{
	"id": "dbe496d1-f289-4dc3-8b3a-ae504d13e94e",
	"created_at": "2026-04-06T00:10:50.817622Z",
	"updated_at": "2026-04-10T13:12:33.861642Z",
	"deleted_at": null,
	"sha1_hash": "253535ae7a94246b22e50a481e96c642779d7501",
	"title": "ESET discovers Attor, a spy platform with curious GSM fingerprinting",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 379529,
	"plain_text": "ESET discovers Attor, a spy platform with curious GSM fingerprinting\r\nBy Zuzana Hromcová\r\nArchived: 2026-04-05 16:27:19 UTC\r\nESET researchers have discovered a new espionage platform with a complex architecture, a host of measures to make\r\ndetection and analysis more difficult and two notable features. First, its GSM plugin uses the AT command protocol, and\r\nsecond, it uses Tor for its network communications. ESET researchers thus named the cyberespionage platform Attor.\r\nTargets\r\nAttor’s espionage operation is highly targeted – we were able to trace Attor’s operation back to at least 2013, yet we only\r\nidentified a few dozen victims. Despite that, we were able to learn more about the intended victims by analyzing artifacts in\r\nthe malware.\r\nFor example, in order to be able to report on the victim’s activities, Attor monitors active processes to take screenshots of\r\nselected applications. Only certain applications are targeted – those with specific substrings in the process name or window\r\ntitle.\r\nBesides standard services such as popular web browsers, instant messaging applications and email services, the list of\r\ntargeted applications contains several Russian services, as detailed in Table 1.\r\nTable 1. Domains misused in the campaign #colspan#\r\nProcess name/window title substring Context\r\nОДНОКЛАССНИКИ (transl. Classmates)\r\nRussian social network\r\n(Odnoklassniki)\r\nAGENTVKONTAKTE Russian social network (VKontakte)\r\nWEBMONEY\r\nOnline payment system used in Russia\r\n(WebMoney)\r\nMAIL.YANDEX, ЯНДЕКС.ПОЧТА (transl. Yandex.Mail), MAIL.RU,\r\nPOCHTA (transl. Mail), MAGENT\r\nRussian email services (Mail.ru,\r\nYandex.Mail)\r\nПРИГЛАШЕНИЕ ДРУЖИТЬ (transl. Friend request) Russian text\r\nВАМ СООБЩЕНИЕ (transl. Message for you) Russian text\r\nMULTIFON Russian VoIP service\r\nQIP, INFIUM Russian IM application (QIP)\r\nRAMBLER Russian search engine (Rambler)\r\nThe list includes the two most popular social networks in Russia (Odnoklassniki, VKontakte) and a VoIP service provided\r\nby a Russian telecom operator (Multifon). Our conclusion is that Attor is specifically targeting Russian-speakers, which is\r\nfurther supported by the fact that most of the targets are located in Russia, as seen in Figure 1. Other targets are located in\r\nEastern Europe, and they include diplomatic missions and governmental institutions.\r\nhttps://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/\r\nPage 1 of 12\n\nFigure 1. Countries affected by Attor\r\nIn addition to its geographical and language targeting, Attor’s creators appear to be specifically interested in users concerned\r\nabout their privacy.\r\nAttor is configured to capture screenshots of encryption/digital signature utilities, the VPN service HMA, end‑to‑end\r\nencryption email services Hushmail and The Bat!, and the disk encryption utility TrueCrypt.\r\nThe victim’s usage of TrueCrypt is further inspected in another part of Attor. It monitors hard disk devices connected to the\r\ncompromised computer, and searches for the presence of TrueCrypt. If TrueCrypt is detected, its version is determined by\r\nsending IOCTLs to the TrueCrypt driver (0x222004 (TC_IOCTL_GET_DRIVER_VERSION) and 0x72018\r\n(TC_IOCTL_LEGACY_GET_DRIVER_VERSION)). As these are TrueCrypt-specific control codes, not standard codes,\r\nthe authors of the malware must actually understand the open-source code of TrueCrypt installer. We have not seen this\r\ntechnique used before nor seen it documented in other malware.