{
	"id": "82e8399f-4246-48de-9451-087b2c9cdb93",
	"created_at": "2026-04-06T00:14:53.59534Z",
	"updated_at": "2026-04-10T03:37:50.171368Z",
	"deleted_at": null,
	"sha1_hash": "43abc07ab069ee95944e022c3f83783a77f8a95c",
	"title": "No summer vacations for Zebrocy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 618427,
	"plain_text": "No summer vacations for Zebrocy\r\nBy ESET Research\r\nArchived: 2026-04-05 16:39:43 UTC\r\nWhile summer is usually synonymous with vacations, it seems that the Sednit group has been developing new\r\ncomponents to add to the Zebrocy malware family.\r\nThe Sednit group – also known as APT28, Fancy Bear, Sofacy or STRONTIUM – has been operating since at\r\nleast 2004 and has made headlines frequently in recent years.\r\nOn August 20th, 2019, a new campaign was launched by the group targeting their usual victims – embassies of,\r\nand Ministries of Foreign Affairs in, Eastern European and Central Asian countries.\r\nThis latest campaign started with a phishing email containing a malicious attachment that launches a long chain of\r\ndownloaders, ending with a backdoor. An example of such an email was uploaded to VirusTotal on August 22nd,\r\ntwo days after the mail was delivered. An overview of the attack vector was recently published by Telsy TRT.\r\nHowever, we have some further pieces of this puzzle that could help to draw a more complete picture of the\r\ncampaign.\r\nAs predicted by other fellow researchers, the Sednit group added a new development language in their toolset —\r\nmore precisely, for their downloader: the Nim language. However, their developers were also busy improving\r\ntheir Golang downloader, as well as rewriting their backdoor from Delphi into Golang.\r\nA complicated compromise\r\nFigure 1 depicts the different steps leading to a victim being compromised, from the malicious email initially\r\nreceived in the inbox to the backdoor deployed on targets deemed “interesting enough” by the operators.\r\nhttps://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/\r\nPage 1 of 13\n\nFigure 1. Chain of compromise overview\r\nWhen a victim is targeted by Zebrocy’s components, the chain is usually quite loud. 
Loud because, in this case,\r\nthe victim has at least six malicious components dropped on the computer before the final payload is executed.\r\nSuch activity can easily raise different types of flags for a security product.\r\nThe document attached to the phishing email is blank, but references a remote template, wordData.dotm, hosted on\r\nDropbox. Opening this document in Word causes it to download wordData.dotm, as seen in Figure 2, and to\r\nincorporate it into the associated document’s working environment, including any active content the template may\r\ncontain.\r\nFigure 2. Empty Word document downloading a remote template\r\nThe wordData.dotm file contains malicious macros that are then executed. (Depending on the Microsoft Word\r\nversion, VBA macros may be disabled by default; if so, user action is required to enable them.) It also contains\r\nan embedded ZIP archive that the macros drop and extract.\r\nAs shown in Figure 1, the macros in wordData.dotm open another document, lmss.doc, which was unpacked from\r\nthe archive extracted from wordData.dotm. Macros in lmss.doc execute lmss.exe (Zebrocy’s new Nim\r\ndownloader, also extracted from the archive embedded in wordData.dotm), rather than wordData.dotm executing\r\nthe downloader directly.\r\nHowever, it is important to notice that lmss.doc, which contains the VBA code that executes the new Nim downloader,\r\nalso embeds a base64-encoded executable. According to its Document Properties, lmss.doc was created in January\r\n2019 and modified on August 20th, a few hours before the campaign started.\r\nFigure 3. Creation and last modification dates of lmss.doc\r\nThe executable embedded in lmss.doc is an AutoIt downloader (SHA-1:\r\n6b300486d17d07a02365d32b673cd6638bd384f3) used in the past for a campaign performed around the creation\r\ntime of lmss.doc. 
Here, the AutoIt downloader is ignored and serves no purpose other than making the document\r\nbigger. The operator probably forgot to remove the previously embedded downloader – it would\r\nnot be the first time that Sednit operators have made mistakes.\r\nThe downloaders\r\nSednit operators have used several downloaders written in different languages. This campaign uses the most\r\nrecent addition to that list – a downloader written in the relatively new Nim language. It is a straightforward\r\ndownload-and-execute binary with two small details added. The first is probably an anti-sandbox trick: it\r\nchecks that the first letter of the executed file’s name (the letter l here, 0x6C in hex) has not changed, which\r\ndefeats sandboxes and analysts that rename a sample (for instance to its hash) before running it.\r\nFigure 4. Filename check\r\nThe second is a kind of obfuscation where the operator replaces placeholder letters in a string with the correct\r\nones at defined offsets. As seen in Figure 5, the downloader reconstructs the correct download URL string with\r\nthis method to avoid basic static analysis tools that could otherwise locate the URL string.\r\nFigure 5. Hex-Rays output of the strings deobfuscation\r\nFor example, the string o-ps-c..ll is “patched” at three offsets by s, v and d, respectively, to give ospsvc.dll. 
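As an added example (Python 3, written for this page; it is not ESET's code nor the downloader's own), the offset-patching scheme above can be reimplemented in a few lines, together with the reverse operation an analyst needs: given an obfuscated string dumped from the binary and its clear value observed at runtime, recover the patch list so it can be reused in a YARA rule or decoder. The DLL name o-ps-c..ll and its three patches are from the article; the URL is a placeholder on example.invalid, not the real download location, and the URL regex stands in for whatever a static string scanner would use.

```python
# Added example, not code from the ESET article or from the malware: reimplements
# the offset-patching string obfuscation used by the Zebrocy Nim downloader.
import re
from typing import Iterable, List, Tuple

Patch = Tuple[int, str]  # (offset, replacement character)

def patch_string(template: str, patches: Iterable[Patch]) -> str:
    """Replace placeholder characters at fixed offsets, as the downloader does at runtime."""
    buf = list(template)
    for offset, ch in patches:
        if len(ch) != 1:
            raise ValueError('each patch replaces exactly one character')
        if not 0 <= offset < len(buf):
            raise ValueError(f'offset {offset} outside template of length {len(buf)}')
        buf[offset] = ch
    return ''.join(buf)

def diff_patches(template: str, clear: str) -> List[Patch]:
    """Recover the patch list from an obfuscated/clear pair (e.g. a dump plus a runtime value).
    Patching never changes the length, so a length mismatch means the pair is wrong."""
    if len(template) != len(clear):
        raise ValueError('inputs differ in length; patching keeps the length fixed')
    return [(i, c) for i, (t, c) in enumerate(zip(template, clear)) if t != c]

# The kind of pattern a naive static string scanner applies (assumption for this example).
URL_RE = re.compile(r'https?://[\w./?=&%-]+')

def find_urls(s: str) -> List[str]:
    return URL_RE.findall(s)

# Constructed samples: the DLL template and its patches are from the article;
# the URL is a placeholder (example.invalid), not the real one.
DLL_TEMPLATE = 'o-ps-c..ll'
DLL_PATCHES = [(1, 's'), (4, 'v'), (7, 'd')]
URL_TEMPLATE = 'h@@p://example.invalid/ospsvc.dll'
URL_PATCHES = [(1, 't'), (2, 't')]

def demo() -> dict:
    """Show the clear strings, why a static scan of the binary misses the URL, and the recovered patches."""
    url = patch_string(URL_TEMPLATE, URL_PATCHES)
    return {
        'dll': patch_string(DLL_TEMPLATE, DLL_PATCHES),
        'url': url,
        'static_scan_hits': find_urls(URL_TEMPLATE),   # placeholder form: no hit
        'runtime_scan_hits': find_urls(url),           # patched form: hit
        'recovered': diff_patches(DLL_TEMPLATE, 'ospsvc.dll'),
    }

if __name__ == '__main__':
    for name, value in demo().items():
        print(f'{name}: {value}')
```

The practical consequence for detection is the static_scan_hits entry: a scanner run over the binary sees only h@@p:// and o-ps-c..ll, so signatures should key on the placeholder forms (or on the patch loop itself) rather than on the clear URL or DLL name.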
In the\r\ncase of the URL, since the beginning of the string in the downloader is h@@p://, tools looking for http:// won’t\r\ncatch it.\r\nThe Nim downloader fetches its dynamic-link library (DLL) payload, named ospsvc.dll, to\r\nC:\\ProgramData\\Java\\Oracle\\, and executes it via regsvr32 /s (regsvr32 loads the DLL and calls its\r\nDllRegisterServer export; the /s switch suppresses its dialog boxes).\r\nospsvc.dll is a downloader written in Golang, and different from other Sednit downloaders seen in the past.\r\nSednit’s previous Golang downloaders have been described in detail by other researchers [1][2][3] and it seems\r\nthat Sednit’s developers have rewritten their previous Delphi downloader in Golang. Those earlier downloaders\r\ngather a lot of information about the victim computer and send it to their C\u0026C server. However, this new one is\r\nquite light in terms of its data-gathering capabilities, as described below.\r\nIts main_init() function initializes the Go packages the binary imports; their names (Figure 6) are self-explanatory\r\n(see this article for more information).\r\nFigure 6. Hex-Rays output of initialized functions in the main_init() using the IDAGolangHelper plugin\r\nSince the DLL is launched through regsvr32 by the Nim downloader, the code of interest is in main_DllRegisterServer()\r\nrather than main_main(). The strings and the key are stacked (assembled on the stack at runtime) and can be decrypted\r\nusing a simple XOR loop. This simple encryption is quite effective against tools that statically extract stacked strings\r\nfrom binaries.\r\nFigure 7. 
IDA Pro output of encrypted stacked strings\r\nAside from downloading the next stage of the malware, the main functions of this downloader are taking screenshots\r\nof the victim’s desktop and executing commands received from the C\u0026C server.\r\nScreenshots are taken every 35 seconds during the first few minutes of this downloader’s execution, and are then\r\nsent to the C\u0026C server in base64-encoded form. The hostname and the %USERPROFILE% value are also\r\nsent to the C\u0026C server encoded in base64. The reply from the C\u0026C server is also straightforward: it is a\r\nconcatenation of base64-encoded fields, separated by “|”:\r\n\u003cspaces\u003e|\u003ccmd to execute\u003e|\u003cname of the binary to drop\u003e|\u003cbinary to drop\u003e\r\nAccording to our telemetry, this downloader has been used to execute three different pieces of malware. The first\r\none is the dumper that we described in our previous Zebrocy article. The second one is the usual Delphi backdoor\r\n– launched via the same regsvr32 command used by the Nim downloader. The third one we saw is a new\r\nbackdoor downloaded and executed on the victim’s machine, as described in the next section.\r\nThe new backdoor\r\nAnalysis\r\nThe new Zebrocy backdoor is not written in Delphi as we are used to, but in Golang. To the best of our\r\nknowledge, this is the first time this backdoor has been seen, but it shares a lot of similarities with the Delphi one.\r\nBy looking again at the main_init() function’s library initialization code (Figure 8) we can see new entries. An\r\nAES algorithm, hex encoding, and screenshot capabilities are the main entries that were added.\r\nFigure 8. 
Diff between the backdoor and the downloader functions initialized in the main_init()\r\nNotice that image_png_init replaces image_jpeg_init for taking screenshots. Images in JPG format are usually\r\nsmaller than PNG images.\r\nThe backdoor is started with an argument that is a hex-encoded string. All but the last six hex characters of this string\r\nare XOR-encrypted with the key stored in those last six characters (a three-byte key once hex-decoded). The following\r\nPython 3 snippet describes the decryption logic, with arg holding the launch argument:\r\nfrom itertools import cycle\r\nkey = bytes.fromhex(arg[-6:])  # last 6 hex chars = 3-byte XOR key\r\nenc = bytes.fromhex(arg[:-6])  # everything before them is the ciphertext\r\nplain = bytes(i ^ j for i, j in zip(enc, cycle(key)))  # repeating-key XOR\r\nThe result is the address of the C\u0026C server, which is later encrypted and stored on disk. That encryption is done using\r\nAES-128 in ECB mode with a key derived from the hostname. Hence, the C\u0026C server cannot be obtained just by looking at the\r\nbinary: it has to be recovered from the launch argument or from the host it was stored on. There is no persistence set up by\r\nthe downloaders, as we have seen in the past, nor does the backdoor have any persistence mechanism of its own.\r\nThis new backdoor has various capabilities that were also previously seen in Zebrocy’s Delphi backdoor:\r\nfile manipulation such as creation, modification, and deletion\r\nscreenshot capabilities\r\ndrive enumeration\r\ncommand execution (via cmd.exe)\r\nscheduling a task under the name Windows\\Software\\OSDebug (which the operators could use to\r\nset persistence manually)\r\nAs in the Delphi backdoor, there is a very limited set of commands – but the ability to execute arbitrary commands\r\nvia cmd.exe extends the possibilities to persistence or information gathering. Another similarity is a three-part version\r\nnumber (in the format x.y.z); the current major version is 4.y.z.\r\nNetwork\r\nThe network protocol shares some similarities with the Delphi version of the backdoor. The first interaction with\r\nthe C\u0026C server retrieves an AES key used to encrypt future communications (the original wording, “AES 32-bit key”, is not\r\na valid AES key size; 32 bytes, i.e. AES-256, is the likely meaning). 
The packet capture of that first\r\nrequest looks like this:\r\nPOST [REDACTED URI] HTTP/1.1\r\nHost: [REDACTED IP]\r\nUser-Agent: Go-http-client/1.1\r\nContent-Length: 297\r\nContent-Type: multipart/form-data; boundary=b116f1e0a94eff1bb406531e74bb0feba65687cf90ec8a64fc409f230fbd\r\nAccept-Encoding: gzip\r\n--b116f1e0a94eff1bb406531e74bb0feba65687cf90ec8a64fc409f230fbd\r\nContent-Disposition: form-data; name=\"filename\"; filename=\"[REDACTED]\"\r\nContent-Type: application/octet-stream\r\n1\r\n--b116f1e0a94eff1bb406531e74bb0feba65687cf90ec8a64fc409f230fbd--\r\nThose with experience with Sednit might find the Content-Disposition and boundary keywords familiar.\r\nThey were previously used by the Delphi backdoor in its network protocol, which also uses the AES algorithm to\r\nencrypt the pseudo body (the content after the part’s Content-Type line). Notice that although Content-Disposition and the\r\nsecond instance of Content-Type look like HTTP headers, they sit inside the HTTP message body as the headers of a\r\nmultipart form part, so the request mimics an ordinary file upload. Note also the User-Agent, Go-http-client/1.1, which is\r\nthe default of Go’s net/http client and is left unchanged by the backdoor. 
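As an added example (Python 3, written for this page; it is not ESET's code nor the backdoor's), the following decoder handles both places where this backdoor hides data behind a hex string with the XOR key appended to it: the filename field of a request like the one above (14 trailing hex characters, i.e. a 7-byte key) and the launch argument described in the Analysis section (6 trailing hex characters, a 3-byte key). It also pulls the filename field and the pseudo body out of a multipart-shaped request body and splits the decoded filename into the username, SID, timestamp and random fields. The clear filename value is the one reported in the article; the 7-byte key, the boundary, the sample request body and the placeholder C&C address are constructed for the example.

```python
# Added example, not code from the ESET article or from the malware: decodes the
# filename field of a Zebrocy Golang backdoor C&C request and the backdoor's
# launch argument. Both are hex strings whose last hex digits are the XOR key.
import re
from itertools import cycle
from typing import Dict, Tuple

def xor_cycle(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same loop encrypts and decrypts."""
    if not key:
        raise ValueError('empty key')
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def decode_trailing_key(hexstr: str, key_hex_len: int) -> bytes:
    """Decode a hex string whose last key_hex_len hex digits are the XOR key.
    Launch argument: key_hex_len=6 (3-byte key). Filename field: key_hex_len=14 (7-byte key)."""
    hexstr = hexstr.strip()
    if key_hex_len % 2 or len(hexstr) % 2 or len(hexstr) <= key_hex_len:
        raise ValueError('malformed hex input')
    key = bytes.fromhex(hexstr[-key_hex_len:])
    return xor_cycle(bytes.fromhex(hexstr[:-key_hex_len]), key)

def encode_trailing_key(plain: bytes, key: bytes) -> str:
    """Inverse of decode_trailing_key; used here only to build constructed samples."""
    return (xor_cycle(plain, key) + key).hex().upper()

def parse_filename(decoded: str) -> Dict[str, str]:
    """Split the decoded filename into the fields the article lists:
    14 hex chars of username, 6 SID characters, 14-digit timestamp, remainder."""
    if len(decoded) < 34:
        raise ValueError('decoded filename too short')
    return {
        'username': bytes.fromhex(decoded[:14]).decode('ascii', 'replace'),
        'sid_bytes': decoded[14:20],
        'date': decoded[20:34],
        'random': decoded[34:],
    }

FILENAME_RE = re.compile(rb';\s*filename="([^"]+)"')

def split_multipart(body: bytes) -> Tuple[str, bytes]:
    """Return (filename field, part payload) from a single-part body shaped like the capture."""
    first_line = body.split(b'\r\n', 1)[0]
    if not first_line.startswith(b'--'):
        raise ValueError('body does not start with a boundary')
    boundary = first_line[2:]
    m = FILENAME_RE.search(body)
    if m is None:
        raise ValueError('no filename field in the part headers')
    _, sep, rest = body.partition(b'\r\n\r\n')
    if not sep:
        raise ValueError('no blank line between part headers and payload')
    payload = rest.split(b'\r\n--' + boundary + b'--', 1)[0]
    return m.group(1).decode('ascii'), payload

def decode_request(body: bytes) -> dict:
    """Decode one captured request body into its victim-identifying fields plus the pseudo body."""
    field, payload = split_multipart(body)
    info: dict = parse_filename(decode_trailing_key(field, 14).decode('ascii'))
    info['payload'] = payload
    return info

# Constructed sample: the clear value is the one ESET shows; key and boundary are made up.
SAMPLE_KEY = bytes.fromhex('0badc0ffee4242')
SAMPLE_CLEAR = b'757365722D504318162020190821151055207C.inc'
SAMPLE_BOUNDARY = b'deadbeefcafe0123'

def build_sample_request_body() -> bytes:
    """Build a request body in the shape of the capture, with an encrypted filename field."""
    enc = encode_trailing_key(SAMPLE_CLEAR, SAMPLE_KEY).encode('ascii')
    return (b'--' + SAMPLE_BOUNDARY + b'\r\n'
            b'Content-Disposition: form-data; name="filename"; filename="' + enc + b'"\r\n'
            b'Content-Type: application/octet-stream\r\n'
            b'\r\n'
            b'1\r\n'
            b'--' + SAMPLE_BOUNDARY + b'--\r\n')

if __name__ == '__main__':
    print(decode_request(build_sample_request_body()))
    # Launch argument: same scheme with a 3-byte key; 192.0.2.10 is a placeholder address.
    print(decode_trailing_key(encode_trailing_key(b'192.0.2.10', b'\x01\x02\x03'), 6))
```

Because the key travels inside the field it protects, anyone holding a capture can decode the victim's username, SID fragment and beacon timestamp without any other secret; the XOR layer only hides them from a casual look at the traffic.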
The\r\nboundary field is randomized for every exchange and the filename field inside the pseudo Content-Disposition\r\nheader can be decrypted with the following snippet of Python 3, where filename holds the hex string from the capture:\r\nfrom itertools import cycle\r\nlen_key = 14  # last 14 hex chars = 7-byte XOR key\r\nxor_key = bytes.fromhex(filename[-len_key:])\r\nenc = bytes.fromhex(filename[:-len_key])\r\nval_filename = bytes(i ^ j for i, j in zip(enc, cycle(xor_key))).decode()\r\nrandom_part = val_filename.rsplit('.', 1)[0][-4:]  # the four characters before the .inc suffix\r\nwhich results in the following string:\r\n757365722D504318162020190821151055207C.inc\r\nThat string can be further understood thus:\r\nUsername: 757365722D5043 (the hex encoding of user-PC)\r\nSID*: 181620\r\nDate: 20190821151055\r\nRandom: 207C.inc\r\n* These 6 characters come from the current user’s Security Identifier (SID), S-1-5-\r\n21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1000\r\nFurther interactions with the C\u0026C server follow this pattern, except that the pseudo body, which is 1 in the\r\nexample above, is replaced by the output of the command requested by the C\u0026C server. The full message body is\r\nalso encrypted, using the same AES algorithm used previously, with the key provided in the first exchange.\r\nConclusion\r\nNew downloaders, new backdoor – the Sednit group has been active and is not letting its components get too\r\nold. New? Not really. On closer inspection, it seems that the Sednit group is porting the original code to, or\r\nreimplementing it in, other languages in the hope of evading detection. It is probably easier that way, and it means\r\nthey do not need to change their entire TTPs. 
The initial compromise vector stays unchanged, but using a service\r\nlike Dropbox to download a remote template is unusual for the group.\r\nESET recommends being attentive when users are opening attachments from suspicious emails.\r\nWe will continue to monitor new activities from the Sednit group and will publish relevant information on our\r\nblog. For any inquiries, contact us at threatintel@eset.com.\r\nIndicators of Compromise (IoCs)\r\nHashes (SHA-1) | Filenames | ESET detection names\r\nc613fcccb380f7e3ce157c4f620efca503c1bad3 | (eml file) | DOC/TrojanDownloader.Agent.AMY\r\n6f281b30d8d6a9bc1dbe2fe73995aac382c4a543 | 612243236.docx | DOC/TrojanDownloader.Agent.AMY\r\nf3f945fb22916f82cb7407cde2a80a68cd83b074 | wordData.dotm | VBA/TrojanDropper.Agent.AIP\r\na56af5b44624e8ada60057fd7f39af5b3de10724 | lmss.zip | Win32/TrojanDownloader.Sednit.BK\r\nb8ac400e1deb6e90fa4e2adb150c511c98bafc6e | lmss.doc | VBA/TrojanDropper.Agent.AIQ\r\nf0793e02180f3ccf48e41bd67ec1161d93f07e01 | lmss.exe | Win32/TrojanDownloader.Sednit.BK\r\n04303024ff453f918925d7160abbd199f137a442 | ospsvc.dll | Win32/Sednit.DI\r\nc96db85ece2b57a9e82ba36b5f31ca9d2051a6f0 | osppsvc.exe | Win32/Sednit.DJ\r\nNetwork\r\nhttps://www.dropbox[.]com/s/foughx315flj51u/wordData.dotm?dl=1\r\n185.221.202[.]35\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Description\r\nInitial Access | T1193 | Spearphishing Attachment | Zebrocy uses spearphishing emails with an attachment as its method of compromise.\r\nExecution | T1059 | Command-Line Interface | The Golang backdoor uses cmd.exe to execute commands.\r\nExecution | T1117 | Regsvr32 | The Nim downloader uses regsvr32.exe to launch the Golang downloader.\r\nExecution | T1053 | Scheduled Task | The Golang backdoor can create a pre-defined scheduled task.\r\nExecution | T1064 | Scripting | The remote template contains VBA used to execute the next stage of the malware.\r\nExecution | T1204 | User Execution | Zebrocy attempts to get users to click on Microsoft Office attachments containing malicious macro scripts.\r\nPersistence | T1053 | Scheduled Task | The Golang backdoor can create a pre-defined scheduled task.\r\nPrivilege Escalation | T1053 | Scheduled Task | The Golang backdoor can create a pre-defined scheduled task.\r\nDefense Evasion | T1107 | File Deletion | The Golang backdoor can delete files.\r\nDefense Evasion | T1117 | Regsvr32 | The Nim downloader uses regsvr32.exe to launch the Golang downloader.\r\nDefense Evasion | T1064 | Scripting | The remote template contains VBA used to execute the next stage of the malware.\r\nDiscovery | T1083 | File and Directory Discovery | The Golang backdoor can list drives.\r\nCollection | T1113 | Screen Capture | The Golang downloader and the Golang backdoor take screenshots of the victim’s desktop.\r\nCommand and Control | T1043 | Commonly Used Port | All components use port 80 to communicate with the C\u0026C server.\r\nCommand and Control | T1024 | Custom Cryptographic Protocol | The Golang backdoor uses an XOR loop for its communications.\r\nCommand and Control | T1132 | Data Encoding | The Golang backdoor base64-encodes the data before encrypting it.\r\nCommand and Control | T1071 | Standard Application Layer Protocol | HTTP is used for C\u0026C communications.\r\nCommand and Control | T1032 | Standard Cryptographic Protocol | The Golang backdoor encrypts communications with the C\u0026C server with AES ECB.\r\nExfiltration | T1022 | Data Encrypted | The Golang backdoor encrypts the data with AES ECB before sending it to the C\u0026C server.\r\nExfiltration | T1041 | Exfiltration Over Command and Control Channel | The Golang backdoor exfiltrates data to its C\u0026C server.\r\nReferences:\r\n[1] https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/\r\n[2] https://securelist.com/a-zebrocy-go-downloader/89419/\r\n[3] 
https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html\r\nSource: https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/"
	],
	"report_names": [
		"no-summer-vacations-zebrocy"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434493,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/43abc07ab069ee95944e022c3f83783a77f8a95c.pdf",
		"text": "https://archive.orkl.eu/43abc07ab069ee95944e022c3f83783a77f8a95c.txt",
		"img": "https://archive.orkl.eu/43abc07ab069ee95944e022c3f83783a77f8a95c.jpg"
	}
}