{
	"id": "a20146f2-4790-4f9f-8b72-a7ed90bc8f06",
	"created_at": "2026-04-06T00:09:13.514208Z",
	"updated_at": "2026-04-10T03:37:04.516905Z",
	"deleted_at": null,
	"sha1_hash": "4830359a8b776bdcd9c79356025fa94b523b6ac8",
	"title": "Primitive Bear (Gamaredon) Targets Ukraine with Timely Themes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3078833,
	"plain_text": "Primitive Bear (Gamaredon) Targets Ukraine with Timely Themes\r\nBy Anomali Threat Research\r\nPublished: 2026-03-12 · Archived: 2026-04-05 15:35:24 UTC\r\nAnomali Threat Research details Primitive Bear (Gamaredon) targeting Ukrainian officials with timely-themed\r\nmalicious .docx files and remote templates in a Russia-sponsored campaign\r\nhttps://www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes\r\nKey Findings\r\nAnomali Threat Research discovered a campaign targeting Ukrainian government officials with malicious\r\nfiles that could be repurposed to target government officials of other countries.\r\nWe assess with high confidence that this activity was conducted by Russia-sponsored cyberespionage\r\ngroup Primitive Bear (Gamaredon).\r\nPrimitive Bear was observed distributing .docx files that attempted to download a .dot file via remote\r\ntemplates.\r\nThe campaign appears to have taken place from January through at least late March 2021, and used decoy\r\ndocuments themed around current events. These documents also showed that Primitive Bear likely used\r\nunauthorized access or illicit purchase of private documents prior to their publication.\r\nThe final objective of this campaign remains unclear because the remote template domains were down at\r\nthe time of discovery.\r\nOverview\r\nAnomali Threat Research identified malicious samples that align with the Russia-sponsored cyberespionage group\r\nPrimitive Bear’s (Gamaredon, Winterflounder) tactics, techniques, and procedures (TTPs).[1] The group was\r\ndistributing .docx files that attempted to download .dot files from remote templates. The final objective of this\r\ncampaign remains unclear as the remote template domains were down at the time of discovery. 
We observed\r\nPrimitive Bear activity in late 2019, and again in April 2020, during which time they used similar TTPs and\r\nUkrainian government-themed decoys.[2] In those campaigns, Primitive Bear’s decoys loaded a remote template\r\nto drop a .dot file that would determine if the compromised machine was worthy of a second-stage payload.[3]\r\nPrimitive Bear, known primarily to focus on Ukraine, has been very active in 2021. However, the themes of the\r\nsamples we found, as well as those shared by the security community, could also be used to target multiple former\r\nUnion of Soviet Socialist Republics (USSR) countries.\r\nDetails\r\nAnomali Threat Research found malicious .docx files being distributed by Primitive Bear, likely through\r\nspearphishing, that attempted to download remote template .dot files through template injection. Most of the .docx\r\ndecoy files were written in Ukrainian, with a minority written in Russian, and they contained content discussing\r\nmultiple Ukrainian government agencies, institutions, and public entities, as well as Russian intelligence agencies\r\nin the context of occupied Crimea. Primitive Bear was using specific names of individuals and entities in their\r\nfiles, relevant to the January through mid-March 2021 timeframe, to make their malicious files appear more\r\nlegitimate. This highlights the group’s use of authentic events to craft phishing themes that are more likely to be\r\neffective.\r\nFigure 1 – Observed Infection Chain\r\nTechnical Analysis\r\nThe .docx files distributed by Primitive Bear used template injection to reference a remote domain that hosted a .dot\r\n(Word template) file. In Figure 2, the template injection can be seen with the TargetMode set to “External,”\r\nindicating the file was reaching out to a remote location. 