\r\nhttps://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/\r\nPage 2 of 12\n\nFigure 2. The Device monitor plugin sends non-standard, TrueCrypt-specific control codes to the TrueCrypt driver, in order\r\nto determine the TrueCrypt version\r\nPlatform architecture\r\nAttor consists of a dispatcher and loadable plugins, all of which are implemented as dynamic-link libraries (DLLs). The first\r\nstep of a compromise comprises dropping all these components on disk and loading the dispatcher DLL.\r\nThe dispatcher is the core of the whole platform – it serves as a management and synchronization unit for the additional\r\nplugins. On each system start, it injects itself into almost all running processes and loads all available plugins within each of\r\nthese processes. As an exception, Attor avoids injection into some system and security‑product‑related processes.\r\nAll plugins rely on the dispatcher for implementing basic functionalities. Rather than calling Windows API functions\r\ndirectly, the plugins use a reference to a helper function (a function dispatcher) implemented by the dispatcher DLL. A\r\nreference to the function dispatcher is passed to the plugins when they are loaded. Because the plugins are injected in the\r\nsame process as the dispatcher itself, they share the same address space and are thus able to call this function directly.\r\nhttps://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/\r\nPage 3 of 12\n\nCalls to the function dispatcher take as their arguments the function type and its numerical identifier. This design makes it\r\nharder to analyze individual components of Attor without having access to the dispatcher, as it translates the specified\r\nidentifier to a meaningful function that is then executed.\r\nFigure 3 illustrates a part of one plugin, calling the function dispatcher on several occasions. In the disassembly on the right,\r\nwe have replaced the numeric identifiers (that we recovered by reverse-engineering the dispatcher) with descriptive names.\r\nRefer to our white paper for a full analysis of the dispatcher’s interface.\r\nFigure 3. Additional plugins use functions implemented in the main module, by calling the function dispatcher (dubbed\r\nhelperFnc here)\r\nFurthermore, the dispatcher is the only component of the platform that has access to the configuration data. Attor’s plugins\r\nretrieve their configuration data from the dispatcher via the interface, as described above.\r\nhttps://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/\r\nPage 4 of 12\n\nPlugins\r\nAttor’s plugins are delivered to the compromised computer as DLLs, asymmetrically encrypted with RSA. The plugins are\r\nonly fully recovered in memory, using the public RSA key embedded in the dispatcher. As a result, it is difficult to obtain\r\nAttor’s plugins, and to decrypt them, without access to the dispatcher.\r\nWe were able to recover eight of Attor’s plugins, some in multiple versions – we list them in Table 2. Assuming the\r\nnumbering of plugins is continuous, and that actors behind Attor may use different sets of plugins on a per‑victim basis, we\r\nsuspect there are even more plugins that have not yet been discovered.\r\nTable 2. The analyzed plugins and their\r\nversions\r\n#colspan# #colspan#\r\nPlugin ID Analyzed versions Functionality\r\n0x01 0x0E Device monitor\r\n0x02 (no version), 0x0C Screengrabber\r\n0x03\r\n(no version), 0x08, 0x09, 0x0B,\r\n0x0C\r\nAudio recorder\r\n0x05 0x0A File uploader\r\n0x06 0x0A\r\nCommand dispatcher/SOCKS\r\nproxy\r\n0x07 0x02, 0x04, 0x09, 0x0A Key/clipboard logger\r\n0x0D 0x03 Tor client\r\n0x10 0x01 Installer/watchdog\r\nThe plugins are responsible for persistence of the platform (Installer/watchdog plugin), for collecting sensitive information\r\n(Device monitor, Screengrabber, Audio recorder, Key/clipboard logger) and for network communication with the C\u0026C\r\nserver (File uploader, Command dispatcher/SOCKS proxy, Tor client).\r\nAttor has built-in mechanisms for adding new plugins, for updating itself, and for automatically exfiltrating collected data\r\nand log files. These mechanisms are illustrated in Figure 4.