{
	"id": "61e0da56-179d-480c-ba0c-0048ca63e3d3",
	"created_at": "2026-04-06T01:32:00.987915Z",
	"updated_at": "2026-04-10T03:36:50.172032Z",
	"deleted_at": null,
	"sha1_hash": "0178f617bc4cf930e5d1dabb3ebe78496f072041",
	"title": "奇安信威胁情报中心",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1720279,
	"plain_text": "奇安信威胁情报中心\r\nArchived: 2026-04-06 01:21:58 UTC\r\nOverview\r\nRecently, an XLSM decoy document is captured by the RedDrip team of QiAnXin Threat Intelligence Center by utilizing\r\npublic intelligence. After taking a deeper analysis, we figure out that the C2 configurations are located on Github and\r\nFeed43. Multiple Github spaces have been exposed through correlation analysis and the earliest one could trace back to July\r\n2018. The relevant accounts were still in use when the report was completed.\r\nDecryption algorithm for configurations retrieved from Github will be described in detail and the portrait of the attacker is\r\npartially based on statistics of the decrypted data.\r\nSample Analysis\r\nThe related attack vector is an XLSM file, created on August 8 and uploaded to VT on August 13, that leverages CVE-2017-\r\n11882 vulnerability to release MSBuild.exe to the %AppData% directory and then add registry Run key to stay persistent.\r\nTo obtain C2 address, it reads data from Github and Feed43 where the content could be controlled by attackers.\r\nHTTP/HTTPS protocols are used while communicating with available C2s.\r\nDropper Analysis\r\nThe sample was uploaded to VT at 5:05 on Aug 13, 2019 with below details:\r\nMD5 0D38ADC0B048BAB3BD91861D42CD39DF\r\nName India makes Kashmir Dangerous Place in the World.xlsm\r\nTime 2019-08-13 05:05:15\r\nAfter opening, a blurred picture shows up to lure the victim to enable macro. After that, a clear picture titled \"India has made\r\nKashmir the most dangerous place in the world\" gets displayed.\r\nFigure 2.1 Images before and after enabling macro\r\nIn fact, the clear picture is covered with a vague one. 
When macros are enabled, the blurred picture is deleted so that the\r\nclear one is displayed:\r\nFigure 2.2 Content of the macro\r\nThere is an OLE object embedded inside, and it seems that the attacker packed the .bak file by mistake:\r\nhttps://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/\r\nPage 1 of 9\n\nFigure 2.3 The OLE objects packed inside\r\nThe shellcode inside the OLE object performs the following functions:\r\n1. Correct the MZ header located at offset 0x558 of the shellcode entry point (add “MZ”).\r\n2. Drop the PE file to \"%AppData%\\MSBuild.exe\".\r\n3. Add a registry Run key (key value: lollipop) to make \"%AppData%\\MSBuild.exe\" persistent.\r\nFigure 2.4 Shellcode to correct the header\r\nMSBuild.exe Analysis\r\nMSBuild.exe is dropped into the %AppData% directory, and its compilation time is August 8th, 2019, which coincides with\r\nthe XML creation time on Github described later on:\r\nName MSBuild.exe\r\nMD5 0f4f6913c3aa57b1fc5c807e0bc060fc\r\nCompile Time 2019-08-08 14:00:32\r\nThe main purpose of this sample is to obtain the C2 configuration from the attacker's Github and Feed43 spaces, decrypt it,\r\nand connect to the C2 for further communication.\r\nAfter the malicious code is executed, it will “sleep” for a period of time. This is implemented by executing a function in a\r\nloop 80,000 times to delay execution in the sandbox:\r\nFigure 3.1 Executing function in a big loop to achieve sleep purpose\r\nIt checks network connectivity by connecting to \"https://en.wikipedia.org\", then retrieves the C2 configuration from two hard-coded\r\naddresses (one works as a backup). 
