Longhorn  (Back to overview)

aka: APT-C-39, Lamberts, PLATINUM TERMINAL, the Lamberts

Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally. According to cfr, this threat actor compromises governments, international organizations, academic institutions, and financial, telecommunications, energy, aerospace, information technology, and natural resource industries for espionage purposes. Some of the tools used by this threat actor were released by Wikileaks under the name "Vault 7."

Associated Families
elf.vault8_hive osx.lambert win.lambert win.unidentified_020_cia_vault7

2022-01-21Twitter (@_CPResearch_)Check Point Research
Tweet on WhiteLambert malware
2021-10-01Objective-SeeRuna Sandvik
Made In America: Green Lambert for OS X
2020-03-02Qihoo 360 TechnologyQihoo 360
The CIA Hacking Group (APT-C-39) Conducts Cyber-Espionage Operation on China's Critical Industries for 11 Years
2020-02-13QianxinQi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
TalentRAT Equation Group Longhorn
2019-09-30QianxinRed Raindrop Team
Analysis and disclosure of the CIA's cyber arsenal
2019-01-01Council on Foreign RelationsCyber Operations Tracker
2018-06-15Youtube (defconswitzerland)Costin Raiu
Area41 Keynote
Lambert Regin
2017-11-26Github (infoskirmish)infoskirmish
Source Code of HIVE
Hive (Vault 8)
Vault 8: Hive
Hive (Vault 8)
2017-04-10SymantecA L Johnson
Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
2017-04-10Bleeping ComputerCatalin Cimpanu
Longhorn Cyber-Espionage Group Is Actually the CIA
2017-04-10SymantecSymantec Security Response
Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
Vault 7: CIA Hacking Tools Revealed
Unidentified 020 (Vault7)

Credits: MISP Project