\r\nIn the following sections, we focus on plugins responsible for the two notable features that gave Attor its name – GSM\r\nfingerprinting via AT commands, and elaborate network communication using Tor.\r\nhttps://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/\r\nPage 5 of 12\n\nFigure 4. Attor’s architecture. Note that ID 0x06 represents a single plugin, but the functionality is split here into two parts\r\nfor clarity.\r\nNetwork communication\r\nAttor’s espionage plugins collect sensitive data (such as a list of documents present on the disk) that are ultimately\r\nexfiltrated to a remote server, but these plugins themselves do not communicate over the network.\r\nOnly two of Attor’s components communicate with its C\u0026C server: File uploader and Command dispatcher.\r\nFiles collected by the “espionage plugins” (Device monitor, Screengrabber, Audio recorder, and Key/clipboard logger) are\r\nuploaded to the C\u0026C server automatically by the File uploader plugin. These plugins use a dedicated Upload folder as a\r\ncentral folder to store collected data, and other plugins use it to store log files.\r\nThe Command dispatcher plugin downloads commands and additional tools from the C\u0026C server and interprets them.\r\nAgain, it uses dedicated folders to store its data – most prominently, freshly downloaded plugins and platform updates, and\r\nencrypted log data containing status/results of the executed commands.\r\nAttor’s dispatcher monitors the shared folders, and loads any new plugins and updates pushed to the compromised computer.\r\nThis means that neither Attor’s dispatcher, nor espionage plugins, ever communicate with the C\u0026C server – they only use\r\nlocal shared folders for storing data to be exfiltrated and for reading further instructions from the server.\r\nBoth File uploader, and Command dispatcher use the same infrastructure to reach the remote server – the network\r\ncommunication itself is scattered across four different Attor components, each implementing a different layer.\r\nAttor uses Tor: Onion Service Protocol, with an onion address for the C\u0026C server. In order to communicate with the C\u0026C\r\nserver, any plugin must thus first establish a connection with the Tor client plugin (listening on the non‑default\r\n127.0.0.1:8045) which is responsible for resolving the onion domain, choosing a circuit and encrypting data in layers. The\r\nhttps://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/\r\nPage 6 of 12\n\nTor client plugin is based on the Tor client, and customized to the design of this malware (tor.exe with added interaction with\r\nAttor’s dispatcher).\r\nThe Tor client plugin must communicate with the dispatcher, which implements the cryptographic functions. Furthermore, it\r\ncommunicates with the SOCKS proxy plugin (listening on 127.0.0.1:5153) that relays communications between the Tor\r\nclient and the remote server.\r\nBoth File uploader and Command dispatcher use FTP; files are uploaded to/downloaded from an FTP server that is\r\nprotected by credentials hardcoded in the configuration:\r\nC\u0026C server: idayqh3zhj5j243t[.]onion\r\nUsername: do\r\nPassword: [Redacted]\r\nThe plugins log in to the FTP server and copy the collected data to, or download commands from, a victim‑specific\r\ndirectory.\r\nIn total, the infrastructure for C\u0026C communication spans four Attor components – the dispatcher providing encryption\r\nfunctions, and three plugins implementing the FTP protocol, the Tor functionality and the actual network communication, as\r\nillustrated in Figure 5. This mechanism makes it impossible to analyze Attor’s network communication unless all pieces of\r\nthe puzzle have been collected.\r\nhttps://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/\r\nPage 7 of 12\n\nFigure 5. Four Attor components cooperate to enable communication with the C\u0026C server\r\nIt is important to note that Attor uses several additional tricks to hide its communications from the user and security\r\nproducts:\r\nFirst, the C\u0026C server is a Tor service, aiming for anonymity and untraceability.