{
	"id": "7bffb843-aa5b-4fd7-9973-6aff4132daac",
	"created_at": "2026-04-06T00:16:41.993676Z",
	"updated_at": "2026-04-10T03:34:59.501112Z",
	"deleted_at": null,
	"sha1_hash": "0e608d47c4ca792f4e322dec9d03a6187be7c80b",
	"title": "Scattered Spider: Three things the news doesn’t tell you",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4986327,
	"plain_text": "Scattered Spider: Three things the news doesn’t tell you\r\nBy Push Security\r\nPublished: 2025-06-03 · Archived: 2026-04-05 23:43:05 UTC\r\nWith the recent attacks on UK retailers Marks \u0026 Spencer and Co-op, so-called Scattered Spider has been all over the media, with coverage spilling over into the mainstream news due to the severity of the disruption — currently looking like hundreds of millions in lost profits for M\u0026S alone.\r\nThis coverage is extremely valuable for the cyber security community as it raises awareness of the battles that security teams are fighting every day. But it’s also created a lot of noise that can make it tricky to understand the big picture.\r\nSo here are three things that you might have missed — some you probably know already, and others that you might not be aware of if you haven’t been tracking Scattered Spider beyond the recent attacks.\r\n1. There’s no such thing as Scattered Spider\r\nAs a community, we sometimes forget that giving cool names to patterns of threat actor activity can sensationalize and make supervillains out of criminals. That said, cool names are sticky, and have a better chance of being commonly recognized and adopted, which is helpful for intelligence sharing.\r\nBut we need to remember that Scattered Spider didn’t call themselves Scattered Spider. CrowdStrike did. And there are lots of other names given to the pattern of activity and techniques that we know as Scattered Spider:\r\nhttps://www.bleepingcomputer.com/news/security/scattered-spider-three-things-the-news-doesnt-tell-you/\r\nPage 1 of 8\r\nUNC3944 (Mandiant)\r\nOcto Tempest (Microsoft)\r\n0ktapus (Group-IB)\r\nMuddled Libra (Unit 42)\r\nScatter Swine (Okta)\r\nBut it’s not quite as simple as that, because there aren’t clear boundaries. The pattern of activity that analysts classify as Scattered Spider touches on a number of self-named criminal groups like Lapsus$, Yanluowang, Karakurt, and ShinyHunters (behind the Snowflake attacks in 2024).\r\nTypically, the main “brands” created by attackers overlap with ransomware/extortion crews, which often have their own unique (or at least modified) ransomware encryptor and platform.\r\nThis explains the other cool name that’s cropped up a lot in the recent reporting — DragonForce — creating some confusion around specifically who executed the attacks on M\u0026S and Co-op. Unlike Scattered Spider, DragonForce is a Ransomware-as-a-Service group that provides tooling and specialist services for hire to affiliates like Scattered Spider.\r\nThey are not the ones executing the attack, but the criminals classified under “Scattered Spider” are effectively using their services and encryption software once they have completed the initial intrusion.\r\nWhat defines Scattered Spider?\r\nSo, it’s confusing, but what we’re really tracking is patterns of behavior tied to certain regions of operation.\r\nWhen you think of Scattered Spider, you might be reminded of the series of arrests that happened throughout 2024. And yet, attacks have continued — because we’re not talking about a tight-knit group of specific individuals, but a broader community or collective of criminals, all using similar techniques, with the same ultimate goal — making money (typically through data theft, ransomware, and extortion).\r\nSo, what defines so-called Scattered Spider?\r\nPrimarily English native speakers located mainly in English-speaking countries — the UK, US, Canada, Australia — but with activity also traced to mainland Europe, Russia, and India.\r\nScattered Spider presence\r\nSource: Mandiant\r\nUse of predominantly identity-based tactics, techniques and procedures (TTPs) specialising in phishing, credential attacks, help desk scams/vishing, SIM swapping, smishing, etc. — all designed to achieve account takeover.\r\nCloud-conscious techniques, such as targeting modern cloud identity provider accounts such as Okta and Microsoft Entra, and abusing cloud services and environments.\r\nWhen we think of Scattered Spider, we think of the quintessential cloud-native attacker who has grown up in the modern era of computing and internet services where being a hacker is less about network exploits than it is about logging into accounts on apps and services. These are people who probably cut their teeth in credit card scams and other forms of internet fraud rather than trawling the internet for exposed servers and open ports.\r\nSo they’re identity-first, but more important than that, they’re flexible and adaptable. They’re also willing to go after any and every company that presents an opportunity.\r\n2. Help desk scams aren’t new\r\nThe headline story from the recent campaign against UK retailers is the use of help desk scams. This typically involves the attacker calling up a company’s help desk with some level of information — at minimum, PII that allows them to impersonate their victim, and sometimes a password — leaning heavily on their native English-speaking abilities to trick the help desk operator into giving them access to a user account.