{
	"id": "35627a57-8ca3-4e42-881c-2e5406ac1d6d",
	"created_at": "2026-04-06T00:21:53.263533Z",
	"updated_at": "2026-04-10T03:32:20.666896Z",
	"deleted_at": null,
	"sha1_hash": "0ef315f05a5e423406d6fff096b772dc24be7ba3",
	"title": "WyrmSpy and DragonEgg: Lookout Attributes Android Spyware to China’s APT41",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2132705,
	"plain_text": "WyrmSpy and DragonEgg: Lookout Attributes Android Spyware to China’s APT41\r\nBy Lookout\r\nPublished: 2023-07-19 · Archived: 2026-04-05 16:01:20 UTC\r\nWhat are WyrmSpy and DragonEgg surveillanceware?\r\nWyrmSpy and DragonEgg are two advanced Android surveillanceware that Lookout attributes to high-profile Chinese threat group APT41, also known as Double Dragon, BARIUM, and Winnti.\r\nWhile APT41 is mostly known for exploiting web-facing applications and infiltrating traditional endpoint devices, these malware are rare reported instances of the group exploiting mobile platforms.\r\nLookout Threat Lab researchers have been actively tracking both spyware and providing coverage to Lookout Mobile Endpoint Security customers. We provided the first detailed write-up of WyrmSpy to our Threat Intelligence Services subscribers in October 2020. The Lookout Security Graph first ingested samples of WyrmSpy in 2017, while DragonEgg was first detected in early 2021 and our latest example dates to April 2023.\r\nBoth surveillanceware appear to have sophisticated data collection and exfiltration capabilities and hide those functions in additional modules that are downloaded after they are installed. WyrmSpy primarily masquerades as a default operating system app, while DragonEgg pretends to be third-party keyboard or messaging apps.\r\nWhat is the APT41 espionage group?\r\nAPT41 is a state-sponsored APT espionage group based in the People’s Republic of China that has been active since 2012. Unlike many nation-state-backed APT groups, APT41 has a track record of compromising both government organizations for espionage, as well as different private enterprises for financial gain.\r\nAccording to U.S. 
grand jury indictments from 2019 and 2020, the group was involved in compromising over 100 public and private organizations, and individuals in the United States and around the world, including Australia, Japan, India, South Korea, Singapore, and Taiwan. These targets include software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, universities, think tanks, and foreign governments, as well as pro-democracy politicians and activists in Hong Kong.\r\nThe U.S. Department of Justice’s indictment named five individuals associated with APT41, three of whom — Jiang Lizhi (蒋立志), Qian Chuan (钱川), and Fu Qiang (付强) — are publicly listed in leadership positions of Chinese company Chengdu 404 Network Technology Co., Ltd., a.k.a. “Chengdu 404.”\r\nhttps://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41\r\nPage 1 of 12\n\nThe indictment charges the men with conspiracy, racketeering, money laundering, fraud, identity theft, access device fraud, unauthorized access to protected computers and wire fraud in association with Chengdu 404.\r\nThe FBI notice poster with images of the individuals charged in connection to APT41’s cyber espionage activities.\r\nA Chinese business directory listing for Chengdu 404 lists Qian Chuan as “Managing Director” and Jiang Lizhi as “Manager.” Chengdu 404 is described as “a network technology company.”\r\nAPT41’s connection with WyrmSpy and DragonEgg\r\nDragonEgg and WyrmSpy are connected to each other through their use of overlapping Android signing certificates. 
Some versions of WyrmSpy introduced unique signing certificates that were later observed in use by DragonEgg developers.\r\nIt was through WyrmSpy that Lookout was able to attribute the two malware to APT41, due to a link between the command-and-control (C2) infrastructure hard-coded into the malware’s source code and Chengdu 404. Early samples use IP address “121.42.149[.]52” as part of its C2 infrastructure, which was the resolving IP for a subdomain, “vpn2.umisen[.]com,” a part of the hacking infrastructure APT41 used between May 2014 and August 2020, as revealed in the U.S. Department of Justice’s indictment.\r\nWyrmSpy includes a hard-coded C2 IP address, “121.42.149[.]52”, used as a resolving IP for a known APT41 domain.\r\n“Vpn2.umisen[.]com” is a subdomain of umisen[.]com, which itself resolved only to 121.42.149[.]52 from the end of 2015 through late 2017. A total of 14 samples that Lookout researchers analyzed communicated with this IP address; they appear to have been packaged between March and July 2017.\r\nThe IP address found in earlier WyrmSpy samples was the resolving IP for “umisen[.]com” between December 2015 and August 2017, when malware samples containing this C2 were created and distributed.\r\nA WHOIS record for “umisen[.]com” from 2015 and 2016 lists one of the individuals named in the indictment, Jiang Lizhi, as the registrant for the domain. 
The email listed in the WHOIS record, “huliwahaha@gmail[.]com,” resembles a password, “wahaha@20170”, which is also mentioned in the indictment.\r\nHow are WyrmSpy and DragonEgg deployed?\r\nIt appears that the targeting of WyrmSpy and DragonEgg varies greatly.\r\nWyrmSpy primarily masquerades as a default Android system app used for displaying notifications to the user. Later variants package the malware into apps masquerading as adult video content, the “Baidu Waimai” food delivery platform, and Adobe Flash.\r\nDragonEgg has been observed in apps purporting to be third-party Android keyboards and messaging apps like Telegram.\r\nLookout researchers have not yet encountered samples in the wild and assess with moderate confidence that they are distributed to victims through social engineering campaigns. Google confirmed that, based on current detection, no apps containing this malware are found on Google Play.\r\nNotable capabilities of WyrmSpy and DragonEgg\r\nThe two malware request extensive device permissions while relying on modules that are downloaded after the apps are installed to enable data-exfiltration capabilities.\r\nWyrmSpy capabilities\r\nAfter it’s installed and launched, WyrmSpy uses known rooting tools to gain escalated privileges on the device and perform surveillance activities specified by commands received from its C2 servers. 
