{ "id": "51c8e70a-a962-442b-a510-b7f4137dc38e", "created_at": "2026-04-06T00:21:42.12963Z", "updated_at": "2026-04-10T13:12:51.451188Z", "deleted_at": null, "sha1_hash": "e8710803eef625c3a6bd614b106c992ed49756b7", "title": "Tools Used by Lamberts APT Found in Vault 7 Dumps", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 286111, "plain_text": "Tools Used by Lamberts APT Found in Vault 7 Dumps\r\nBy Michael Mimoso\r\nPublished: 2017-04-11 · Archived: 2026-04-05 22:50:50 UTC\r\nResearchers at Kaspersky Lab today disclosed the activities of the Lamberts APT, a group using many of the tools\r\nand tactics found in the Vault 7 dumps.\r\nLinks have emerged connecting targeted attacks going back a decade against high-profile government, industrial\r\nand financial targets around the world to hacking tools and documents leaked in the Vault 7 dump.\r\nResearchers at Kaspersky Lab today published a technical report on the activities of a group it calls the Lamberts,\r\nwhich they say is the same group Symantec identifies as Longhorn. The Lamberts’ toolkit is on par with malware\r\nand backdoors used by other APT operations such as Regin, Project Sauron, Duqu2 and Project Sauron,\r\nKaspersky researchers said. And they added the group was most active in 2013 and 2014, but samples created last\r\nyear have been discovered.\r\nThe toolkit includes memory-resident malware plugins, exploits against signed Windows drivers, network-driven\r\nbackdoors, modular backdoors, data-harvesting tools and destructive wiper malware. Kaspersky researchers said\r\nthat Windows and Mac OS X versions of numerous tools have been discovered as recently as last year, and that\r\nthere are likely versions for other platforms Linux.\r\nThe Lamberts toolkit features six color-coded versions, according to Kaspersky. For example, Black Lambert, a\r\nmalware implant, was found in a 2014 targeted attack against European organizations. This is one of the few\r\nknown infection vectors used by this APT group, researchers said. In this case, the attackers exploited a zero-day\r\nvulnerability in Windows True Type Font by spreading a malicious TTF in an Office document attachment. The\r\nmalicious font file was processed in kernel mode, giving the attacker remote access deep inside the compromised\r\nmachine.\r\nhttps://threatpost.com/tools-used-by-lamberts-apt-found-in-vault-7-dumps/124900/\r\nPage 1 of 2\n\nIn analyzing Black Lambert, researchers found details such as a build number and version name that led them to\r\nWhite Lambert, a passive network-drive backdoor that contained similar internal configurations. White Lambert\r\nruns in kernel mode and sniffs network traffic, and receives instructions from a command and control server.\r\n“White Lambert samples run in kernel mode and sniff network traffic looking for special packets containing\r\ninstructions to execute. To run unsigned code in kernel mode on 64-bit Windows, White Lambert uses an exploit\r\nagainst a signed, legitimate SiSoftware Sandra driver,” the researchers wrote. “The same method was used before\r\nby Turla, ProjectSauron, and Equation’s Grayfish, with other known, legitimate drivers.”\r\nAnalysis of Black Lambert also exposed Blue Lambert, a second stage malware attack against a Black Lambert\r\nvictim. Blue Lambert also exposed a number of operation or victim codenames that reference popular culture,\r\nincluding DOUBLESIDED SCOOBYSNACK, FUNNELCAKE CARNIVAL, RINGTOSS CARNIVAL and\r\nothers.\r\nThe researchers also found Green Lambert, an older version of the Blue Lambert malware. Signatures developed\r\nfor Green Lambert also triggered an OS X version of the malware.\r\n“The OS X variant of Green Lambert is in many regards functionally identical to the Windows version, however it\r\nmisses certain functionality such as running plugins directly in memory,” the Kaspersky researchers wrote.\r\nPink Lambert is another set of attack tools that includes a beaconing implant, USB-harvesting capabilities and a\r\nframework used to write malware that runs regardless of platform. Kaspersky Lab said it found Pink Lambert on\r\nsystems infected with White Lambert.\r\nThe newest version of the Lamberts’ malware, Gray Lambert, has a similar coding style to Pink Lambert and\r\nincludes updated versions of much of the same types of capabilities.