{
	"id": "7cf4b18d-d878-4f53-b0a2-8573c0e0617f",
	"created_at": "2026-04-06T00:16:52.572369Z",
	"updated_at": "2026-04-10T03:36:01.273741Z",
	"deleted_at": null,
	"sha1_hash": "41dc099583f2aebf46ad0960455294e1e03d04ec",
	"title": "4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3089308,
	"plain_text": "4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year\r\nMalware Campaign\r\nBy Tuval Admoni,,\r\nArchived: 2026-04-05 15:11:59 UTC\r\nKoi researchers have identified a threat actor we're calling ShadyPanda - responsible for a seven-year browser\r\nextension campaign that has infected 4.3 million Chrome and Edge users.\r\nOur investigation uncovered two active operations:\r\nA 300,000-user RCE backdoor: Five extensions, including the \"Featured\" and \"Verified\" Clean Master, were\r\nweaponized in mid-2024 after years of legitimate operation. These extensions now run hourly remote code\r\nexecution - downloading and executing arbitrary JavaScript with full browser access. They monitor every website\r\nvisit, exfiltrate encrypted browsing history, and collect complete browser fingerprints.\r\nA 4-million-user spyware operation: Five additional extensions from the same publisher, including WeTab with\r\n3 million installs alone, are actively collecting every URL visited, search query, and mouse click - transmitting\r\ndata to servers in China.\r\nSome of ShadyPanda's extensions were featured and verified by Google, granting instant trust and massive\r\ndistribution. For seven years, this actor learned how to weaponize browser marketplaces - building trust,\r\naccumulating users, and striking through silent updates.\r\nClean Master - the malware that was featured by Google\r\nPhase 1: The Wallpaper Hustle (145 Extensions)\r\nhttps://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign\r\nPage 1 of 14\n\nShadyPanda's first campaign was straightforward but massive, and took place during 2023. 145 extensions total\r\nacross both marketplaces - 20 on Chrome Web Store under publisher nuggetsno15, and 125 on Microsoft Edge\r\nunder publisher rocket Zhang. All disguised as wallpaper or productivity apps.\r\nThe attack was simple affiliate fraud. Every time a user clicked on eBay, Amazon, or Booking.com, ShadyPanda's\r\nextensions silently injected affiliate tracking codes. Hidden commissions on every purchase. The extensions also\r\ndeployed Google Analytics tracking to monetize browsing data - every website visit, search query, and click\r\npattern logged and sold.\r\nThis phase wasn't sophisticated, but it was successful, ShadyPanda learned three critical lessons:\r\nChrome's review process focused on initial submission, not ongoing behavior\r\nUsers trust extensions with high install counts and positive reviews\r\nPatience pays off - some extensions operated for months before detection. The longer you look legitimate,\r\nthe more damage you can do.\r\nPhase 2: Search Hijacking Evolution\r\nShadyPanda got bolder. The next wave, in early 2024, shifted from passive monetization to active browser control.