\r\nSecond, all network-communication-related plugins are only activated if running within the process of a web browser or an\r\ninstant messaging application or other network applications (this is determined by checking the process name against a\r\nhardcoded list). This trick hides the exfiltration-related network communication in a stream of legitimate communications\r\nmade by that application, and thus reduces the risk of raising any suspicion.\r\nGSM fingerprinting\r\nThe most curious plugin in Attor’s arsenal collects information about both connected modem/phone devices and connected\r\nstorage drives, and about files present on these drives. It is responsible for collection of metadata, not the files themselves,\r\nso we consider it a plugin used for device fingerprinting, and hence likely used as a base for further data theft.\r\nhttps://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/\r\nPage 8 of 12\n\nWhile Attor’s functionality of fingerprinting storage drives is rather standard, its fingerprinting of GSM devices is unique.\r\nWhenever a modem or a phone device is connected to a COM port, Device monitor uses AT commands to communicate\r\nwith the device, via the associated serial port.\r\nAT commands, also known as Hayes command set, were originally developed in the 1980s to command a modem to dial,\r\nhang up or change connection settings. The command set was subsequently extended to support additional functionality,\r\nboth standardized and vendor-specific.\r\nIn a recent paper, it was discovered that the commands are still in use in most modern smartphones. Those researchers were\r\nable to bypass security mechanisms and communicate with smartphones using AT commands through their USB interface.\r\nThousands of commands were recovered and tested, including those to send SMS messages, emulate on-screen touch\r\nevents, or leak sensitive information. That research illustrates that the old‑school AT commands pose a serious risk when\r\nmisused.\r\nAs for Attor’s plugin, however, we may only speculate why AT commands are employed. We have detected a 64‑bit version\r\nof this plugin in 2019, and we can confirm it is still a part of the newest Attor version (that we first saw in 2018). On the\r\nother hand, it seems unlikely it is targeting modern smartphone devices. The plugin ignores devices connected via a USB\r\nport, and only contacts those connected via a serial port (more precisely, devices whose friendly names match “COM*”).\r\nA more likely explanation of the plugin’s main motive is that it targets modems and older phones. Alternatively, it may be\r\nused to communicate with some specific devices (used by the victim or target organization) that are connected to the COM\r\nport or to the USB port using a USB-to-serial adaptor. In this scenario, it is possible the attackers have learned about the\r\nvictim’s use of these devices using some other reconnaissance techniques.\r\nIn any case, the plugin retrieves the following information from the connected devices, using the AT commands listed in\r\nTable 3:\r\nBasic information about the mobile phone or GSM/GPRS modem: name of manufacturer, model number, IMEI\r\nnumber and software version\r\nBasic information about the subscriber: MSISDN and IMSI number\r\nTable 3. The commands\r\nof the AT protocol used\r\nby the Device monitor\r\nplugin\r\n#colspan#\r\nAT command Functionality\r\nAT Signals start of communication (AT for attention).\r\nAT+MODE=2 Prepares the phone for an extended AT+ command set.\r\nAT+CGSN\r\nRequests IMEI number (International Mobile Equipment Identity), which is a unique\r\nnumber to identify a device.\r\nAT+CGMM Requests information about the model of the device (model number).\r\nAT+CGMI Requests name of the device manufacturer.\r\nAT+CGMR Requests the version of the software loaded on the device.\r\nAT+CNUM\r\nRequests MSISDN (Mobile Station International Subscriber Directory Number), which is\r\nthe mapping of the telephone number to the subscriber identity module in a mobile or\r\ncellular phone.