These commands include instructing the malware to upload log files and photos stored on the device, and to acquire device location using the Baidu Location library.\r\nAlthough we were not able to acquire additional modules from the C2 infrastructure at the time of discovery, we assess with high confidence that a secondary payload is used by the malware to perform additional surveillance functionality. This is based on the permissions that WyrmSpy obtains but does not use in the code contained in the app, which indicates abilities to exfiltrate additional data, such as SMS and audio recordings.\r\nConfiguration files used by the malware to execute instructions received from the C2 further support this hypothesis, with references to “AudioRecord” and “Files” set to true or false based on received commands.\r\nPotential data that WyrmSpy collects\r\nLog files\r\nPhotos\r\nDevice location\r\nSMS messages (read and write)\r\nAudio recording\r\nDragonEgg capabilities\r\nSimilar to WyrmSpy, DragonEgg appears to rely on additional payloads to implement the full scale of its surveillance functionality.\r\nAt launch, the malware acquires — either from C2 infrastructure or a bundled file within the APK — a payload often named “smallmload.jar” which attempts to acquire and launch additional functionality. Like WyrmSpy, the DragonEgg samples request extensive permissions for services that are not directly exploited in the core app.\r\nWe suspect that by trojanizing legitimate chat apps like Telegram, APT41 is trying to remain inconspicuous while requesting access to extensive device data. 
Messaging apps typically request access to sensitive device data, and by hiding its surveillance functionality within a large, fully functional app, the threat actor is better able to remain inconspicuous while the app is running on the device or statically analyzed by a researcher.\r\nPotential data that DragonEgg collects\r\nDevice contacts\r\nSMS messages\r\nExternal device storage files\r\nDevice location\r\nAudio recording\r\nCamera photos\r\nWyrmSpy technical analysis\r\nCommunications with C2 and configuration files\r\nWyrmSpy relies on commands received from its C2, as well as configuration files, to determine the actions it takes against the compromised device and the data it exfiltrates. As server-side code is not accessible from the C2, it is not yet clear whether the threat actor has automated the commands sent to the malware client, or whether direct human interaction is required.\r\nThe configuration files are created and populated by WyrmSpy on startup and form the basis of its behavior on an infected device. As the malware interacts with the device and receives instructions from its C2, it modifies the configuration files accordingly.\r\nAdditional configuration files contain information about the C2, as well as metadata and identifiers that were initially collected about the infected device. A file named “ManifestFile.json” is acquired from the C2 and specifies C2 beaconing intervals, lists of files for upload and download, and a list of shell commands to execute on the device.\r\nWyrmSpy relies on commands received from its C2, as well as configuration files to determine the actions it takes against the compromised device and the data it exfiltrates.\r\nRooting the device\r\nWyrmSpy leverages well-known rooting tools such as KingRoot and IovyRoot/IvyRoot. 
It’s also able to disable SELinux on appropriate versions of Android, an action attackers sometimes take in order to access data they might not otherwise be able to reach.\r\nIf the packaged rooting tool does not work or does not exist, and if the device is not already rooted, the malware queries the C2 infrastructure with the model and kernel version of the infected device. It then receives a response containing a file name, which the malware uses to download additional rooting binaries from C2 infrastructure if one exists for the specified device.\r\nThe malware attempts to acquire an additional rooting tool to gain root privileges if the bundled tools, like KingRoot, are unsuccessful.\r\nDragonEgg technical analysis\r\nSimilar to WyrmSpy, DragonEgg relies on a secondary payload often named “smallmload.jar” to load a tertiary module.\r\nDragonEgg relies on a secondary payload that’s often named “smallmload.jar.”\r\nIn DragonEgg’s logging messages, the developers refer to the tertiary module acquired by the “smallmload” class files as “forensics program (T1 version)”. Naming surveillance tools as “forensics program” is common amongst Chinese-speaking defense or software development firms. 
This is in contrast to the use of “trojan” or other malware-related monikers that independent developers of surveillance tools would use.\r\nBy the time we analyzed DragonEgg, its C2 infrastructure was already offline, which prevented Lookout researchers from acquiring this “T1” forensics tool loaded by the core application.\r\nDragonEgg developers refer to the tertiary payload as the “forensics program (T1 version)”.\r\nIndicators of Compromise\r\nWyrmSpy\r\nInfrastructure\r\n116.205.4[.]18\r\ndns.win10micros0ft[.]com\r\nwww.andropwn[.]xyz\r\n121.42.149[.]52\r\nupdate.umisen[.]com\r\nDragonEgg\r\nInfrastructure\r\n118.193.39[.]165\r\n121.201.109[.]98\r\nalxc.tbtianyan[.]com\r\nyxwasec[.]com\r\nsmiss.imwork[.]net\r\nhuaxin-bantian.duckdns[.]org\r\n103.43.17[.]99\r\nLookout would like to thank former Lookout researcher Apurva Kumar for her extensive contribution to this research.\r\nSource: https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41"
	],
	"report_names": [
		"wyrmspy-dragonegg-surveillanceware-apt41"
	],
	"threat_actors": [
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434913,
	"ts_updated_at": 1775791940,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ef315f05a5e423406d6fff096b772dc24be7ba3.pdf",
		"text": "https://archive.orkl.eu/0ef315f05a5e423406d6fff096b772dc24be7ba3.txt",
		"img": "https://archive.orkl.eu/0ef315f05a5e423406d6fff096b772dc24be7ba3.jpg"
	}
}