If the connection was made, the .dot file was\r\nsubsequently downloaded.\r\nFigure 2 – автореферат Тертична last 8.2.docx Remote Template Domain Information\r\nThe final objective of this campaign remains unclear because the remote template domains were down at the time\r\nof discovery, and we encourage the security community to share details if it is discovered.\r\nDecoy Analysis\r\nAnalyzed File – автореферат Тертична last 8.2.docx\r\nTranslated File Name – Tertychna Abstract last 8.2.docx\r\nSHA-256 – 9b6d89ad4e35ffca32c4f44b75c9cc5dd080fd4ce00a117999c9ad8e231d4418\r\nFigure 3 – автореферат Тертична last 8.2.docx (Translated from Ukrainian: Tertychna Abstract last 8.2.docx)\r\nFigure 4 – Tertychna Abstract last 8.2.docx (Translated from Ukrainian)\r\nTertychna Abstract last 8.2.docx, shown above in Figures 3 and 4, is a 26-page abstract of a Ukrainian\r\ndissertation discussing modern relations between Ukraine and Bulgaria. Most of the document is in Ukrainian;\r\nhowever, the last two and one-half pages have English summaries. 
Tertychna Abstract last 8.2.docx appears to\r\nbe a shortened version of another Primitive Bear file called дисертація 8.02.21.docx (from Ukrainian:\r\nDissertation 8.02.21.docx), which was also mentioned by the security community, shown in Figures 5 and 6\r\nbelow.[4]\r\nFigure 5 – дисертація 8.02.21.docx (Translated from Ukrainian: Dissertation 8.02.21.docx)\r\nFigure 6 – Dissertation 8.02.21.docx (Translated from Ukrainian, Page 1/282)\r\nThese two documents (автореферат Тертична last 8.2.docx and дисертація 8.02.21.docx) appear to be\r\nlegitimate documents that were weaponized by Primitive Bear for template injection. The group likely procured\r\nthem through illicit purchase or previous compromise. We found the full document was published by its author,\r\nAnna, on the literature repository site, chtyvo.org[.]ua.[5] The file was uploaded to the site on March 7, 2021, but\r\nboth of the analyzed file names suggested a date of February 8, 2021 (8.2.docx) or called it out explicitly. This\r\nindicates that Primitive Bear has used access to private Ukrainian documents, weaponized them, and distributed\r\nthem prior to the authorized publication of said documents.\r\nIn hindsight, the decision for Primitive Bear to use a Ukrainian and Bulgarian-themed dissertation comes at an\r\ninteresting time for Russian and Bulgarian relations. 
This is because the Bulgarian government arrested six of its\r\nown members, who were charged with spying for the Russian government, on March 19, 2021, according to the\r\nBulgarian prosecutors’ statement.[6] However, Russia is known for combining cyber and real-world operations,\r\nand has used this hybrid warfare against Georgia in 2008 and against Ukraine since at least the 2014 annexation of\r\nCrimea.[7] Therefore, it is plausible that Primitive Bear was using Bulgaria-themed decoys\r\nbefore the media knew of the events, thus making the information more relevant to Ukrainian officials who knew\r\nwhat was transpiring.\r\nAnalyzed File – ДОПОВІДНА ЗАПСКА.docx\r\nTranslated File Name – REPORT NOTE.docx\r\nSHA-256 – 63da0b2abb744a5c92c3a1fff2c3e5940f5c969890f3f16fd8dca0a1363da494\r\nFigure 7 – ДОПОВІДНА ЗАПСКА.docx (from Ukrainian: REPORT NOTE.docx)\r\nFigure 8 – REPORT NOTE.docx (Translated from Ukrainian) page 1/5\r\nREPORT NOTE.docx, shown in Figures 7 and 8 above, purports to be an internal note by the Prosecutor\r\nGeneral’s Office of Ukraine dated February 2021. The file includes pre-trial investigative rulesets regarding\r\nsuspected terrorists. These fighters, from unrecognized regions of Donetsk People’s Republic (DPR) and Luhansk\r\nPeople’s Republic (LPR), have been accused of fighting against the Ukrainian government. Russia has been the\r\nde facto controller of DPR and LPR since the regions simultaneously declared their independence from Ukraine in\r\n2014, which makes the use of these regions ideal in decoy documents for Primitive Bear.\r\nThe escalating tensions between Russia and Ukraine in 2021 add incentive for mentioning DPR and LPR. 
