Green Lambert

Malware Profile Updated 24 days ago
Green Lambert is a family of malware tools closely related to Blue Lambert. It was discovered while searching for malware similar to Blue Lambert, and it is considered a lighter, more reliable, but older version of Blue Lambert. Green Lambert is the oldest and longest-running malware in its family, with Gray Lambert being the newest.

The Green Lambert family stands out as the only one in which non-Windows variants have been found. Signatures written for the Windows version of Green Lambert also triggered on an OS X variant with a very low version number, 1.2.0, which led to the identification of an OS X implant called Green Lambert. An old version of Green Lambert, compiled for OS X, was uploaded from Russia to a multiscanner service in 2014.

The Windows versions of Green Lambert carry various internal code names, including BEARD BLUE (2.7.1), GORDON FLASH (3.0), APE ESCAPE (3.0.2), SPOCK LOGICAL (3.0.2), PIZZA ASSAULT (3.0.5), and SNOW BLOWER (3.0.5). One of the Green Lambert droppers abused an ICS software package named “Subway Environmental Simulation Program” (“SES”), which has been available on certain forums frequented by engineers working with industrial software.

In July 2023, Kaspersky disclosed the use of a revamped version of the MATA malware to strike defense contractors. Attribution to the Lazarus Group remains uncertain: the newer MATA variants use techniques such as TTLV serialization, multilayered protocols, and handshake mechanisms that resemble those of 'Five Eyes' APT tooling like Purple Lambert, Magenta Lambert, and Green Lambert, although apparent links to Lazarus activity remain.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance.
Associated Malware: no associations to display.
Associated Threat Actors: no associations to display.
Associated Vulnerabilities: no associations to display.
Source Document References
Information about the Green Lambert malware was read from the document corpus below (display limited to 20 results).

Source | Created | Title
MITRE | a year ago | Made In America: Green Lambert for OS X
CERT-EU | 7 months ago | MATA malware framework exploits EDR in attacks on defense firms
CERT-EU | 7 months ago | Sophisticated MATA Framework Strikes Eastern European Oil and Gas Companies
MITRE | a year ago | Unraveling the Lamberts Toolkit