{
	"id": "8180cfc0-27a4-457a-9723-8887bdc5f957",
	"created_at": "2026-04-06T00:08:34.218573Z",
	"updated_at": "2026-04-10T03:34:41.575564Z",
	"deleted_at": null,
	"sha1_hash": "33b1ffd3c339cdc6a31e744bab657607517c61af",
	"title": "iOS exploit chain deploys LightSpy feature-rich malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2382894,
	"plain_text": "iOS exploit chain deploys LightSpy feature-rich malware\r\nBy Alexey Firsh\r\nPublished: 2020-03-26 · Archived: 2026-04-05 15:27:20 UTC\r\nA watering hole was discovered on January 10, 2020 utilizing a full remote iOS exploit chain to deploy a feature-rich implant named LightSpy. The site appears to have been designed to target users in Hong Kong based on the\r\ncontent of the landing page. Since the initial activity, we released two private reports exhaustively detailing\r\nspread, exploits, infrastructure and LightSpy implants.\r\nhttps://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/\r\nPage 1 of 16\n\nLanding page of watering hole site\r\nWe are temporarily calling this APT group “TwoSail Junk”. Currently, we have hints from known backdoor\r\ncallbacks to infrastructure about clustering this campaign with previous activity. And we are working with\r\ncolleagues to tie LightSpy with prior activity from a long running Chinese-speaking APT group, previously\r\nreported on as Spring Dragon/Lotus Blossom/Billbug(Thrip), known for their Lotus Elise and Evora backdoor\r\nmalware. Considering that this LightSpy activity has been disclosed publicly by our colleagues from TrendMicro,\r\nwe would like to further contribute missing information to the story without duplicating content. And, in our quest\r\nto secure technologies for a better future, we reported the malware and activity to Apple and other relevant\r\ncompanies.\r\nThis supplemental information can be difficult to organize to make for easy reading. In light of this, this document\r\nis broken down into several sections.\r\n1. 1 Deployment timeline – additional information clarifying LightSpy deployment milestone events,\r\nincluding both exploit releases and individual LightSpy iOS implant component updates.\r\n2. 2 Spreading – supplemental technical details on various techniques used to deliver malicious links to\r\ntargets\r\n3. 
Infrastructure – supplemental description of a TwoSail Junk RDP server, the LightSpy admin panel, and\r\nsome related server-side JavaScript\r\n4. Android implant and a pivot into evora – additional information on an Android implant and related\r\ninfrastructure. After pivoting from the infrastructure in the previous section, we find related implants and\r\nbackdoor malware, helping to connect this activity to the previously known SpringDragon APT with low\r\nconfidence.\r\nMore information about LightSpy is available to customers of Kaspersky Intelligence Reporting. Contact:\r\nintelreports@kaspersky.com\r\nDeployment timeline\r\nDuring our investigation, we observed the actor modifying some components involved in the exploit chain on\r\nFebruary 7, 2020 with major changes, and on March 5, 2020 with minor ones.\r\nFigure 1. Brief LightSpy event timeline\r\nThe first observed version of the WebKit exploit dated January 10, 2020 closely resembled a proof of concept\r\n(PoC), containing elements such as buttons, alert messages, and many log statements throughout. The second\r\nversion commented out or removed many of the log statements, changed alert() to print() statements, and also\r\nintroduced some language errors such as “your device is not support…” and “stab not find…”.\r\nBy analyzing the changes in the first stage WebKit exploit, we discovered the list of supported devices was also\r\nsignificantly extended:\r\nTable 1. 
