Green Lambert

Malware updated 4 months ago (2024-05-04T23:17:42.301Z)
Green Lambert is a family of malware tools closely related to Blue Lambert. It was discovered while searching for malware similar to Blue Lambert and is considered a lighter, more reliable, but older version of it. Green Lambert is the oldest and longest-running malware in the Lamberts family, with Gray Lambert being the newest.

Green Lambert stands out as the only Lambert family for which non-Windows variants have been found. Signatures written for the Windows version also triggered on an OS X variant with a very low version number, 1.2.0, which led to the discovery of an OS X implant called Green Lambert. An old version of Green Lambert compiled for OS X was uploaded from Russia to a multiscanner service in 2014.

The Windows versions of Green Lambert carry various internal code names: BEARD BLUE (2.7.1), GORDON FLASH (3.0), APE ESCAPE (3.0.2), SPOCK LOGICAL (3.0.2), PIZZA ASSAULT (3.0.5), and SNOW BLOWER (3.0.5). One Green Lambert dropper abused an ICS software package named "Subway Environmental Simulation Program" (SES), which has been available on certain forums visited by engineers working with industrial software.

In July 2023, Kaspersky disclosed the use of a revamped version of the MATA malware to strike defense contractors. The newer MATA variants use techniques such as TTLV serialization, multilayered protocols, and handshake mechanisms that resemble those of 'Five Eyes' APT tools like Purple Lambert, Magenta Lambert, and Green Lambert. Because of this overlap, attribution to the Lazarus Group remains uncertain, although there are still apparent links to Lazarus activity.
Description last updated: 2024-05-04T22:21:04.394Z
Source Document References
Information about the Green Lambert malware was read from the documents listed below.
- CERT-EU (a year ago): Sophisticated MATA Framework Strikes Eastern European Oil and Gas Companies
- CERT-EU (a year ago): MATA malware framework exploits EDR in attacks on defense firms
- MITRE (2 years ago): Unraveling the Lamberts Toolkit
- MITRE (2 years ago): Made In America: Green Lambert for OS X