\r\nThe Infinity V+ extension exemplifies this phase. Disguised as a new tab productivity tool, it hijacked core\r\nbrowser functionality:\r\nSearch redirection: Every web search was redirected through trovi.com - a known browser hijacker. Search\r\nqueries logged, monetized, and sold. Search results manipulated for profit.\r\nCookie exfiltration: Extensions read cookies from specific domains and send tracking data to\r\nnossl.dergoodting.com. Created unique identifiers to monitor browsing activity. All without consent or disclosure.\r\nhttps://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign\r\nPage 2 of 14\n\nCookie exfiltration\r\nSearch query harvesting: Every keystroke in the search box sent to external servers ( s-85283.gotocdn[.]com\r\nand s-82923.gotocdn[.]com ). Real-time profiling of user interests before you even hit enter. The extension\r\ncaptures partial queries, typos, corrections - building a detailed map of your thought process. All transmitted over\r\nunencrypted HTTP connections, making the data easy to intercept and monetize. Not just what you search for, but\r\nhow you think about searching for it.\r\nShadyPanda was learning and getting more aggressive. But they were still getting caught. Extensions were being\r\nreported and removed within weeks or months of deployment.\r\nThey needed a better strategy.\r\nPhase 3: The Long Game\r\nFive extensions. Three uploaded in 2018-2019 - including Clean Master with 200,000+ installs. All operated\r\nlegitimately for years, gaining Featured and Verified status.\r\nThe strategy: build trust, accumulate users, then weaponize via a single update.\r\nBefore weaponization, ShadyPanda deployed covert installation tracking to optimize distribution. Data-driven\r\nmalware development.\r\nhttps://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign\r\nPage 3 of 14\n\nMid 2024: After accumulating 300,000+ installs, ShadyPanda pushed the malicious update. Automatic infection\r\nvia Chrome and Edge's trusted auto-update mechanism. All five extensions now run identical malware.\r\nKoidex report on Speedtest Pro-Free\r\nRemote Code Execution: The Hourly Weapon\r\nEvery infected browser runs a remote code execution framework. Every hour, it checks api.extensionplay[.]com\r\nfor new instructions, downloads arbitrary JavaScript, and executes it with full browser API access.\r\nhttps://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign\r\nPage 4 of 14\n\nRemote code execution\r\nThis isn't malware with a fixed function. It's a backdoor. ShadyPanda decides what it does. Today it's surveillance,\r\ntomorrow it could be ransomware, credential theft, or corporate espionage. The update mechanism runs\r\nautomatically, hourly, forever.\r\nComplete Browser Surveillance\r\nThe current payload monitors every website visit and exfiltrates encrypted data to ShadyPanda's servers:\r\nhttps://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign\r\nPage 5 of 14\n\nWhat gets collected and exfiltrated:\r\nEvery URL visited with full browsing history\r\nHTTP referrers showing navigation patterns\r\nTimestamps for activity profiling\r\nPersistent UUID4 identifiers (stored in chrome.storage.sync, survives across devices)\r\nComplete browser fingerprints: user agent, language, platform, screen resolution, timezone\r\nAll data encrypted with AES before sending to api.cleanmasters.store\r\nEvasion \u0026 Attack Capabilities\r\nAnti-analysis: If a researcher opens developer tools, the malware detects it and switches to benign behavior. The\r\ncode uses heavy obfuscation with shortened variable names and executes through a 158KB JavaScript interpreter\r\nto bypass Content Security Policy.