iOS version exploit support expansion\r\nDevice | iOS version | Supported as of Jan 10 | Supported as of Feb 7\r\niPhone 6 | 11.03 | + | –\r\niPhone 6S | 12.01 | + | commented\r\niPhone 6S | 12.2 | – | +\r\niPhone 7 | 12.1 | – | +\r\niPhone 7 | 12.11 | + | +\r\niPhone 7 | 12.12 | + | +\r\niPhone 7 | 12.14 | – | +\r\niPhone 7 | 12.2 | – | +\r\niPhone 7+ | 12.2 | – | +\r\niPhone 8 | 12.2 | – | +\r\niPhone 8+ | 12.2 | – | +\r\niPhone X | 12.2 | – | +\r\nAs seen above, the actor was actively changing implant components, which is why we are providing a full list of\r\nhistorical hashes in the IoC section at the end of this report. There were many minor changes that did not directly\r\naffect the functionality of each component, but there were also some exceptions to this that will be expanded on\r\nbelow. Based on our observations of these changes over a relatively short time frame, we can assess that the actor\r\nimplemented a fairly agile development process, with time seemingly more important than stealthiness or quality.\r\nOne interesting observation involved the “EnvironmentalRecording” plugin (MD5:\r\nae439a31b8c5487840f9ad530c5db391), which was a dynamically linked shared library responsible for recording\r\nsurrounding audio and phone calls. On February 7, 2020, we noticed a new binary (MD5:\r\nf70d6b3b44d855c2fb7c662c5334d1d5) with the same name but no similarities to the earlier one. This new file\r\ndid not contain any environment paths, version stamps, or any other traces from the parent plugin pattern. Its sole\r\npurpose was to clean up the implant components by erasing all files located in “/var/iolight/”, “/bin/light/”, and\r\n“/bin/irc_loader/”. We are currently unsure whether the actor intended to replace the original plugin with an\r\nuninstall package or if this was a result of carelessness or confusion from the rapid development process.\r\nAnother example of a possible mistake involved the “Screenaaa” plugin. 
The first version (MD5:\r\n35fd8a6eac382bfc95071d56d4086945) that was deployed on January 10, 2020 did what we expected: it was a\r\nsmall plugin designed to capture a screenshot, create a directory, and save the captured file in JPEG format.\r\nHowever, the plugin (MD5: 7b69a20920d3b0e6f0bffeefdce7aa6c) with the same name that was packaged on\r\nFebruary 7 had completely different functionality. This binary was actually a LAN scanner based on\r\nMMLanScan, an open source project for iOS that helps scan a network to show available devices along with their\r\nMAC addresses, hostname, and manufacturer. Most likely, this plugin was mistakenly bundled up in the February\r\n7 payload with the same name as the screenshot plugin.\r\nFigure 2. LightSpy iOS implant component layout and communications\r\nSpreading\r\nWe cannot say definitively that we have visibility into all of their spreading mechanisms. We do know that in past\r\ncampaigns, precise targeting of individuals was performed over various social network platforms with direct\r\nmessaging. And, both ours and previous reporting from others have documented TwoSail Junk’s less precise and\r\nbroad use of forum posts and replies. These forum posts direct individuals frequenting these sites to pages hosting\r\niframes served from their exploit servers. We add Telegram channels and Instagram posts to the list of\r\ncommunication channels abused by these attackers.\r\nThese sites and communication media are known to be frequented by some activist groups.\r\nFigure 3. 
LightSpy iPhone infection steps\r\nThe initial watering hole site (hxxps://appledaily.googlephoto[.]vip/news[.]html) on January 10, 2020 was\r\ndesigned to mimic a well-known Hong Kong-based newspaper “Apple Daily” by copy-pasting HTML content\r\nfrom the original:\r\nFigure 4. Source of HTML page mimicking newspaper “Apple Daily”\r\nHowever, at that time, we had not observed any indications of the site being purposely distributed in the wild.\r\nBased on our KSN detection statistics, we began seeing a massive distribution campaign beginning on February\r\n18, 2020.\r\nTable 2. LightSpy related iframe domains, URLs, and first seen timestamps\r\nStarting on February 18, the actors began utilizing a series of invisible iframes to redirect potential victims to the\r\nexploit site as well as the intended legitimate news site from the lure.\r\nFigure 5. Source of HTML page with lure and exploit\r\nInfrastructure\r\nRDP Clues\r\nThe domain used for the initial watering hole page (googlephoto[.]vip) was registered through GoDaddy on\r\nSeptember 24, 2019. No unmasked registration information could be obtained for this domain. The\r\nsubdomain (appledaily.googlephoto[.]vip) began resolving to a non-parked IP address (103.19.9[.]185) on January\r\n10, 2020 and has not moved since. The server is located in Singapore and is hosted by Beyotta Network, LLP.\r\nAt the time of our initial investigation, the server was listening on ports 80 (HTTP) and 3389 (RDP with SSL/TLS\r\nenabled). The certificate for the server was self-signed and created on December 16, 2019. Based on Shodan data\r\nas early as December 21, 2019, there was a currently logged-in user detected whose name was “SeinandColt”.\r\nFigure 6. 
