e6-a1b7-bed678f998ff
Page 2 of 2

APT groups ↳ Subgroup: Longhorn, The Lamberts 2009 
1 group listed (1 APT, 0 other, 0 unknown)  
   Page 1 of 2