\r\nhttps://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign\r\nPage 6 of 14\n\nMan-in-the-Middle: Service worker can intercept and modify network traffic, replace legitimate JavaScript files\r\nwith malicious versions, enabling credential theft, session hijacking, and content injection into any website - even\r\nHTTPS connections.\r\nShadyPanda can update any of these capabilities hourly. Even though the extensions were recently removed from\r\nmarketplaces, the infrastructure for full-scale attacks remains deployed on all infected browsers.\r\nPhase 4: The Spyware Empire (5 Extensions, 4M+ Users)\r\nHowever, ShadyPanda's biggest operation wasn't Clean Master. The same publisher behind Clean Master in Edge\r\n- Starlab Technology - launched 5 additional extensions on Microsoft Edge around 2023, accumulating over 4\r\nmillion combined installs.\r\nAnd here's the problem: ALL 5 extensions are still live in the Microsoft Edge marketplace. Unlike Phase 3's\r\nremoved extensions, this 4-million-user surveillance operation is active right now.\r\nTwo of the five are comprehensive spyware. The flagship, WeTab 新标签页 (WeTab New Tab Page), has 3\r\nmillion installs alone and functions as a sophisticated surveillance platform disguised as a productivity tool.\r\nComprehensive Data Collection\r\nWeTab collects and exfiltrates extensive user data to 17 different domains (8 Baidu servers in China, 7 WeTab\r\nservers in China, and Google Analytics):\r\nhttps://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign\r\nPage 7 of 14\n\nWhat gets collected:\r\nEvery URL visited - complete browsing history transmitted in real-time\r\nAll search queries - keystroke-level monitoring of what users search for\r\nMouse click tracking with pixel-level precision - X/Y coordinates and element identification\r\nBrowser fingerprinting - screen resolution, language, timezone, user agent\r\nPage interaction data - time on page, scroll behavior, active viewing time\r\nStorage access - reads localStorage, sessionStorage, and can access all cookies\r\nPhase 4 dwarfs the Clean Master operation: 4 million infected users versus 300,000. The extensions remain live in\r\nMicrosoft Edge marketplace - the extension already has dangerous permissions including access to all URLs and\r\ncookies, users are downloading them right now. ShadyPanda can push updates at any time, weaponizing 4 million\r\nbrowsers with the same RCE backdoor framework from Phase 3, or something even worse. The infrastructure is in\r\nplace. The permissions are granted. The update mechanism works automatically.\r\nhttps://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign\r\nPage 8 of 14\n\nSeven Years of Exploitation\r\nShadyPanda's success isn't just about technical sophistication. It's about systematically exploiting the same\r\nvulnerability for seven years: Marketplaces review extensions at submission. They don't watch what happens after\r\napproval.