Screenshot of RDP login page for the server 103.19.9[.]185\r\nAdmin Panel\r\nThe C2 server for the iOS payload (45.134.1[.]180) also appeared to have an admin panel on TCP port 50001.\r\nThe admin panel seems to be a Vue.js application bundled with Webpack. It contains two language packs: English\r\nand Chinese. A cursory analysis gives us an impression of the actual scale of the framework:\r\nIf we take a closer look at the index.js file for the panel, some interesting configurations are visible, including a\r\nuser config, an application list, a log list, and other interesting settings.\r\nThe “userConfig” variable indicates other possible platforms that may have been targeted by the same actors, such\r\nas Linux, Windows, and routers.\r\nAnother interesting setting is the “app_list” variable, which is commented out. This lists two common\r\napplications used for streaming and chat mostly in China (QQ and Miapoi). 
Looking further, we can also see that\r\nthe default map coordinates in the config point directly to the Tian’anmen Gate in Beijing; however, this is most likely\r\njust a common and symbolic mapping application default for the center of Beijing.\r\nAndroid implants and a pivot into “evora”\r\nDuring analysis of the infrastructure related to iOS implant distribution we also found a link directing to Android\r\nmalware – hxxp://app.hkrevolution[.]club/HKcalander[.]apk (MD5: 77ebb4207835c4f5c4d5dfe8ac4c764d).\r\nAccording to artefacts found in Google cache, this link was distributed through Telegram channels “winuxhk” and\r\n“brothersisterfacebookclub”, and Instagram posts in late November 2019 with a message lure in Chinese\r\ntranslated as “The Hong Kong People Calendar APP is online ~~~ Follow the latest Hong Kong Democracy and\r\nFreedom Movement. Click to download and support the frontline. Currently only Android version is available.”\r\nFurther technical analysis of the packed APK reveals the timestamp of its actual build – 2019-11-04 18:12:33.\r\nIt also uses a subdomain of one of the iOS implant distribution domains as its C2 server –\r\nhxxp://svr.hkrevolution[.]club:8002.\r\nIts code contains a link to another related domain:\r\nChecking this server, we found it hosted another related APK:\r\nMD5: fadff5b601f6fca588007660934129eb\r\nURL: hxxp://movie.poorgoddaay[.]com/MovieCal[.]apk\r\nC2: hxxp://app.poorgoddaay[.]com:8002\r\nBuild timestamp: 2019-07-25 21:57:47\r\nThe distribution vector remains the same – Telegram channels:\r\nThe latest observed APK sample is hosted on a server that is unusual for the campaign context – xxinc-media[.]oss-cn-shenzhen.aliyuncs[.]com. 
We assume that the actors are taking steps to split the iOS and Android\r\nactivities between different infrastructure pieces.\r\nMD5: 5d2b65790b305c186ef7590e5a1f2d6b\r\nURL: hxxps://xxinc-media.oss-cn-shenzhen.aliyuncs[.]com/calendar-release-1.0.1.apk\r\nC2: hxxp://45.134.0[.]123:8002\r\nBuild timestamp: 2020-01-14 18:30:30\r\nWe had not observed any indications of this URL being distributed in the wild yet.\r\nIf we take a closer look at the domain poorgoddaay[.]com, which not only hosted the malicious APK but also was a\r\nC2 for it, we can note that there are two subzones of particular interest to us:\r\nzg.poorgoddaay[.]com\r\nns1.poorgoddaay[.]com\r\nWe were able to work with partners to pivot into a handful of “evora” samples that use the above two subzones as\r\ntheir C2. Taking that a step further, using our Kaspersky Threat Attribution Engine (KTAE), we can see that the\r\npartner samples using those subzones are 99% similar to previous backdoors deployed by SpringDragon.\r\nWe are aware of other related and recent “evora” malware samples calling back to these same subnets while\r\ntargeting organizations in Hong Kong as well. These additional factors help lend at least low confidence to\r\nclustering this activity with SpringDragon/LotusBlossom/Billbug.\r\nConclusion\r\nThis particular framework and infrastructure is an interesting example of an agile approach to developing and\r\ndeploying a surveillance framework in Southeast Asia. 