The hard-coded addresses are encrypted; subtracting one from each byte yields\r\nthe decrypted URL:\r\nFigure 3.2 Code to decrypt C2 configuration\r\nSource Decrypted Content\r\nfeed43 URL https://node2.feed43.com/0056234178515131.xml\r\nGithub URL https://raw.githubusercontent.com/petersonmike/test/master/xml.xml\r\nThe Github account used by the attacker was created on August 7th, 2019, which matches the compilation time of the sample:\r\nFigure 3.3 The attacker's Github home page\r\nThe encrypted C2 configuration is located inside the “description” field:\r\nFigure 3.4 Github configuration file content\r\nThe Base64-encoded data is decoded first, then the ROL1((v11 + 16 * v9) ^ 0x23, 3) operation is applied. After that, the result is Base64-decoded\r\nagain and finally decrypted with Blowfish (older versions have no Blowfish decryption) using the key below:\r\nF0 E1 D2 C3 B4 A5 96 87 78 69 5A 4B 3C 2D 1E 0F 00 11 22 33 44 55 66 77\r\nThe decrypted C2 address is 139.28.38.236 and the malware uses HTTP/HTTPS in network communication:\r\nFigure 3.5 C2 decryption algorithm\r\nSystem information of the compromised computer is collected and then exfiltrated; the collected data is AES-encrypted and\r\nBase64-encoded before being sent out:\r\nURI Content\r\nuuid ID generated by GetCurrentHwProfile\r\nun System info\r\ncn Computer name\r\non OS version\r\nlan IP list\r\nnop Blank\r\nver Malware version, here it is 1.0\r\nAfter that, the malware enters a while loop and performs actions according to the HTTP response:\r\nURI Function\r\n/e3e7e71a0b28b5e96cc492e636722f73/4sVKAOvu3D/ABDYot0NxyG.php Online, message queue\r\n/e3e7e71a0b28b5e96cc492e636722f73/4sVKAOvu3D/UYEfgEpXAOE.php Upload data\r\nFigure 3.6 Loop thread creation and message receiving\r\nThe following table maps the received tokens to the functions to be 
performed:\r\nToken Function\r\n0 Exit\r\n8 Upload keylog file\r\n23 Upload screen capture file\r\n13 Upload collected list of files for a specific suffix\r\n5 Upload local file\r\n33 Extract EXE download link from URL, then download and execute.\r\nThe attacker uploads the files generated after executing remote commands to the C\u0026C server. The following table\r\nlists the cached files and the contents they record:\r\nFile Name Content\r\n9PT568.dat UUID\r\nTPX498.dat Keylog file\r\nTPX499.dat Screen capture file\r\nAdbFle.tmp Retrieved files specified by attacker\r\nedg499.dat Files with specific suffixes: (\".txt\",\".doc\",\".xls\",\".xlsx\",\".docx\",\".xls\",\".ppt\",\".pptx\",\".pdf\")\r\nThe malware collects a list of files with specific suffixes, stores it in a local file, and uploads it to the C2 server:\r\nFigure 3.7 List of specified file extensions\r\nData Analysis\r\nAfter performing correlation analysis, we discovered 44 configuration files hosted on Github and utilized by this APT group.\r\nAll C2s have been decrypted and extracted for investigation. Judging from the file creation times, the attacker started working at\r\nleast as early as July 2018. The earliest account was created on July 3, 2018, and account creation continued to August 2019, when the\r\ndocument was completed. In the statistics of monthly creations, the number of creations in July 2018 is much\r\nhigher than in the following months. 
