{
	"id": "d2a647a7-3275-45b6-b430-ef0efdbcf2a8",
	"created_at": "2026-04-06T00:09:24.882084Z",
	"updated_at": "2026-04-10T13:12:57.538765Z",
	"deleted_at": null,
	"sha1_hash": "41a6cf7f05291740126705a6a9f59683a5a8aac2",
	"title": "Remember Fancy Bear?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 329471,
	"plain_text": "Remember Fancy Bear?\r\nBy Jmetinfosec\r\nPublished: 2018-08-26 · Archived: 2026-04-02 12:18:35 UTC\r\nFancy Bear is a cyber-espionage group that has recently become a household name due to the highly publicized Democratic National Committee (DNC) hack in 2016.\r\nhttps://www.secjuice.com/fancy-bear-review/\r\n\r\nFancy Bear, not to be confused with Cozy Bear, is a cyber-espionage group that has recently become a household name due to the highly publicized Democratic National Committee (DNC) hack in 2016. The group, however, has been meddling in the affairs of other groups, businesses, and nations for more than a decade.\r\nWhat’s in a Name?\r\nThe group has several aliases, including APT28, Tsar Team, Pawn Storm, Sofacy Group, Sednit, IRON TWILIGHT, and STRONTIUM. The name Fancy Bear was given to the group by the private cybersecurity firm CrowdStrike and its co-founder Dmitri Alperovitch, based on a coding system he created to name hacking groups. The scheme assigns an animal according to the group’s country of origin: Russian groups are bears, Chinese groups are pandas, and Iranian groups are kittens [1]. CrowdStrike investigated the 2016 DNC breach at the DNC’s request and concluded that the intrusions were carried out by hackers working on behalf of Russia’s military intelligence agency, the GRU, hence the designation “Bear” [2]. The analyst who discovers a new group gives the first part of the nickname. The analyst who discovered this group chose “Fancy” because the string “Sofacy”, which is prominent in the group’s first-stage malware (the SOURFACE implant), reminded them of the Iggy Azalea song “Fancy” [1]. The names Pawn Storm and Sednit derive from the group’s 2014 Operation Pawn Storm, which used SEDNIT/Sofacy malware delivered through malicious Microsoft Office documents [3]. 
FireEye calls the group APT28, Advanced Persistent Threat 28, and Microsoft uses the code name STRONTIUM.\r\nFancy Bear uses methods consistent with the resources and abilities of a nation-state actor, including spear phishing, malware drop websites, and zero-day exploits. From 2011 to 2012 it used its namesake first-stage malware, called Sofacy or SOURFACE, before expanding to other backdoors and tools, including CORESHELL, SPLM (aka Xagent, aka CHOPSTICK), JHUHUGIT, AZZY (ADVSTORESHELL, NETUI, EVILTOSS), and OLDBAIT, as well as X-Tunnel, WinIDS, Foozer, and the DownRange dropper. The group has also dabbled in malware for Linux and mobile devices [4].\r\nSofacy\r\nSofacy or SOURFACE is a Trojan in the form of a .dll file. It is usually attached to a document and, once executed, attempts to reach four remote locations:\r\n[http://]scanmalware.info/ch[REMOVED]\r\n[http://]malwarecheck.info/ch[REMOVED]\r\n[http://]adawareblock.com/ch[REMOVED]\r\n[http://]checkmalware.org/ch[REMOVED]\r\nIt also gathers information about the computer, such as its name, operating system, and running processes. Depending on the vulnerabilities present in those processes and in the operating system, it then downloads exploits to gather more information or escalate privileges. Sofacy was in use from around 2011 to 2012.\r\nCORESHELL\r\nCORESHELL is an updated version of SOURFACE, produced once most endpoint protection products had added Sofacy to their definitions. CORESHELL uses the same delivery method: a .dll file attached to a document. It also includes code that is never executed, which analysts suspect is an attempt to evade endpoint security by mimicking legitimate machine instructions. 
It operates in much the same fashion as Sofacy, collecting machine information to send back to a C2 server, which runs it through an exploit database. It can obfuscate its strings using a custom stream cipher with 6- or 8-byte keys, and it can use HTTP, SMTP, or POP3 to reach the C2 server. It also persists by creating an autostart extensibility point (ASEP) entry under the Run registry key. This updated version of Sofacy was first seen in 2013.\r\nJHUHUGIT\r\nJHUHUGIT is a variant of the updated CORESHELL malware, modified to be delivered through an Adobe Flash zero-day exploit. It followed a series of exploit kits that the group retooled after Microsoft and Oracle fixed the Internet Explorer and Java vulnerabilities it had been using in 2014-2015.\r\nEVILTOSS\r\nEVILTOSS is one of the second-stage payloads downloaded by the Sofacy Trojan after it establishes a connection. It is used to keep access to the system for reconnaissance: it logs keystrokes and monitors the machine with a view to escalating privileges and executing code. It encrypts collected data with a public RSA key and sends it via SMTP.\r\nCHOPSTICK\r\nCHOPSTICK is another tool in the Sofacy toolset, complex and multi-purpose. It is more modular and flexible than the others and can be used for keylogging and for collecting information such as Microsoft Office files. It is designed to send messages back to its handling server over HTTP and can also relay information through email servers.\r\nOLDBAIT\r\nOLDBAIT is a credential harvester. It installs itself as %ALLUSERPROFILE%\\Application Data\\Microsoft\\MediaPlayer\\updatewindws.exe and steals credentials saved in browser software such as Mozilla Firefox and Internet Explorer. 
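The four Sofacy C2 hosts, the Run-key persistence used by CORESHELL and the OLDBAIT install path are the concrete indicators in this write-up that a defender can hunt for. The Python script below is an added example, not code from the original article or from any of the vendors it cites. It checks DNS and proxy log lines for the Sofacy hosts (matching subdomains but not look-alike names) and checks Run-key entries, in the (key, value name, value data) layout of an Autoruns-style export, for the OLDBAIT path. The log line formats and the tuple layout are assumptions, and the sample telemetry is constructed; the hosts and the path are the ones given above. The path comparison normalises case, whitespace and slash direction and matches on the directory tail only, because the %ALLUSERSPROFILE% prefix expands differently across Windows versions while the tail does not.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators taken from the article. The Sofacy URL paths were redacted there,
# so matching is done on the host only. The OLDBAIT path is matched on its
# directory tail because the %ALLUSERSPROFILE% prefix expands differently on
# each Windows version while the tail does not.
SOFACY_C2_HOSTS = ('scanmalware.info', 'malwarecheck.info',
                   'adawareblock.com', 'checkmalware.org')
OLDBAIT_PATH_TAIL = 'microsoft/mediaplayer/updatewindws.exe'

# Written via chr() so this sample stays free of escape sequences.
BACKSLASH, QUOTE = chr(92), chr(34)


@dataclass
class Hit:
    kind: str        # 'sofacy_c2' or 'oldbait_path'
    indicator: str   # which indicator fired
    context: str     # the log line or autorun entry that triggered it


def hostnames_in(line: str) -> List[str]:
    # Pull candidate hostnames out of a free-form DNS or proxy log line:
    # key=value fields (query=..., host=...), bare names and full URLs.
    hosts = []
    for tok in line.lower().split():
        tok = tok.strip(',;()[]<>')
        if '=' in tok:
            tok = tok.split('=', 1)[1]
        if '://' in tok:
            tok = urlsplit(tok).hostname or ''
        tok = tok.split('/', 1)[0].split(':', 1)[0].rstrip('.')
        # skip timestamps, IPv4 literals and single labels such as 'type=a'
        if '.' in tok and not tok.replace('.', '').isdigit():
            hosts.append(tok)
    return hosts


def match_c2_host(host: str) -> Optional[str]:
    # Exact or subdomain match; the leading dot stops 'notcheckmalware.org'
    # from matching 'checkmalware.org'.
    for c2 in SOFACY_C2_HOSTS:
        if host == c2 or host.endswith('.' + c2):
            return c2
    return None


def scan_network_logs(lines: Iterable[str]) -> List[Hit]:
    hits = []
    for line in lines:
        for host in hostnames_in(line):
            c2 = match_c2_host(host)
            if c2:
                hits.append(Hit('sofacy_c2', c2, line.strip()))
                break
    return hits


def normalise_path(value: str) -> str:
    # Lower-case, unify separators, drop quotes and whitespace so that
    # 'Application Data' vs 'ApplicationData' and either slash direction
    # compare equal, then cut any command-line arguments after the .exe.
    p = ''.join(value.lower().replace(BACKSLASH, '/').replace(QUOTE, '').split())
    end = p.find('.exe')
    return p[:end + 4] if end != -1 else p


def is_oldbait_path(value: str) -> bool:
    return normalise_path(value).endswith(OLDBAIT_PATH_TAIL)


def scan_autoruns(entries: Iterable[Tuple[str, str, str]]) -> List[Hit]:
    # entries: (registry key, value name, value data), the assumed shape of a
    # Run-key export from a tool such as Autoruns.
    return [Hit('oldbait_path', OLDBAIT_PATH_TAIL, f'{key} {name} = {data}')
            for key, name, data in entries if is_oldbait_path(data)]


# Constructed sample telemetry, not real logs.
SAMPLE_NETWORK_LOG = [
    '2014-10-21T09:14:03Z client=10.0.0.15 query=scanmalware.info. type=A',
    '2014-10-21T09:14:05Z client=10.0.0.15 query=updates.example.com. type=A',
    '2014-10-21T09:14:09Z client=10.0.0.15 GET http://MalwareCheck.info/ 200',
    '2014-10-21T09:15:40Z client=10.0.0.22 query=www.adawareblock.com. type=A',
    '2014-10-21T09:15:41Z client=10.0.0.22 query=notcheckmalware.org. type=A',
]
RUN_KEY = BACKSLASH.join(['HKLM', 'Software', 'Microsoft', 'Windows',
                          'CurrentVersion', 'Run'])
SAMPLE_AUTORUNS = [
    (RUN_KEY, 'updatewindws', BACKSLASH.join(
        ['%ALLUSERPROFILE%', 'Application Data', 'Microsoft', 'MediaPlayer',
         'updatewindws.exe'])),
    (RUN_KEY, 'OneDrive', QUOTE + BACKSLASH.join(
        ['C:', 'Users', 'alice', 'AppData', 'Local', 'Microsoft', 'OneDrive',
         'OneDrive.exe']) + QUOTE + ' /background'),
    (RUN_KEY, 'wmplayer', BACKSLASH.join(
        ['C:', 'Program Files', 'Windows Media Player', 'wmplayer.exe'])),
]

if __name__ == '__main__':
    for hit in scan_network_logs(SAMPLE_NETWORK_LOG) + scan_autoruns(SAMPLE_AUTORUNS):
        print(f'[{hit.kind}] {hit.indicator}: {hit.context}')
```

Run directly it prints the three C2 hits and the one Run-key hit from the constructed sample; in practice pass scan_network_logs a file iterator and scan_autoruns the parsed export, and extend SOFACY_C2_HOSTS only with hosts you have sourced yourself.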
OLDBAIT can use HTTP or email to send the stolen usernames and passwords back to its handling server.\r\nA Sleuth of Hacks\r\nFancy Bear has a long résumé of notable hacks, including the Windows zero-day (2016), the French television hack (2015), and the now infamous DNC hacks. It has targeted the aerospace, defense, energy, government, and media sectors, and favors a wide variety of targets: security-related organizations and their members such as NATO [4]; corporations such as Boeing, Lockheed Martin, and Raytheon; journalists and bloggers; politicians and political activists; and even private citizens, such as five United States military wives in 2015 [6]. The cybersecurity firm Secureworks found targets of the group in 116 different countries; between March 2015 and May 2016, however, most of the targets it identified were in the United States, Ukraine, Russia, Georgia, and Syria. The most common thread among the varied targets leads back to strategic Russian interests.\r\nThe Masked Unmasked?\r\nIn 2016, after CrowdStrike announced that the DNC hack had been carried out by Russian intelligence agencies, an online persona called Guccifer 2.0 took credit for the breach. Shortly after, Guccifer 2.0 developed a social media presence (WordPress and Twitter accounts) and started to leak the stolen emails and documents. 
Many experts, including CrowdStrike, doubted Guccifer 2.0’s claimed identity because of forensic analysis of the leaked documents (including tampering with and editing of the information they contained) and of the persona’s communications with members of the media.\r\nFrom October 2016 to January 2017, Guccifer 2.0’s social media posts started to show a better command of English; according to sources cited by the Daily Beast, this was because responsibility for the accounts had been handed to a more senior GRU officer with better English proficiency. The persona was further discredited when a Russian intelligence officer maintaining the Guccifer 2.0 social media accounts made the fatal error of failing to use a virtual private network to access the US-based social media platform. The IP address left in the service logs was located at GRU headquarters in Moscow [8].\r\nThis past year, Deputy Attorney General Rod Rosenstein announced that twelve Russian intelligence officers had been indicted by Special Counsel Robert Mueller for “conspiracy to commit an offense against the United States”, “aggravated identity theft”, and “conspiracy to launder money” in order to influence and meddle in the 2016 presidential campaign. The alleged hackers reportedly worked for GRU Units 26165 and 74455, the same Russian intelligence units the various cybersecurity firms had theorized about. The indictment outlines how the GRU units hacked the DNC’s and DCCC’s email accounts and computer networks and used spear phishing and malware to gather damaging information. The information was then disseminated through fabricated online personas, including DCLeaks and Guccifer 2.0. 
Robert Mueller, with access to classified intelligence reporting, evidently concluded that Guccifer 2.0 was at the very least an agent working for Russian intelligence, since the persona was made part of the formal accusation.\r\nConclusion\r\nFancy Bear is a cyber-espionage group that is highly sophisticated, organized, and thorough. Its tools are complex and custom made, and they have been used successfully to attack nation states. The group should be respected and not taken lightly, because it is a danger to its opposition. When faced with adversity it has proven able to adapt and overcome. Given its record of success, one should assume it is out there right now, working to undermine its enemies. Just because we know who they are doesn't mean they will stop.\r\nWorks Cited\r\n[1] V. Ward, \"The Russian Expat Leading the Fight to Protect America,\" Esquire, 24 10 2016. [Online]. Available: https://www.esquire.com/news-politics/a49902/the-russian-emigre-leading-the-fight-to-protect-america/. [Accessed 18 08 2018].\r\n[2] The American Journal of International Law, vol. 111, no. 2, pp. 483-504, 2017.\r\n[3] J. Gogolinski, \"Operation Pawn Storm: The Red in SEDNIT,\" Trend Micro, 22 10 2014.\r\n[4] D. Alperovitch, \"Bears in the Midst: Intrusion into the Democratic National Committee,\" CrowdStrike, 15 06 2016. [Online]. Available: https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/. [Accessed 24 08 2018].\r\n[5] GReAT, \"Sofacy APT hits high profile targets with updated toolset,\" SecureList, 04 12 2015. [Online]. Available: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/. [Accessed 24 08 2018].\r\n[6] J. Brown, \"Report: Russian Hackers Posed as ISIS to Attack U.S. Military Wives,\" Gizmodo, 08 05 2018. [Online]. Available: https://gizmodo.com/report-russian-hackers-posed-as-isis-to-attack-u-s-mi-1825855349. [Accessed 24 08 2018].\r\n[7] Secureworks Counter Threat Unit Threat Intelligence, \"IRON TWILIGHT Supports ‘Active Measures’,\" Secureworks, 30 03 2017. 
[Online]. Available: https://www.secureworks.com/research/iron-twilight-supports-active-measures. [Accessed 24 08 2018].\r\n[8] S. Gallagher, \"Ars Technica,\" 23 03 2018. [Online]. Available: https://arstechnica.com/tech-policy/2018/03/dnc-lone-hacker-guccifer-2-0-pegged-as-russian-spy-after-opsec-fail/. [Accessed 24 08 2018].\r\n[9] P. Muncaster, \"Infosecurity Magazine,\" 21 04 2015. [Online]. Available: https://www.infosecurity-magazine.com/news/apt28-back-russiandoll-attack/. [Accessed 24 08 2018].\r\n[10] M. Ostrowski and T. Pietrzyk, \"Security Case Study,\" 05 2015. [Online]. Available: https://www.securitycasestudy.pl/wp-content/uploads/2015/05/SCS14–MOstrowski.TPietrzyk.pdf. [Accessed 24 08 2018].\r\n[11] J. Vrijenhoek, \"Komplex Malware: The Return of Sofacy’s XAgent,\" Intego, 16 02 2017. [Online]. Available: https://www.intego.com/mac-security-blog/komplex-malware-the-return-of-sofacys-xagent/. [Accessed 24 08 2018].\r\n[12] United States District Court for the District of Columbia, \"Case 1:18-cr-00215-ABJ,\" U.S. Justice Department, 2018. [Online]. Available: https://www.justice.gov/file/1080281/download.\r\nThe artwork used to head this article is called 'Low Poly Bear' and it was created by Jeremiah Shaw.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.secjuice.com/fancy-bear-review/"
	],
	"report_names": [
		"fancy-bear-review"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434164,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/41a6cf7f05291740126705a6a9f59683a5a8aac2.pdf",
		"text": "https://archive.orkl.eu/41a6cf7f05291740126705a6a9f59683a5a8aac2.txt",
		"img": "https://archive.orkl.eu/41a6cf7f05291740126705a6a9f59683a5a8aac2.jpg"
	}
}