On\r\nJanuary 28, 2021, DPR and LPR groups presented a doctrine dubbed “Russian Donbass,” which stated the groups’\r\ncollective desire to rejoin Russia “in order to return to our historical roots.”[8] In the subsequent months, European\r\nmonitors reported an increase in Russian troop movement along the Ukraine-Russia border. Tensions boiled over\r\nin the DPR on March 30, 2021, with an exchange of artillery and machine-gun fire between the factions resulting in\r\nfour Ukrainians killed and one wounded.[9] This was another strong example of Primitive Bear samples themed\r\naround real-world conflicts before a significant event occurred, a strong indication of potential hybrid warfare.\r\nAnalyzed File – incoming.docx\r\nSHA-256 – 82fe93b52ae5f12fad99fc533324cbf680f5777cc67b9f30dd2addeeee7527f8\r\nFigure 9 – incoming.docx\r\nFigure 10 – incoming.docx (Translated from Russian)\r\nThe .docx file shown in Figures 9 and 10 above is a letter allegedly from Emil Variev, a neighbor of Rustem\r\nSeytmemetov, in occupied Crimea. He referenced how Russia’s Federal Security Service (FSB) arrested him in\r\n2020 in relation to the Hizb ut-Tahrir (an extremist group that aims to unite all Muslim countries) case. Rustem Seytmemetov is\r\njust one of three individuals who were arrested in what Crimeans refer to as “the so-called third Bakhchisaray\r\nHizb ut-Tahrir case,” and they are expected to remain under arrest until April 22, 2021.[10] While the decoy did\r\nnot state an intended recipient, the context appears directed towards Ukrainian authorities. This is another example\r\nof Primitive Bear using documents to coincide with real-world events.\r\nConclusion\r\nPrimitive Bear is motivated by cyberespionage (data theft, information gathering), and this campaign\r\ndemonstrates their specific targeting of regional foes with what often appear to be private documents likely\r\nobtained by illicit means. 
We have observed Primitive Bear using malicious .docx files to distribute .dot files for\r\nover a year; however, the remote template domains used in this campaign were down at the time of discovery.\r\nTherefore, the final payload of this campaign remains unclear at the time of this writing.\r\nMITRE TTPs\r\nMasquerading - T1036\r\nPhishing - T1566\r\nSpearphishing Attachment - T1566.001\r\nTemplate Injection - T1221\r\nUser Execution - T1204\r\nUser Execution: Malicious File - T1204.002\r\nEndnotes\r\n[1]\r\n Anomali Threat Research, “Gamaredon TTPs Target Ukraine,” Anomali White Papers, accessed April 5, 2021,\r\npublished December 5, 2019, https://wwwlegacy.anomali.com/files/white-papers/Anomali_Threat_Research-Gamaredon_TTPs_Target_Ukraine-WP.pdf, 1-2.\r\n[2]\r\n Ibid., 9-11; Gage Mele and Parthiban Rajendran, “Gamaredon Spearphishing Campaign,” accessed April 5,\r\n2021, published April 20, 2020, https://ui.threatstream.com/campaign/61380.\r\n[3]\r\n Anomali Threat Research, “Gamaredon TTPs Target Ukraine,” Anomali White Papers, 6.\r\n[4]\r\n “#Gamaredon #APT mal doc:,” @h2jazi, https://twitter.com/h2jazi/status/1371445133560983552.\r\n[5]\r\n Anna Tertychna, “PUBLIC DIPLOMACY IN UKRAINIAN-BULGARIAN RELATIONS (1991-2018),”\r\nCHTIVO Electronic Library, accessed April 6, 2021, published March 7, 2021,\r\nhttps://shron1.chtyvo.org.ua/Tertychna_Anna/Publichna_dyplomatiia_v_ukrainsko-bolharskykh_vidnosynakh_19912018.pdf?.