\r\nhttps://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/\r\nPage 9 of 12\n\nTable 3. The commands\r\nof the AT protocol used\r\nby the Device monitor\r\nplugin\r\n#colspan#\r\nAT+CIMI\r\nRequests IMSI (International Mobile Subscriber Identity), which is a unique number\r\nidentifying a GSM subscriber. This number has two parts. The initial part is comprised of\r\nsix digits in the North American standard and five digits in the European standard. It\r\nidentifies the GSM network operator in a specific country with whom the subscriber holds\r\nan account. The second part is allocated by the network operator to identify the subscriber\r\nuniquely.\r\nNote that many more (vendor-specific) AT commands exist that are not used by this plugin. It is possible that the malware\r\noperators use the listed commands to fingerprint the connected devices, and then deploy another plugin with more specific\r\ncommands to extract information from the device.\r\nConclusion\r\nAttor is an espionage platform, used for highly targeted attacks against high-profile users in Eastern Europe, and Russian-speaking, security-concerned users.\r\nThe malware, which has flown under the radar since 2013, has a loadable-plugin architecture that can be used to customize\r\nthe functionality to specific victims. It includes an unusual plugin for GSM fingerprinting that utilizes the rarely used AT\r\ncommand set, and incorporates Tor with the aim of anonymity and untraceability.\r\nOur research provides a deep insight into the malware and suggests that it is well worth further tracking of the operations of\r\nthe group behind it.\r\nESET detection names and other Indicators of Compromise for these campaigns can be found in the full white paper: AT\r\ncommands, TOR-based communications: Meet Attor, a fantasy creature and also a spy platform.\r\nAcknowledgements to Anton Cherepanov, Peter Košinár, and Zoltán Rusnák for their work on this investigation.\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Description\r\nExecution\r\nT1106 Execution through API Attor’s dispatcher uses CreateProcessW API for execution.\r\nT1129\r\nExecution through\r\nModule Load\r\nAttor’s dispatcher executes additional plugins by loading the respective DLL\r\nT1085 Rundll32 Plugin 0x10 schedules rundll32.exe to load the dispatcher.\r\nT1053 Scheduled Task\r\nPlugin 0x10 schedules rundll32.exe to be executed on each boot/logon, and\r\nsubsequently to load the dispatcher.\r\nT1035 Service Execution Attor’s dispatcher can be executed as a service.\r\nPersistence\r\nT1037 Logon Scripts\r\nAttor’s dispatcher can establish persistence via adding a Registry key with a\r\nlogon script:\r\nHKEY_CURRENT_USER\\Environment\"UserInitMprLogonScript\".\r\nT1050 New Service Attor’s dispatcher can establish persistence by registering a new service.\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\*ControlSet*\\Control\\SafeBoot\\Min\r\nhttps://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/\r\nPage 10 of 12\n\nTactic ID Name Description\r\nregistry keys are updated to execute the service even in Safe mode and Safe\r\nmode with networking.\r\nT1053 Scheduled Task Plugin 0x10 schedules a new task that loads the dispatcher on boot/logon.\r\nDefense\r\nEvasion\r\nT1140\r\nDeobfuscate/Decode\r\nFiles or Information\r\nStrings are encrypted with a XOR cipher, using a hardcoded key.\r\nConfiguration data, log files and plugins are encrypted using a hybrid encryp\r\nscheme – Blowfish-OFB combined with RSA.\r\nT1107 File Deletion The collected files and log files are deleted after exfiltration by plugin 0x05.\r\nT1158\r\nHidden Files and\r\nDirectories\r\nThe attributes of log files and directories are set to\r\nHIDDEN/SYSTEM/ARCHIVE (or combination of those).\r\nT1036 Masquerading\r\nAttor’s dispatcher disguises itself as a legitimate task (i.e., the task name and\r\ndescription appear legitimate).\r\nT1112 Modify Registry Attor’s dispatcher can modify the Run registry key.