1 malware family

cia

Also known ascia

CIA is referenced in the provided content as the operator of OSX.GreenLambert, described as a first-stage macOS implant. The content specifically states that security researcher Runa Sandvik analyzed OSX.GreenLambert and that it was utilized by the CIA. No additional high-confidence details about targeting, tactics, techniques, sub-groups, or other aliases are directly provided in the content beyond the alias "cia".

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

31 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

12 of 15 tactics33 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

5 techniques

T1589×3

Gather Victim Identity Information

T1590

Gather Victim Network Information

T1591

Gather Victim Org Information

T1592

Gather Victim Host Information

T1598

Phishing for Information

TA0042

Resource Development

3 techniques

T1584

Compromise Infrastructure

T1584.001

Domains

T1585

Establish Accounts

T1586

Compromise Accounts

TA0001

Initial Access

1 technique

T1195×3

Supply Chain Compromise

TA0002

Execution

1 technique

T1574

Hijack Execution Flow

TA0003

Persistence

1 technique

T1136

Create Account

TA0005

Stealth

5 techniques

T1027

Obfuscated Files or Information

T1070

Indicator Removal

T1070.004

File Deletion

T1564

Hide Artifacts

T1574

Hijack Execution Flow

T1620

Reflective Code Loading

TA0112

Defense Impairment

1 technique

T1600

Weaken Encryption

TA0006

Credential Access

3 techniques

T1555

Credentials from Password Stores

T1557

Adversary-in-the-Middle

T1649

Steal or Forge Authentication Certificates

TA0009

Collection

4 techniques

T1123×4

Audio Capture

T1125×4

Video Capture

T1213

Data from Information Repositories

T1557

Adversary-in-the-Middle

TA0011

Command and Control

4 techniques

T1071

Application Layer Protocol

T1219×2

Remote Access Tools

T1572

Protocol Tunneling

T1573

Encrypted Channel

TA0010

Exfiltration

1 technique

T1052

Exfiltration Over Physical Medium

TA0040

Impact

2 techniques

T1485×2

Data Destruction

T1498

Network Denial of Service

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen

DarkComet RATA new piece of old computer spyware, known as DarkComet RAT, was found cleverly hidden inside a file that looked exactly like a legitimate Bitcoin wallet or trading program.1Mar 18, 2026

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

objective seeNews

Dec 11, 2025

Objective-See: Blog

The CIA has developed and deployed macOS implants such as OSX.GreenLambert for cyber-espionage purposes, targeting foreign entities and individuals of interest.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping31

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.