{
	"id": "cc7e70f7-1589-45f9-baca-27ea2e3fee0d",
	"created_at": "2026-04-06T01:28:55.715065Z",
	"updated_at": "2026-04-10T13:11:31.390347Z",
	"deleted_at": null,
	"sha1_hash": "d1f041e1bbbf5b555d6c26a4e9a402c9f2b12235",
	"title": "Green Lambert and ATT\u0026CK — Glitch-Cat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67956,
	"plain_text": "Green Lambert and ATT\u0026CK — Glitch-Cat\r\nWritten by Runa Sandvik, Oct 18\r\nPublished: 2001-10-18 · Archived: 2026-04-06 01:19:25 UTC\r\nOn October 1, I gave a talk at Objective By The Sea about a CIA implant called Green Lambert. The recording is\r\navailable on YouTube and the written post on Objective-See's blog. Inspired by a talk Adam Pennington and Cat\r\nSelf gave about ATT\u0026CK for macOS, I decided to map Green Lambert to that framework.\r\nMITRE ATT\u0026CK\r\nThe MITRE ATT\u0026CK framework is a great way to document adversary tactics and techniques based on real-world observations. In writing this blog post, I also found that it's a helpful way to identify what you know and\r\ndon't know about an adversary and/or a piece of malware. If you haven’t used ATT\u0026CK before, check out the\r\nresources from CISA and MITRE.\r\nInitial Access\r\nThe first tactic in the matrix is Initial Access, which consists of techniques used to gain entry to a system. As I\r\nwrote in the post for Objective-See, \"we don't know how this implant makes it onto a target system; the type of\r\nsystem it’s used on; or the geographical location of a typical target.\" For that reason, we'll leave this blank.\r\nExecution\r\nThe next tactic, Execution, focuses on techniques used to run the implant on the target system. Comparing\r\nMITRE's list with my post on Objective-See, we find that Green Lambert can:\r\nUse shell scripts for execution (Command and Scripting Interpreter: Unix Shell [T1059.004])\r\nUse Launchd for initial and recurring execution (Scheduled Task/Job: Launchd [T1053.004])\r\nPersistence\r\nPersistence is all about retaining access to the system across restarts, changed credentials, and other interruptions.\r\nIf we look at the section about Entry Points in the Objective-See post, we find that Green Lambert can:\r\nPersist via a LoginItem (Boot or Logon Autostart Execution: Plist Modification [T1547.011])\r\nPersist via RC scripts (Boot or Logon Initialization Scripts: RC Scripts [T1037.004])\r\nPersist via LaunchAgent (Create or Modify System Process: Launch Agent [T1543.001])\r\nPersist via LaunchDaemon (Create or Modify System Process: Launch Daemon [T1543.004])\r\nhttps://web.archive.org/web/20211018145402/https://www.glitch-cat.com/blog/green-lambert-and-attack\r\nPage 1 of 3\n\nPersist via shells (Event Triggered Execution: Unix Shell Configuration Modification [T1546.004])\r\nUse Launchd for initial and recurring execution (Scheduled Task/Job: Launchd [T1053.004])\r\nPrivilege Escalation\r\nWe have not seen Green Lambert gain elevated access, so we'll leave Privilege Escalation blank.\r\nDefense Evasion\r\nThe Defense Evasion tactic looks at how an adversary avoids detection. In this case, that means:\r\nUse of custom routines to decrypt strings (Deobfuscate/Decode Files or Information [T1140])\r\nAbility to self-delete once installed (Indicator Removal on Host: File Deletion [T1070.004])\r\nMasquerade as GrowlHelper (Masquerading: Masquerade Task or Service [T1036.004])\r\nAnd as Software Update Check (Masquerading: Masquerade Task or Service [T1036.004])\r\nDecrypt strings in-memory, per CIA guidelines (Obfuscated Files or Information [T1027])\r\nCredential Access\r\nCredential Access looks at techniques used to steal credentials, such as account names and passwords. During\r\ninitial triage of Green Lambert, we found a string that (at least) suggests the following technique.\r\nUse of SecKeychainFindInternet… (Credentials from Password Stores: Keychain [T1555.001])\r\nDiscovery\r\nFor Discovery, we'll look for ways that Green Lambert gains knowledge about the system. We don't have a lot of\r\ninformation to go on, just a few clues from our initial triage and what appears to be a configuration file and/or\r\nsystem survey. Green Lambert can:\r\nDetermine the Linux version and system uptime (System Information Discovery [T1082])\r\nDetermine proxy settings (System Network Configuration Discovery [T1016])\r\nDetermine the current date and time (System Time Discovery [T1124])\r\nLateral Movement\r\nWe have not seen Green Lambert access remote systems, so we'll leave Lateral Movement blank.\r\nCollection\r\nWe don't know how Green Lambert treats collected data, so we'll leave Collection blank.\r\nCommand and Control\r\nCommand and Control consists of techniques used for communication. Green Lambert can:\r\nMake a DNS request (Application Layer Protocol: DNS [T1071.004])\r\nCommunicate with hostname and IP address (Fallback Channels [T1008])\r\nUse a proxy for communications (Proxy [T1090])\r\nExfiltration\r\nWe don't know how Green Lambert steals data from the system, so we'll leave Exfiltration blank.\r\nImpact\r\nWe don't have any data to suggest Green Lambert destroys the target, so we'll leave Impact blank.\r\nLet's visualize it!\r\nPlugging (almost all) the information gathered into the ATT\u0026CK Navigator, we get this visualization.\r\nConclusion\r\nThat's it! (I think. Please let me know if I've missed anything.) As the visualization above shows, there's a lot more\r\nto dig into here. For example, you can use @osxreverser's Delambert plugin to decrypt more strings. Or you can\r\ntake a closer look at command line arguments. Or how Green Lambert generates the victim ID. Or what the\r\nimplant collects and how it exfiltrates data.\r\nHappy hunting!\r\nSource: https://web.archive.org/web/20211018145402/https://www.glitch-cat.com/blog/green-lambert-and-attack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20211018145402/https://www.glitch-cat.com/blog/green-lambert-and-attack"
	],
	"report_names": [
		"green-lambert-and-attack"
	],
	"threat_actors": [
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775438935,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d1f041e1bbbf5b555d6c26a4e9a402c9f2b12235.pdf",
		"text": "https://archive.orkl.eu/d1f041e1bbbf5b555d6c26a4e9a402c9f2b12235.txt",
		"img": "https://archive.orkl.eu/d1f041e1bbbf5b555d6c26a4e9a402c9f2b12235.jpg"
	}
}