\r\nT1055 Process Injection\r\nAttor’s dispatcher injects itself into running processes, to gain higher privileg\r\nand to evade detection. It avoids specific system and Symantec processes.\r\nT1108 Redundant Access\r\nBoth 32-bit and 64-bit versions of Attor’s dispatcher are executed; also they\r\ninjected into almost all processes.\r\nThere is a watchdog component, implemented in the dispatcher or as a separ\r\nplugin, that reinstalls Attor if it has been removed.\r\nT1099 Timestomp\r\nThe time of last access to files and registry keys is manipulated after they ha\r\nbeen created/modified.\r\nT1497\r\nVirtualization/Sandbox\r\nEvasion\r\nAttor can detect whether it is executed in some virtualized or emulated\r\nenvironments. If detected, it terminates itself immediately.\r\nCredential\r\nAccess\r\nT1056 Input Capture User credentials can be collected by plugin 0x07 via capturing keystrokes.\r\nDiscovery\r\nT1083\r\nFile and Directory\r\nDiscovery\r\nPlugin 0x01 enumerates files with specific extensions on all hard disk drives\r\nstores file information in encrypted log files.\r\nT1120\r\nPeripheral Device\r\nDiscovery\r\nPlugin 0x01 collects information about inserted storage devices, modems and\r\nphone devices.\r\nT1082\r\nSystem Information\r\nDiscovery\r\nAttor monitors the free disk space on the system.\r\nCollection T1123 Audio Capture Plugin 0x03 is capable of recording audio using available input sound device\r\nT1119 Automated Collection Attor automatically collects data about the compromised system.\r\nT115 Clipboard Data\r\nPlugin 0x07 collects data stored in the Windows clipboard by using the\r\nOpenClipboard and GetClipboardData APIs.\r\nT1074 Data Staged Collected data is staged in a central upload directory prior to exfiltration.\r\nT1056 Input Capture\r\nPlugin 0x07 captures keystrokes pressed within the window of the process w\r\nAttor is injected.\r\nhttps://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/\r\nPage 11 of 12\n\nTactic ID Name Description\r\nT1113 Screen Capture Plugin 0x02 captures screenshots of target applications.\r\nCommand\r\nand\r\nControl\r\nT1043 Commonly Used Port Attor uses port 21 for C\u0026C communication.\r\nT1188 Multi-hop Proxy Attor uses Tor for C\u0026C communication.\r\nT1079 Multilayer Encryption\r\nAttor sends encrypted traffic using Tor, which itself uses multiple layers of\r\nencryption.\r\nT1105 Remote File Copy Attor can download additional plugins, updates and other files.\r\nT1071\r\nStandard Application\r\nLayer Protocol\r\nFTP protocol is used for C\u0026C communication.\r\nT1032\r\nStandard\r\nCryptographic\r\nProtocol\r\nA combination of Blowfish-OFB and RSA is used for data encryption.\r\nExfiltration T1020\r\nAutomated\r\nExfiltration\r\nExfiltration of the collected data and log files is done automatically by plugin\r\n0x05.\r\nT1022\r\nData\r\nEncrypted\r\nAttor encrypts data\r\nwith a combination of\r\nBlowfish and RSA\r\nciphers before sending\r\nit to the C\u0026C server.\r\nT1041\r\nExfiltration\r\nOver\r\nCommand\r\nand\r\nControl\r\nChannel\r\nAttor exfiltrates data\r\nover the C\u0026C channel.\r\nSource: https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/\r\nhttps://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/\r\nPage 12 of 12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/"
	],
	"report_names": [
		"eset-discovers-attor-spy-platform"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a76ba723-d744-472a-b683-19d80e105d9f",
			"created_at": "2023-01-06T13:46:39.089347Z",
			"updated_at": "2026-04-10T02:00:03.209505Z",
			"deleted_at": null,
			"main_name": "Attor",
			"aliases": [],
			"source_name": "MISPGALAXY:Attor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434250,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/253535ae7a94246b22e50a481e96c642779d7501.pdf",
		"text": "https://archive.orkl.eu/253535ae7a94246b22e50a481e96c642779d7501.txt",
		"img": "https://archive.orkl.eu/253535ae7a94246b22e50a481e96c642779d7501.jpg"
	}
}