This innovative approach is something we have seen before\r\nfrom SpringDragon, and LightSpy targeting geolocation at least falls within previous regional targeting of\r\nSpringDragon/LotusBlossom/Billbug APT, as does infrastructure and “evora” backdoor use.\r\nIndicators of Compromise\r\nFull Mobile Device Command List\r\nchange_config\r\nexe_cmd\r\nstop_cmd\r\nget_phoneinfo\r\nget_contacts\r\nget_call_history\r\nget_sms\r\ndelete_sms\r\nsend_sms\r\nget_wechat_account\r\nget_wechat_contacts\r\nget_wechat_group\r\nget_wechat_msg\r\nget_wechat_file\r\nget_location\r\nget_location_coninuing\r\nget_browser_history\r\nget_dir\r\nupload_file\r\ndownload_file\r\ndelete_file\r\nget_picture\r\nget_video\r\nget_audio\r\ncreate_dir\r\nrename_file\r\nmove_file\r\ncopy_file\r\nget_app\r\nget_process\r\nget_wifi_history\r\nget_wifi_nearby\r\ncall_record\r\ncall_photo\r\nget_qq_account\r\nget_qq_contacts\r\nget_qq_group\r\nget_qq_msg\r\nget_qq_file\r\nget_keychain\r\nscreenshot\r\nSource: https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/"
	],
	"report_names": [
		"96407"
	],
	"threat_actors": [
		{
			"id": "c4bc6ac9-d3e5-43f1-9adf-e77ac5386788",
			"created_at": "2022-10-25T15:50:23.722608Z",
			"updated_at": "2026-04-10T02:00:05.397432Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"Thrip"
			],
			"source_name": "MITRE:Thrip",
			"tools": [
				"PsExec",
				"Mimikatz",
				"Catchamas"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a0548d4e-edc2-40c1-a4e2-c1d6103012eb",
			"created_at": "2023-01-06T13:46:38.793461Z",
			"updated_at": "2026-04-10T02:00:03.102807Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"G0076",
				"ATK78"
			],
			"source_name": "MISPGALAXY:Thrip",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-10T02:00:03.804264Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-10T02:00:02.915184Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"Red Salamander",
				"Lotus BLossom",
				"Billbug",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"ATK1",
				"G0030",
				"Lotus Blossom",
				"DRAGONFISH"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3703894e-cf68-4c1e-a71a-e8fd2ef76747",
			"created_at": "2023-11-08T02:00:07.166789Z",
			"updated_at": "2026-04-10T02:00:03.432192Z",
			"deleted_at": null,
			"main_name": "TwoSail Junk",
			"aliases": [
				"Operation Poisoned News"
			],
			"source_name": "MISPGALAXY:TwoSail Junk",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "741d58a1-0fc0-41a8-9681-106a06c07e61",
			"created_at": "2022-10-25T16:07:23.983046Z",
			"updated_at": "2026-04-10T02:00:04.822372Z",
			"deleted_at": null,
			"main_name": "Operation Poisoned News",
			"aliases": [
				"Operation Poisoned News",
				"TwoSail Junk"
			],
			"source_name": "ETDA:Operation Poisoned News",
			"tools": [
				"dmsSpy",
				"lightSpy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434114,
	"ts_updated_at": 1775792081,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/33b1ffd3c339cdc6a31e744bab657607517c61af.pdf",
		"text": "https://archive.orkl.eu/33b1ffd3c339cdc6a31e744bab657607517c61af.txt",
		"img": "https://archive.orkl.eu/33b1ffd3c339cdc6a31e744bab657607517c61af.jpg"
	}
}