S0690: Green Lambert
Green Lambert is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of Green Lambert may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.[1][2]
Analyst context for executives and security teams
Green Lambert is a modular backdoor documented by ATT&CK as malware associated in reporting with the Longhorn/The Lamberts activity set. Its practical significance is not a single indicator, but the breadth of behaviors ATT&CK relates to it: discovery, persistence, credential access on macOS Keychain, stealth, local data collection, and command-and-control using DNS or proxies. For leaders, this means coverage should be assessed across endpoint, macOS/Linux administration paths, and network/DNS telemetry rather than only by looking for a named malware family.
Executive priority
Prioritize Green Lambert as a validation scenario for resilience against advanced backdoor tradecraft across Windows, iOS, macOS, and Linux environments. The ATT&CK object has no official detection guidance, so executive value comes from asking whether SOC, IR, identity, and endpoint teams can prove visibility into persistence mechanisms, credential-store access, DNS/proxy-based command-and-control, file deletion, obfuscation, and local data collection. This is especially relevant for environments where macOS and Linux systems hold privileged access, developer data, administrative credentials, or sensitive operational information.
Technical view
ATT&CK lists Green Lambert as a modular backdoor and relates it to techniques including Data from Local System, network and system discovery, Unix shell execution, obfuscation/deobfuscation, masquerading, file deletion, DNS and proxy command-and-control, macOS Launch Agents/Daemons, Login Items, Unix shell configuration modification, RC scripts, and macOS Keychain access. Because official detection text is not provided, defenders should validate behavioral coverage by platform: macOS persistence and Keychain access monitoring; Linux/macOS shell and startup-script modification visibility; endpoint file creation, rename, deletion, and suspicious location/name patterns; and DNS/proxy network analytics. Treat the relationships as defensive test themes, not proof that every variant or platform will show every behavior.
Likely telemetry
- Endpoint process execution telemetry for Windows, macOS, and Linux where available
- macOS Launch Agent, Launch Daemon, Login Item, and plist creation or modification events
- Linux/macOS shell history, shell configuration file changes, and RC script modification events
- File system telemetry for suspicious creation, renaming, placement in trusted-looking locations, obfuscation indicators, and deletion activity
- macOS Keychain access events or security logs where collection is available
Detection direction
- Build behavior-based detections around the related ATT&CK techniques rather than relying on the Green Lambert name alone, because the official ATT&CK object provides no detection section.
- For macOS, validate alerts for new or modified Launch Agents, Launch Daemons, Login Items, and unexpected Keychain access, with tuning for legitimate administration and software management activity.
- For Linux and macOS, monitor modifications to RC scripts and shell configuration files, especially when paired with new binaries, unusual execution paths, or recent privilege changes.
- Correlate discovery behaviors such as system information, network configuration, and time discovery with persistence changes, file deletion, obfuscated artifacts, or outbound DNS/proxy communications.
- Tune masquerading detections for task, service, file, or resource names that closely match legitimate names or appear in trusted-looking locations, while accounting for normal software installers and enterprise management tools.
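To make the Launch Agent/Daemon bullet concrete, here is an added example (not Green Lambert code and not from MITRE or Glexia) that parses launchd plists with Python's plistlib and flags jobs that run at load from paths outside an assumed allowlist; the path prefixes and both sample plists are constructed assumptions.

```python
"""Triage macOS LaunchAgent/LaunchDaemon plists for persistence review.

Added example for this page: parses launchd property lists and flags
entries that run at load from user-writable or otherwise unexpected
paths. EXPECTED_PREFIXES and the two sample plists are constructed.
"""
import plistlib

# Assumption: executables under these prefixes are treated as expected.
EXPECTED_PREFIXES = ("/System/", "/usr/libexec/", "/Library/Apple/", "/Applications/")


def program_path(plist: dict) -> str:
    """Return the executable launchd would start (Program takes precedence over ProgramArguments)."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def triage_plist(data: bytes) -> dict:
    """Parse one plist and return the reasons it deserves analyst review."""
    plist = plistlib.loads(data)
    path = program_path(plist)
    reasons = []
    if plist.get("RunAtLoad") is True:
        reasons.append("RunAtLoad")
    if path and not path.startswith(EXPECTED_PREFIXES):
        reasons.append("unexpected-program-path")
    if not path:
        reasons.append("no-program")
    # RunAtLoad alone is normal for Apple and vendor jobs; it is the combination that matters.
    return {"label": plist.get("Label", ""), "program": path, "reasons": reasons,
            "suspicious": "RunAtLoad" in reasons and len(reasons) > 1}


# Constructed samples: an Apple-style helper, and an agent starting from a user-writable path.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.example.helper</string>
<key>ProgramArguments</key><array><string>/usr/libexec/example-helper</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updatecheck</string>
<key>ProgramArguments</key><array><string>/Users/alice/Library/.cache/Software Update Check</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT):
        print(triage_plist(sample))
```

In practice the same function is run over every file under `/Library/LaunchDaemons`, `/Library/LaunchAgents` and each user's `~/Library/LaunchAgents`, with the allowlist tuned to the organisation's management tooling.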
Mitigation priorities
- First, confirm endpoint visibility and response capability across the stated platforms: Windows, iOS, macOS, and Linux, with special validation for macOS/Linux behaviors reflected in the ATT&CK relationships.
- Harden and monitor persistence locations, including macOS Launch Agents/Daemons/Login Items and Unix RC or shell configuration paths, using least privilege and change-control expectations.
- Restrict and audit access to credential stores such as macOS Keychain, and ensure privileged account use on macOS systems is visible to identity and incident response teams.
- Improve DNS, proxy, and egress monitoring so command-and-control over common protocols or through intermediaries can be investigated with endpoint context.
- Use allowlisting, trusted software baselines, and file integrity monitoring where appropriate to reduce masquerading and unauthorized startup modifications.
Analyst notes and limits
The most decision-useful context comes from the relationship set: Green Lambert is linked to collection, discovery, stealth, persistence, privilege-escalation, command-and-control, execution, and macOS credential-access techniques. The official description also notes a Windows variant reported as possibly used as early as 2008 and a macOS version uploaded to a multiscanner service in 2014, based on the cited research. Use this object to test whether platform coverage and incident playbooks are balanced beyond Windows-centric assumptions.
ATT&CK provides no official detection text, no aliases, no labels, and no tactics directly on the malware object. Relationship descriptions are technique-level context and should not be interpreted as a complete Green Lambert procedure list for every platform. Local validation, telemetry availability, asset criticality, and environment-specific baselines are required before making coverage or risk claims.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1543.004 | Launch Daemon Sub-technique | Green Lambert can add a plist file in the `Library/LaunchDaemons` to establish persistence. (Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021) |
| Enterprise | T1555.001 | Keychain Sub-technique | Green Lambert can use Keychain Services API functions to find and collect passwords, such as `SecKeychainFindInternetPassword` and `SecKeychainItemCopyAttributesAndData`. (Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021) |
| Enterprise | T1082 | System Information Discovery | Green Lambert can use `uname` to identify the operating system name, version, and processor type. (Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021) |
| Enterprise | T1071.004 | DNS Sub-technique | Green Lambert can use DNS for C2 communications. (Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Green Lambert can use multiple custom routines to decrypt strings prior to execution. (Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021) |
| Enterprise | T1016 | System Network Configuration Discovery | Green Lambert can obtain proxy information from a victim's machine using system environment variables. (Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021) |
| Enterprise | T1090 | Proxy | Green Lambert can use proxies for C2 traffic. (Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021) |
| Enterprise | T1547.015 | Login Items Sub-technique | Green Lambert can add Login Items to establish persistence. (Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021) |
| Enterprise | T1070.004 | File Deletion Sub-technique | Green Lambert can delete the original executable after initial installation in addition to unused functions. (Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021) |
| Enterprise | T1005 | Data from Local System | Green Lambert can collect data from a compromised host. (Citation: Objective See Green Lambert for OSX Oct 2021) |
| Enterprise | T1027 | Obfuscated Files or Information | Green Lambert has encrypted strings. (Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021) |
| Enterprise | T1059.004 | Unix Shell Sub-technique | Green Lambert can use shell scripts for execution, such as |
| Enterprise | T1546.004 | Unix Shell Configuration Modification Sub-technique | Green Lambert can establish persistence on a compromised host through modifying the `profile`, `login`, and run command (rc) files associated with the `bash`, `csh`, and `tcsh` shells. (Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021) |
| Enterprise | T1543.001 | Launch Agent Sub-technique | Green Lambert can create a Launch Agent with the `RunAtLoad` key-value pair set to |
| Enterprise | T1037.004 | RC Scripts Sub-technique | Green Lambert can add |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | Green Lambert has created a new executable named `Software Update Check` to appear legitimate. (Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Green Lambert has been disguised as a Growl help file. (Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021) |
| Enterprise | T1124 | System Time Discovery | Green Lambert can collect the date and time from a compromised host. (Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 57f9d6092e67… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky Lamberts Toolkit April 2017: GREAT. (2017, April 11). Unraveling the Lamberts Toolkit. Retrieved March 21, 2022.
- [2] Objective See Green Lambert for OSX Oct 2021: Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
- [3] Green Lambert (Citation: Kaspersky Lamberts Toolkit April 2017)
- [4] mitre-attack S0690
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.