\r\nWhat linked all these campaigns together: code signing similarities, overlapping infrastructure, identical\r\nobfuscation techniques evolving over time. Same actor. Different masks. Each phase learned from the last - from\r\ncrude affiliate fraud to patient five-year operations.\r\nThe auto-update mechanism - designed to keep users secure - became the attack vector. Chrome and Edge's\r\ntrusted update pipeline silently delivered malware to users. No phishing. No social engineering. Just trusted\r\nextensions with quiet version bumps that turned productivity tools into surveillance platforms.\r\nShadyPanda controls what happens next: session hijacking, credential harvesting, account takeover, supply chain\r\nattacks through compromised developers. For enterprises, infected developer workstations mean compromised\r\nrepositories and stolen API keys. Browser-based authentication to SaaS platforms, cloud consoles, and internal\r\ntools means every login is visible to ShadyPanda. Extensions bypass traditional security controls. ShadyPanda has\r\nbeen inside your network for over a year.\r\nThe systemic problem isn't just one malicious actor. It's that the security model incentivizes this behavior:\r\n1. Build something legitimate\r\n2. Pass review and gain trust signals (installs, reviews, verified badges)\r\n3. Collect large user base\r\n4. Weaponize via update\r\n5. Profit before detection\r\nShadyPanda proved this works. And now every sophisticated threat actor knows the playbook.\r\nFinal Thoughts\r\nOne patient threat actor and one lesson: Trust is the vulnerability.\r\nShadyPanda proved that marketplaces still review extensions the same way they did seven years ago - static\r\nanalysis at submission, trust after approval, no ongoing monitoring. Clean Master operated legitimately for five\r\nyears. Static analysis wouldn't catch this.\r\nThis writeup was authored by the research team at Koi Security.\r\nWe've built Koi for this moment. Behavioral analysis and risk scoring for everything your teams pull from\r\nmarketplaces. We watch what extensions do after installation, not what they claim to be.\r\nBook a demo to see how behavioral monitoring catches threats that evolve after approval.\r\nIOCS\r\nhttps://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign\r\nPage 9 of 14\n\nC\u0026C Domains:\r\nextensionplay[.]com\r\nyearnnewtab[.]com\r\napi.cgatgpt[.]net\r\nExfiltrations Domains:\r\ndergoodting[.]com\r\nyearnnewtab[.]com\r\ncleanmasters[.]store\r\ns-85283.gotocdn[.]com\r\ns-82923.gotocdn[.]com\r\nChrome Extensions:\r\neagiakjmjnblliacokhcalebgnhellfi\r\nibiejjpajlfljcgjndbonclhcbdcamai\r\nogjneoecnllmjcegcfpaamfpbiaaiekh\r\njbnopeoocgbmnochaadfnhiiimfpbpmf\r\ncdgonefipacceedbkflolomdegncceid\r\ngipnpcencdgljnaecpekokmpgnhgpela\r\nbpgaffohfacaamplbbojgbiicfgedmoi\r\nineempkjpmbdejmdgienaphomigjjiej\r\nnnnklgkfdfbdijeeglhjfleaoagiagig\r\nMljmfnkjmcdmongjnnnbbnajjdbojoci\r\nllkncpcdceadgibhbedecmkencokjajg\r\nnmfbniajnpceakchicdhfofoejhgjefb\r\nijcpbhmpbaafndchbjdjchogaogelnjl\r\nolaahjgjlhoehkpemnfognpgmkbedodk\r\ngnhgdhlkojnlgljamagoigaabdmfhfeg\r\ncihbmmokhmieaidfgamioabhhkggnehm\r\nlehjnmndiohfaphecnjhopgookigekdk\r\nhlcjkaoneihodfmonjnlnnfpdcopgfjk\r\nhmhifpbclhgklaaepgbabgcpfgidkoei\r\nlnlononncfdnhdfmgpkdfoibmfdehfoj\r\nnagbiboibhbjbclhcigklajjdefaiidc\r\nofkopmlicnffaiiabnmnaajaimmenkjn\r\nocffbdeldlbilgegmifiakciiicnoaeo\r\neaokmbopbenbmgegkmoiogmpejlaikea\r\nlhiehjmkpbhhkfapacaiheolgejcifgd\r\nondhgmkgppbdnogfiglikgpdkmkaiggk\r\nimdgpklnabbkghcbhmkbjbhcomnfdige\r\nhttps://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign\r\nPage 