\r\nThe Lamberts, or Longhorn, employ a number of the same crypto protocols and means of evading detection by\r\nsecurity software as described in the Vault 7 dumps allegedly tied to the CIA by Wikileaks.\r\nThe dumps of thousands of documents started March 7, and included malware, weaponized zero-day exploits,\r\nremote access Trojans and related documentations. Wikileaks claims this is the CIA’s entire hacking catalogue.\r\nCisco and other vendors have begun patching some of the zero days released in the Year Zero dump.\r\nA second release on March 23, called Dark Matter, included a capabilities focusing on Apple platforms, including\r\ntracking iPhone users and developing implants and exploits for Mac OS X firmware.\r\n“The fact that in the vast majority of cases the infection method is unknown probably means there are still a lot of\r\nunknown details about these attacks and the group(s) leveraging them,” the researchers wrote.\r\nSource: https://threatpost.com/tools-used-by-lamberts-apt-found-in-vault-7-dumps/124900/\r\nhttps://threatpost.com/tools-used-by-lamberts-apt-found-in-vault-7-dumps/124900/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://threatpost.com/tools-used-by-lamberts-apt-found-in-vault-7-dumps/124900/" ], "report_names": [ "124900" ], "threat_actors": [ { "id": "b740943a-da51-4133-855b-df29822531ea", "created_at": "2022-10-25T15:50:23.604126Z", "updated_at": "2026-04-10T02:00:05.259593Z", "deleted_at": null, "main_name": "Equation", "aliases": [ "Equation" ], "source_name": "MITRE:Equation", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "99845f58-2c39-46f7-8369-bb621ebb7002", "created_at": "2022-10-25T16:07:24.238844Z", "updated_at": "2026-04-10T02:00:04.90851Z", "deleted_at": null, "main_name": "Strider", "aliases": [ "G0041", "ProjectSauron" ], "source_name": "ETDA:Strider", "tools": [ "Backdoor.Remsec", "ProjectSauron", "Remsec" ], "source_id": "ETDA", "reports": null }, { "id": "c1ac2a5e-0225-47a4-8ac5-5fa898c96bde", "created_at": "2023-01-06T13:46:38.472883Z", "updated_at": "2026-04-10T02:00:02.989134Z", "deleted_at": null, "main_name": "ProjectSauron", "aliases": [ "Sauron", "Project Sauron", "G0041" ], "source_name": "MISPGALAXY:ProjectSauron", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e993faab-f941-4561-bd87-7c33d609a4fc", "created_at": "2022-10-25T16:07:23.460301Z", "updated_at": "2026-04-10T02:00:04.617715Z", "deleted_at": null, "main_name": "Longhorn", "aliases": [ "APT-C-39", "Platinum Terminal", "The Lamberts" ], "source_name": "ETDA:Longhorn", "tools": [ "Black Lambert", "Blue Lambert", "Corentry", "Cyan Lambert", "Fluxwire", "Gray Lambert", "Green Lambert", "Magenta Lambert", "Pink Lambert", "Plexor", "Purple Lambert", "Silver Lambert", "Violet Lambert", "White Lambert" ], "source_id": "ETDA", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "70db80bd-31b7-4581-accb-914cd8252913", "created_at": "2023-01-06T13:46:38.57727Z", "updated_at": "2026-04-10T02:00:03.028845Z", "deleted_at": null, "main_name": "Longhorn", "aliases": [ "the Lamberts", "APT-C-39", "PLATINUM TERMINAL" ], "source_name": "MISPGALAXY:Longhorn", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1", "created_at": "2024-05-01T02:03:08.146025Z", "updated_at": "2026-04-10T02:00:03.67072Z", "deleted_at": null, "main_name": "PLATINUM TERMINAL", "aliases": [ "APT-C-39 ", "Longhorn ", "The Lamberts ", "Vault7 " ], "source_name": "Secureworks:PLATINUM TERMINAL", "tools": [ "AfterMidnight", "Assassin", "Marble Framework" ], "source_id": "Secureworks", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null }, { "id": "a0d369c1-f0b7-4c70-a3a5-77aabbd17979", "created_at": "2022-10-25T15:50:23.311311Z", "updated_at": "2026-04-10T02:00:05.407733Z", "deleted_at": null, "main_name": "Strider", "aliases": [ "ProjectSauron" ], "source_name": "MITRE:Strider", "tools": [ "Remsec" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434902, "ts_updated_at": 1775826771, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e8710803eef625c3a6bd614b106c992ed49756b7.pdf", "text": "https://archive.orkl.eu/e8710803eef625c3a6bd614b106c992ed49756b7.txt", "img": "https://archive.orkl.eu/e8710803eef625c3a6bd614b106c992ed49756b7.jpg" } }