\r\nHow it works\r\nThe goal of a help desk scam is to get the help desk operator to reset the credentials and/or MFA used to access an account so the attacker can take control of it. They’ll use a variety of backstories and tactics to get that done, but most of the time it’s as simple as saying “I’ve got a new phone, can you remove my existing MFA and allow me to enroll a new one?”\r\nFrom there, the attacker is then sent an MFA reset link via email or SMS. Usually, this would be sent to, for example, a number on file — but at this point, the attacker has already established trust and bypassed the help desk process to a degree. So asking “can you send it to this email address” or “I’ve actually got a new number too, can you send it to…” gets this sent directly to the attacker.\r\nAt this point, it’s simply a case of using the self-service password reset functionality for Okta or Entra (which you can now pass, because you hold the MFA factor used to verify yourself) and voila, the attacker has taken control of the account.\r\nAnd the best part? Most help desks have the same process for every account — it doesn’t matter who you’re impersonating or which account you’re trying to reset. So, attackers are specifically targeting accounts likely to have top tier admin privileges — meaning once they get in, progressing the attack is trivial and much of the typical privilege escalation and lateral movement is removed from the attack path.\r\nSo, help desk scams have proved to be a reliable way of bypassing MFA and achieving account takeover — the foothold from which to launch the rest of an attack, such as stealing data, deploying ransomware, etc.\r\nThis isn’t their first rodeo\r\nBut something that’s not quite coming across in the reporting is that Scattered Spider have been doing this successfully since 2022, with the M\u0026S and Co-op attacks merely the tip of the iceberg. Vishing (calling a user to get them to give up their MFA code) has been a part of their toolkit since the beginning, with the early attacks on Twilio, LastPass, Riot Games, and Coinbase involving some form of voice-based social engineering.\r\nNotably, the high-profile attacks on Caesars, MGM Resorts, and Transport for London all involved calling a help desk to reset credentials as the initial access vector.\r\nCaesars in August 2023, where hackers impersonated an IT user and convinced an outsourced help desk to reset credentials, after which the attacker stole the customer loyalty program database and secured a $15m ransom payment.\r\nMGM Resorts in September 2023, where the hacker used LinkedIn information to impersonate an employee and reset the employee’s credentials, resulting in a 6TB data theft. After MGM refused to pay, the attack eventually resulted in a 36-hour outage, a $100m hit, and a class-action lawsuit settled for $45m.\r\nTransport for London in September 2024, which resulted in 5,000 users’ bank details exposed, 30,000 staff required to attend in-person appointments to verify their identities and reset passwords, and significant disruption to online services lasting for months.\r\nSo not only have Scattered Spider been using these techniques for some time, but the severity and impact of these attacks have been ramping up.\r\nAvoiding help desk gotchas\r\nThere’s lots of advice for securing help desks being circulated, but much of the advice still results in a process that is either phishable or difficult to implement.\r\nUltimately, organizations need to be prepared to introduce friction to their help desk process and either delay or deny requests in situations where there’s significant risk. So, for example, having a process for MFA reset that recognizes the risk associated with resetting a high-privileged account:\r\nRequire multi-party approval / escalation for admin-level account resets\r\nRequire in-person verification if the process can’t be followed remotely\r\nFreeze self-service resets when suspicious behavior is encountered (this would require some kind of internal process and awareness training to raise the alarm if an attack is suspected)\r\nAnd watch out for these gotchas:\r\nIf you receive a call, good practice is to terminate the call and dial the number on file for the employee. But, in a world of SIM swapping, this isn’t a foolproof solution — you could just be re-dialing the attacker.\r\nIf your solution is to get the employee on camera, increasingly sophisticated deepfakes can thwart this approach.\r\nBut, help desks are a target for a reason. They’re “helpful” by nature. This is usually reflected in how they’re operated and performance measured — delays won’t help you to hit those SLAs! Ultimately, a process only works if employees are willing to adhere to it — and can’t be socially engineered to break it.\r\nHelp desks that are removed from day-to-day operations (especially when outsourced or offshored) are also inherently susceptible to attacks where employees are impersonated.