Kaspersky announces discovery of new CIA spyware

Kaspersky announces in its latest quarterly report the discovery of spyware attributed to the CIA. Dubbed “Purple Lambert”, this malware has been under the radar for years – researchers believe it has been actively exploited since 2015, if not 2014. This highly sophisticated spyware can execute arbitrary code. It does not contain a default payload and accepts commands passively, which explains the difficulties in detecting it.


Russian security firm Kaspersky announces in its latest APT Trends report for the first quarter of 2021 the discovery of new malware attributed to the CIA. Internally baptized “Purple Lambert” the spyware was part of a collection of samples received by various antivirus companies in February 2019. It had initially gone completely unnoticed by Kaspersky researchers, but his teams recently realized similarities between malware code and other spyware produced by the CIA.

Four years ago, we learned from a leak on Wikileaks of the existence of the CIA’s Vault7 program. It is a set of measures taken by the agency to spy on smartphones and computers on a massive scale – including a series of specialized malware. With the discovery of the CIA’s first backdoors, Kaspersky started talking about “Lambert family malware” to designate these programs. Since then, the term has stuck: as soon as Kaspersky discovers that malware is attributed to the CIA, it receives a name made up of a color + the word Lambert.

Kaspersky discovers new dormant CIA malware

According to its metadata Purple Lambert was compiled in 2014. Kaspersky therefore believes thatit has remained undetected by antiviruses since at least 2015, or even, probably 2014. The malware appears to be designed specifically not to arouse suspicion. Malware commands are passively listened to and rely on quite mundane “magic packets”. They are the same type as WoL packets to wake up computers on a network from their sleep at the same time, with a small command in Cmd.

Kaspersky explains: “Purple Lambert is made up of several modules, including a network module that passively waits to receive a magic packet. It is able to transmit basic information about the infected system to an attacker and can execute payloads that it receives. These features remind us of Gray Lambert, another type of passively controlled program. Gray Lambert turned out to be a replacement for […] White Lambert involved in multiple incidents. In addition, Purple Lambert has similar functionality although implemented in other ways to Gray Lambert and White Lambert.“.

The discovery of this new malware is itself a small event. Since the scandals unveiled by Wikileaks, discoveries of malware attributed to American intelligence agencies have been rare. Not that the development of this type of program has stopped – malware produced by American intelligence agencies seems to opt instead for increased sophistication, in order not to trigger alerts. Thus since Vault7 only 3 malware attributed to American intelligence agencies have been discovered.

In particular, there was a malware targeting internet routers discovered in March 2018 – it seemed to target mainly theaters of operations fighting against the Islamic State in the Middle East. In 2019 ESET also discovered another malware from the same family. Most recently in March 2020 Qihoo 360 exposed new malware, while revealing how US intelligence has targeted China’s civil aviation industry for 11 years. It’s unclear what the implications of this announcement are at this point. Kaspersky does not confirm, for example, in its press release, whether the next version of the antivirus will be able to detect and remove Purple Lambert.

Read also: Kaspersky will launch an “impossible to hack” smartphone

Moreover, Kaspersky’s quarterly report is not at all dedicated to this discovery. The antivirus firm believes that the biggest threats in the first quarter of 2021 were rather the hacking of SolarWinds with the discovery of numerous 0-day flaws in SolarWinds products, vulnerabilities in Microsoft Exchange servers, actively exploited by hackers or even The Lazarus Pirate Group Campaign which targets security researchers by hacking their computers through 0-day internet browsers’ vulnerabilities. An attack that appears to aim to steal information about exploitable security vulnerabilities.

Leave a Comment