\r\n[6]\r\n “Bulgarian PM tells Russia to stop spying after intelligence ring charges,” Reuters, accessed April 7, 2021,\r\npublished March 20, 2021, https://www.reuters.com/article/us-bulgaria-russia-espionage/bulgarian-pm-tells-russia-to-stop-spying-after-intelligence-ring-charges-idUSKBN2BC0MR; https://www.reuters.com/article/us-bulgaria-russia-espionage/bulgaria-charges-six-people-over-alleged-russian-spy-ring-idUSKBN2BB1V4.\r\n[7]\r\n 
Ibid.; Dave Lee, “Russia and Ukraine in cyber ‘stand-off’,” BBC News, accessed April 7, 2021, published\r\nMarch 5, 2014, https://www.bbc.com/news/technology-26447200; Laurens Cerulus, “How Ukraine became a test\r\nbed for cyberweaponry,” Politico, accessed April 7, published February 14, 2019,\r\nhttps://www.politico.eu/article/ukraine-cyber-war-frontline-russia-malware-attacks/; Andy Greenberg, “How an\r\nEntire Nation Became Russia’s Test Lab for Cyberwar,” Wired, accessed April 7, 2021, published June 6, 2017,\r\nhttps://www.wired.com/story/russian-hackers-attack-ukraine/; David J. Smith, “Russian Cyber Strategy and the\r\nWar Against Georgia,” Atlantic Council, accessed April 7, 2021, published January 17, 2014,\r\nhttps://www.atlanticcouncil.org/blogs/natosource/russian-cyber-policy-and-the-war-against-georgia/; Dancho\r\nDanchev, “Coordinated Russia vs Georgia cyber attack in progress,” ZDNet, accessed April 7, 2021, published\r\nAugust 11, 2008, https://www.zdnet.com/article/coordinated-russia-vs-georgia-cyber-attack-in-progress/.\r\n[8]\r\n “\"L-DPR\" presented their \"doctrine\": without entering Russia, but with the capture of the entire Donbass,”\r\nNovosti Donbassa, accessed April 7, 2021, published February 4, 2021, https://novosti.dn.ua/news/308202-l-dnr-predstavyly-svoyu-doktrynu-bez-vkhozhdenyya-v-rossyyu-no-s-zakhvatom-vsego-donbassa [article in Russian];\r\nNikola Mikovic, “The Donbass conflict: Waiting for escalation,” Lowy Institute, accessed April 7, 2021, published\r\nFebruary 4, 2021, https://www.lowyinstitute.org/the-interpreter/donbass-conflict-waiting-escalation.\r\n[9]\r\n Andrew E. 
Kramer, “Fighting Escalates in Eastern Ukraine, Signaling the End to Another Cease-Fire,” The\r\nNew York Times, accessed April 7, 2021, published March 30, 2021,\r\nhttps://www.nytimes.com/2021/03/30/world/europe/ukraine-russia-fighting.html.\r\n[10]\r\n “The defendants in the so-called third Bakhchisaray Hizb ut-Tahrir case had their arrest extended,” Crimean\r\nTatar Resource Center, accessed April 7, 2021, published November 9, 2020, https://ctrcenter.org/en/news/5798-figurantam-tretego-bahchisarajskogo-dela-hizb-ut-tahrir-prodlili-srok-aresta.\r\nIOCs\r\nFiles\r\nDomains\r\nIPs\r\nSource: https://www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes"
	],
	"report_names": [
		"primitive-bear-gamaredon-targets-ukraine-with-timely-themes"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434153,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4830359a8b776bdcd9c79356025fa94b523b6ac8.pdf",
		"text": "https://archive.orkl.eu/4830359a8b776bdcd9c79356025fa94b523b6ac8.txt",
		"img": "https://archive.orkl.eu/4830359a8b776bdcd9c79356025fa94b523b6ac8.jpg"
	}
}