\r\nBut, the attacks we’re experiencing at the moment should give security stakeholders plenty of ammunition as to why help desk reforms are vital to securing the business (and what can happen if you don’t make changes).\r\n3. Scattered Spider don’t just do help desk scams\r\nAll that said, there’s a bigger picture here — help desk scams aren’t the only tool in the Scattered Spider toolkit.\r\nThey’ve consistently used a range of techniques, with a particular affinity for SIM swapping, smishing, and even basic credential phishing (usually targeted at Okta accounts).\r\nAnd this year, security researchers have observed Scattered Spider increasingly using Attacker-in-the-Middle (AiTM) phishing toolkits to bypass MFA.\r\nScattered Spider phishing pages running Evilginx\r\nSource: Researchers at SilentPush\r\nThis is very much on-brand for Scattered Spider. They exclusively use identity-based methods for their initial intrusions, all of which are designed to bypass MFA and achieve account takeover.\r\nTheir attacks are usually very direct. Scattered Spider tend to go straight for accounts that have elevated permissions, enabling them to quickly progress their attack.\r\nFor example, in the 2023 MGM attack, the attacker directly accessed an account with Super Admin permissions in Okta, which they combined with an inbound federation attack to impersonate any user in the tenant, get Azure admin privileges, and authenticate to the Azure-hosted VMware environment where they deployed ransomware.\r\nThey’ve also demonstrated that they are specifically targeting VMware servers for ransomware deployment/encryption, as noted in the MGM and M\u0026S attacks. By targeting the VMware hypervisor (usually by adding their compromised identity to the Admins group in vCenter), they’re able to consciously evade endpoint-level controls running on the virtual machines themselves, such as EDR.\r\nParticularly if we consider the bigger picture with adjacent groups like ShinyHunters, who were behind the Snowflake attacks in 2024, and the severity of their attacks, we can see similar goals but different ways of achieving those goals.\r\nThe Snowflake attacks leveraged stolen credentials from prior infostealer infections dating back to 2021 to log into accounts without MFA (with widespread MFA gaps a big problem due to the nature of Snowflake identity management at the time), resulting in hundreds of millions of breached records across 165 victims.\r\nYou can also look at groups like Lapsus$, who’ve demonstrated strikingly similar techniques in the past too.\r\nSo in summary, Scattered Spider uses a range of identity-based techniques to take over privileged accounts for their initial intrusion, all of which are designed to bypass MFA. They aren’t wedded to any specific technique though, and will use whatever means necessary within that identity-based framework to get the job done.\r\nConclusion\r\nYou can think of Scattered Spider as a kind of “post-MFA” threat actor that does everything they can to evade established security controls.\r\nBy targeting identities and account takeovers, they bypass endpoint and network surfaces as much as possible, until the very end of the attack chain — by which point it’s almost too late to be relying on those controls.\r\nSo, don’t over-index on help desk scams — you need to consider your broader identity attack surface and various intrusion methods, from apps and accounts with MFA gaps, local accounts giving attackers a backdoor into accounts otherwise accessed with SSO, and MFA-bypassing AiTM phishing kits that are the new normal for phishing attacks.\r\nWant to know more about Scattered Spider?\r\nWatch this on-demand webinar from researchers at Push Security to learn more about Scattered Spider’s TTP evolution and what you can do to defend your organization.\r\nLearn how Push Security stops identity attacks\r\nPush Security provides comprehensive identity attack detection and response capabilities against techniques like AiTM phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix identity vulnerabilities across every app that your employees use, like: ghost logins; SSO coverage gaps; MFA gaps; weak, breached and reused passwords; risky OAuth integrations; and more.\r\nIf you want to learn more about how Push helps you to detect and defeat common identity attack techniques, book some time with one of our team for a live demo.\r\nSponsored and written by Push Security.\r\nSource: https://www.bleepingcomputer.com/news/security/scattered-spider-three-things-the-news-doesnt-tell-you/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/scattered-spider-three-things-the-news-doesnt-tell-you/"
	],
	"report_names": [
		"scattered-spider-three-things-the-news-doesnt-tell-you"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest",
				"Roasted 0ktapus",
				"Scatter Swine",
				"Scattered Spider",
				"UNC3944"
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434601,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0e608d47c4ca792f4e322dec9d03a6187be7c80b.pdf",
		"text": "https://archive.orkl.eu/0e608d47c4ca792f4e322dec9d03a6187be7c80b.txt",
		"img": "https://archive.orkl.eu/0e608d47c4ca792f4e322dec9d03a6187be7c80b.jpg"
	}
}