10 of 14\n\nEdge Add-ons:\r\nbpelnogcookhocnaokfpoeinibimbeff\r\nenkihkfondbngohnmlefmobdgkpmejha\r\nhajlmbnnniemimmaehcefkamdadpjlfa\r\naadnmeanpbokjjahcnikajejglihibpd\r\nipnidmjhnoipibbinllilgeohohehabl\r\nfnnigcfbmghcefaboigkhfimeolhhbcp\r\nnlcebdoehkdiojeahkofcfnolkleembf\r\nfhababnomjcnhmobbemagohkldaeicad\r\nnokknhlkpdfppefncfkdebhgfpfilieo\r\nljmcneongnlaecabgneiippeacdoimaa\r\nonifebiiejdjncjpjnojlebibonmnhog\r\ndbagndmcddecodlmnlcmhheicgkaglpk\r\nfmgfcpjmmapcjlknncjgmbolgaecngfo\r\nkgmlodoegkmpfkbepkfhgeldidodgohd\r\nhegpgapbnfiibpbkanjemgmdpmmlecbc\r\ngkanlgbbnncfafkhlchnadcopcgjkfli\r\noghgaghnofhhoolfneepjneedejcpiic\r\nfcidgbgogbfdcgijkcfdjcagmhcelpbc\r\nnnceocbiolncfljcmajijmeakcdlffnh\r\ndomfmjgbmkckapepjahpedlpdedmckbj\r\ncbkogccidanmoaicgphipbdofakomlak\r\nbmlifknbfonkgphkpmkeoahgbhbdhebh\r\nghaggkcfafofhcfppignflhlocmcfimd\r\nhfeialplaojonefabmojhobdmghnjkmf\r\nboiciofdokedkpmopjnghpkgdakmcpmb\r\nibfpbjfnpcgmiggfildbcngccoomddmj\r\nidjhfmgaddmdojcfmhcjnnbhnhbmhipd\r\njhgfinhjcamijjoikplacnfknpchndgb\r\ncgjgmbppcoolfkbkjhoogdpkboohhgel\r\nafooldonhjnhddgnfahlepchipjennab\r\nfkbcbgffcclobgbombinljckbelhnpif\r\nfpokgjmlcemklhmilomcljolhnbaaajk\r\nhadkldcldaanpomhhllacdmglkoepaed\r\niedkeilnpbkeecjpmkelnglnjpnacnlh\r\nhjfmkkelabjoojjmjljidocklbibphgl\r\ndhjmmcjnajkpnbnbpagglbbfpbacoffm\r\ncgehahdmoijenmnhinajnojmmlnipckl\r\nfjigdpmfeomndepihcinokhcphdojepm\r\nchmcepembfffejphepoongapnlchjgil\r\ngoogojfbnbhbbnpfpdnffnklipgifngn\r\nfodcokjckpkfpegbekkiallamhedahjd\r\nhttps://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign\r\nPage 11 of 14\n\nigiakpjhacibmaichhgbagdkjmjbnanl\r\nomkjakddaeljdfgekdjebbbiboljnalk\r\nllilhpmmhicmiaoancaafdgganakopfg\r\nnemkiffjklgaooligallbpmhdmmhepll\r\npapedehkgfhnagdiempdbhlgcnioofnd\r\nglfddenhiaacfmhoiebfeljnfkkkmbjb\r\npkjfghocapckmendmgdmppjccbplccbg\r\ngbcjipmcpedgndgdnfofbhgnkmghoamm\r\nncapkionddmdmfocnjfcfpnimepibggf\r\nklggeioacnkkpdcnapgcoicnblliidmf\r\nklgjbnheihgnmimajhohfcldhfpjnahe\r\nacogeoajdpgplfhidldckbjkkpgeebod\r\nekndlocgcngbpebppapnpalpjfnkoffh\r\nelckfehnjdbghpoheamjffpdbbogjhie\r\ndmpceopfiajfdnoiebfankfoabfehdpn\r\ngpolcigkhldaighngmmmcjldkkiaonbg\r\ndfakjobhimnibdmkbgpkijoihplhcnil\r\nhbghbdhfibifdgnbpaogepnkekonkdgc\r\nfppchnhginnfabgenhihpncnphhafmac\r\nghhddclfklljabeodmcejjjlhoaaiban\r\nbppelgkcnhfkicolffhlkbdghdnjdkhi\r\nikgaleggljchgbihlaanjbkekmmgccam\r\nbdhjinjoglaijpffoamhhnhooeimgoap\r\nfjioinpkgmlcioajfnncgldldcnabffe\r\nopncjjhgbllenobgbfjbblhghmdpmpbj\r\ncbijiaccpnkbdpgbmiiipedpepbhioel\r\nfbbmnieefocnacnecccgmedmcbhlkcpm\r\nhmbacpfgehmmoloinfmkgkpjoagiogai\r\npaghkadkhiladedijgodgghaajppmpcg\r\nbafbmfpfepdlgnfkgfbobplkkaoakjcl\r\nkcpkoopmfjhdpgjohcbgkbjpmbjmhgoi\r\njelgelidmodjpmohbapbghdgcpncahki\r\nlfgakdlafdenmaikccbojgcofkkhmolj\r\nhdfknlljfbdfjdjhfgoonpphpigjjjak\r\nkpfbijpdidioaomoecdbfaodhajbcjfl\r\nfckphkcbpgmappcgnfieaacjbknhkhin\r\nlhfdakoonenpbggbeephofdlflloghhi\r\nljjngehkphcdnnapgciajcdbcpgmpknc\r\nejfocpkjndmkbloiobcdhkkoeekcpkik\r\nccdimkoieijdbgdlkfjjfncmihmlpanj\r\nagdlpnhabjfcbeiempefhpgikapcapjb\r\nmddfnhdadbofiifdebeiegecchpkbgdb\r\nhttps://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign\r\nPage 