We offer the following reasonable speculations based on the data distribution.\r\nThe attacker may have conducted a concentrated attack from July to September 2018.\r\nAccounts are created on demand when the sample is updated or the related Github link is blocked.\r\nFigure 4.1 Configuration file distribution\r\nSome extracted Github user names are listed as follows. We found that the names are generated based on some family\r\nnames, so, considering the different names being used, the attacks may have been carried out by multiple attackers. Many IDs can be\r\nfound on social media, and most of them are located in India and Pakistan:\r\nmalikzafar786,Zunaid-zunaid1,a1amir1,Alaeck,aleks0rg0v,alexboycott,alfreednobeli,chrisyoks,dawoood,ehsaankhan,fakheragainfkhr,fangflee,habrew,hazkabeeb,husngilgit,imra\r\nKeywords such as “android” and “mobile” are used in the Github directories, which may indicate that there are samples for\r\nAndroid phones.\r\ntesty,test,amnigomestro,android,blch,cartoon,fashion,harrypotter,haz,helbrat,huric,husnahazrt,introduction,Joncorbat,kjhlkjhjkl,likingd,mdfs,metest,mobil\r\nMost of the C2s are located in Ukraine, while there are 2 IPs in China:\r\nFigure 4.2 C2 distribution\r\nStatistics of XML creation times are provided below (the horizontal axis is the time in UTC+0, and the vertical axis is\r\nthe number of occurrences).\r\nFigure 4.3 Attacker's 24-hour activity distribution\r\nConclusion\r\nThe link to feeds.rapidfeeds.com left in its XML configuration file was also mentioned in Kaspersky’s report listed in the\r\nreference section, which confirms that the APT-C-09 group keeps updating its C2 configuration channel and that the recent one\r\nretains some past features.\r\nFrom the perspective of cyber warfare, the 
conflict between India and Pakistan over the territory of Kashmir has lasted for\r\ndecades, which makes it a perfect topic for targeted attacks. For example, Donot and Bitter disguised themselves as Kashmiri Voice to\r\nattack Pakistan, and Transparent Tribe attacked India with decoy documents regarding terrorist attacks in Kashmir. These confrontations\r\nhave proved that national power plays an important role in defending national sovereignty and, at the same time, in spying\r\non military intelligence.\r\nIndia’s attempt to abolish India-controlled Kashmir is to detonate the conflict between the two countries. The two sides\r\nhave exchanged fire, and some soldiers have died because of this. In terms of cyber attacks, related incidents will continue to\r\nrise. Considering that APT-C-09, Bitter and Donot have carried out targeted attacks against China, we must take action in\r\nadvance and keep a close eye on their recent activities.\r\nQiAnXin Threat Intelligence Center will promptly provide customers with the latest attack trends, helping governments\r\nand enterprises to resist network intrusions from foreign enemies.\r\nIOCs\r\nC2:\r\n139.28.38.236\r\nAES Key:\r\nDD1876848203D9E10ABCEEC07282FF37\r\nBlowFish Key:\r\nF0E1D2C3B4A5968778695A4B3C2D1E0F0011223344556677\r\nHost Name:\r\nWIN-ABPA7FG820B\r\nAppendix: Extracted C2 Information\r\nC2 Time Github username\r\nhttp://149.56.80.64/u5b62ed973d963913bb/u5a3ewfasdk9.php 2018-07-03T05:19:43 y4seenkhan\r\nhttp://149.56.80.64/u5b62ed973d963913bb/u5a3ewfasdk9.php 2018-07-03T05:29:54 hazkabeeb\r\nhttp://43.249.37.165/kungfu/ghsnls.php 2018-07-04T12:45:13 Zunaid-zunaid1\r\nhttp://123.57.158.115/shujing/ghsnls.php 2018-07-04T14:39:00 Zunaid-zunaid1\r\n185.82.217.200/@lb3rt/dqvabs.php 2018-07-04T20:46:50 Zunaid-zunaid1\r\n185.82.217.200/N3wt0n/dqvabs.php 2018-07-04T22:01:40 