12 of 14\n\nalknmfpopohfpdpafdmobclioihdkhjh\r\nhlglicejgohbanllnmnjllajhmnhjjel\r\niaccapfapbjahnhcmkgjjonlccbhdpjl\r\nehmnkbambjnodfbjcebjffilahbfjdml\r\nngbfciefgjgijkkmpalnmhikoojilkob\r\nlaholcgeblfbgdhkbiidbpiofdcbpeeo\r\nnjoedigapanaggiabjafnaklppphempm\r\nfomlombffdkflbliepgpgcnagolnegjn\r\njpoofbjomdefajdjcimmaoildecebkjc\r\nnhdiopbebcklbkpfnhipecgfhdhdbfhb\r\ngdnhikbabcflemolpeaaknnieodgpiie\r\nbbdioggpbhhodagchciaeaggdponnhpa\r\nikajognfijokhbgjdhgpemljgcjclpmn\r\nlmnjiioclbjphkggicmldippjojgmldk\r\nffgihbmcfcihmpbegcfdkmafaplheknk\r\nlgnjdldkappogbkljaiedgogobcgemch\r\nhiodlpcelfelhpinhgngoopbmclcaghd\r\nmnophppbmlnlfobakddidbcgcjakipin\r\njbajdpebknffiaenkdhopebkolgdlfaf\r\nejdihbblcbdfobabjfebfjfopenohbjb\r\nikkoanocgpdmmiamnkogipbpdpckcahn\r\nileojfedpkdbkcchpnghhaebfoimamop\r\nakialmafcdmkelghnomeneinkcllnoih\r\neholblediahnodlgigdkdhkkpmbiafoj\r\nipokalojgdmhfpagmhnjokidnpjfnfik\r\nhdpmmcmblgbkllldbccfdejchjlpochf\r\niphacjobmeoknlhenjfiilbkddgaljad\r\njiiggekklbbojgfmdenimcdkmidnfofl\r\ngkhggnaplpjkghjjcmpmnmidjndojpcn\r\nopakkgodhhongnhbdkgjgdlcbknacpaa\r\nnkjomoafjgemogbdkhledkoeaflnmgfi\r\nebileebbekdcpfjlekjapgmbgpfigled\r\noaacndacaoelmkhfilennooagoelpjop\r\nljkgnegaajfacghepjiajibgdpfmcfip\r\nhgolomhkdcpmbgckhebdhdknaemlbbaa\r\nbboeoilakaofjkdmekpgeigieokkpgfn\r\ndkkpollfhjoiapcenojlmgempmjekcla\r\nemiocjgakibimbopobplmfldkldhhiad\r\nnchdmembkfgkejljapneliogidkchiop\r\nlljplndkobdgkjilfmfiefpldkhkhbbd\r\nhofaaigdagglolgiefkbencchnekjejl\r\nhohobnhiiohgcipklpncfmjkjpmejjni\r\nhttps://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign\r\nPage 13 of 14\n\njocnjcakendmllafpmjailfnlndaaklf\r\nbjdclfjlhgcdcpjhmhfggkkfacipilai\r\nahebpkbnckhgjmndfjejibjjahjdlhdb\r\nenaigkcpmpohpbokbfllbkijmllmpafm\r\nbpngofombcjloljkoafhmpcjclkekfbh\r\ncacbflgkiidgcekflfgdnjdnaalfmkob\r\nibmgdfenfldppaodbahpgcoebmmkdbac\r\nSource: https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign\r\nhttps://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign\r\nPage 14 of 14",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign"
	],
	"report_names": [
		"4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign"
	],
	"threat_actors": [
		{
			"id": "2fc0f25d-a92d-4f36-bb88-aeccd320dbbf",
			"created_at": "2026-01-18T02:00:03.06809Z",
			"updated_at": "2026-04-10T02:00:03.90724Z",
			"deleted_at": null,
			"main_name": "ShadyPanda",
			"aliases": [],
			"source_name": "MISPGALAXY:ShadyPanda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434612,
	"ts_updated_at": 1775792161,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/41dc099583f2aebf46ad0960455294e1e03d04ec.pdf",
		"text": "https://archive.orkl.eu/41dc099583f2aebf46ad0960455294e1e03d04ec.txt",
		"img": "https://archive.orkl.eu/41dc099583f2aebf46ad0960455294e1e03d04ec.jpg"
	}
}