aleks0rg0v\r\nhttp://185.82.217.200/d3m0n/dqvabs.php 2018-07-05T10:43:25 Vldir\r\nhttp://81.17.30.28/th0mas/dqvabs.php 2018-07-05T20:30:57 Alaeck\r\nhttp://46.183.216.222/0racl3/dqvabs.php 2018-07-07T12:10:04 yamichaeldavid\r\nhttp://91.229.79.183/b15d0e30a7738037/j8fiandfuesmg.php 2018-07-10T16:26:55 habrew\r\nhttp://176.107.182.24/f0357a3f154bc2ff/sadk9f043ejf.php 2018-07-10T16:35:49 ehsaankhan\r\nhttp://146.185.234.71/Ms3f3g45thgy5/f3af3fasf32.php 2018-07-11T00:03:07 dawoood\r\nhttp://185.203.116.58/d394d142687ff5a0/dfae43rsfdgq4e.php 2018-07-11T01:24:49 fangflee\r\n185.156.173.73 2018-07-11T02:47:04 noorhasima\r\nhttp://188.165.124.30/c6afebaa8acd80e7/byuehf8af.php 2018-07-11T03:15:07 alfreednobeli\r\nhttp://146.185.234.71/Ms3f3g45thgy5/f3af3fasf32.php 2018-07-11T09:27:55 jahilzubaine\r\n94.156.35.204 2018-07-11T11:23:16 husngilgit\r\nhttp://94.156.35.204/22af645d1859cb5c/sg4gasdnjf984.php 2018-07-11T16:26:29 raqsebalooch\r\n185.203.118.115 2018-07-12T10:19:05 lctst\r\n185.29.11.59 2018-07-13T18:28:04 rehmanlaskkr\r\n?桔%?旵`辚3 2018-07-13T19:33:56 noorfirdousi\r\n185.206.144.67 2018-07-14T12:04:38 rizvirehman\r\n185.36.188.14 2018-08-20T10:58:18 fakheragainfkhr\r\n199.168.138.119 2018-08-24T12:46:00 malikzafar786\r\n199.168.138.119 2018-08-24T12:55:02 malikzafar786\r\n199.168.138.119 2018-08-24T12:57:59 malikzafar786\r\n85.217.171.138 2018-09-01T09:47:20 malikzafar786\r\n85.217.171.138 2018-09-01T09:53:03 malikzafar786\r\nhttp://46.183.216.222/0racl3/dqvabs.php 2018-09-01T10:35:34 malikzafar786\r\n199.168.138.119 2018-09-18T10:34:23 malikzafar786\r\n199.168.138.119 2018-09-18T10:37:49 malikzafar786\r\n193.37.213.101 2018-11-05T11:53:40 a1amir1\r\n178.33.94.35 2018-12-05T12:11:46 malikzafar786\r\n178.33.94.35 2018-12-05T12:38:34 malikzafar786\r\n;3癬??^a;?筛 2018-12-17T06:50:14 yusufk1\r\n185.29.11.59 2019-01-15T08:03:17 str1ngstr\r\n164.132.75.22 2019-03-01T05:28:04 z00min\r\n193.22.98.17 2019-05-27T05:47:11 alexboycott\r\n91.92.136.239 2019-06-24T11:14:16 
imrankhan713\r\n91.92.136.239 2019-06-24T12:05:21 imranikhan17\r\n185.116.210.8 2019-07-18T10:35:43 chrisyoks\r\n185.161.210.8 2019-07-18T12:10:48 johnhenery12\r\n139.28.38.231 2019-08-07T10:58:56 petersonmike\r\n139.28.38.236 2019-08-08T09:06:03 shaikmalik22\r\nReference\r\n1. https://securelist.com/the-dropping-elephant-actor/75328/\r\nSource: https://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/"
	],
	"report_names": [
		"apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2b29dd16-a06f-4830-81a1-365443bc54b8",
			"created_at": "2023-01-06T13:46:38.460047Z",
			"updated_at": "2026-04-10T02:00:02.983931Z",
			"deleted_at": null,
			"main_name": "QUILTED TIGER",
			"aliases": [
				"Chinastrats",
				"Sarit",
				"APT-C-09",
				"ZINC EMERSON",
				"ATK11",
				"G0040",
				"Orange Athos",
				"Thirsty Gemini",
				"Dropping Elephant"
			],
			"source_name": "MISPGALAXY:QUILTED TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439120,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0178f617bc4cf930e5d1dabb3ebe78496f072041.pdf",
		"text": "https://archive.orkl.eu/0178f617bc4cf930e5d1dabb3ebe78496f072041.txt",
		"img": "https://archive.orkl.eu/0178f617bc4cf930e5d1dabb3ebe78496f072041.jpg"
	}
}