{
	"id": "e02b5245-1611-47e6-80d4-ff09604757f9",
	"created_at": "2026-04-06T00:17:58.715215Z",
	"updated_at": "2026-04-10T03:35:51.316765Z",
	"deleted_at": null,
	"sha1_hash": "4c8f97fc9d25791ae96a8c718d6648d4672609ee",
	"title": "Tracking Adversaries: The Qilin RaaS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4348858,
	"plain_text": "Tracking Adversaries: The Qilin RaaS\r\nBy BushidoToken\r\nPublished: 2024-06-12 · Archived: 2026-04-05 17:18:20 UTC\r\nThis blog is part of my Tracking Adversaries blog series, whereby I perform a summary analysis of a particular adversary that has caught my attention and made me feel like they deserve special attention and investigation. Qilin has been covered already by experts from Trend Micro, Secureworks, Group-IB, SentinelOne, SOCRadar, BleepingComputer, and MalwareHunterTeam. Kudos to them, because without these researchers sharing their findings with the community, we would be a lot less informed about this prominent ransomware gang.\r\nBackground\r\nActive since at least May 2022, Qilin ransomware is named after the mythical Chinese creature, which you may pronounce as \"Chee-lin\". The origin of this cybercriminal threat group, however, is believed to be in Russia.\r\nLike many other ransomware campaigns run by organised cybercriminal gangs, Qilin ransomware is used for domain-wide encryption of servers and workstations, and its operators steal vast quantities of data. A ransom is then demanded for the decryption keys and/or to prevent the publication of the stolen data. This is also known as double extortion.\r\nhttps://blog.bushidotoken.net/2024/06/tracking-adversaries-qilin-raas.html\r\nPage 1 of 11\n\nQilin is a Ransomware-as-a-Service (RaaS), which means that cybercriminals external to the core Qilin team (also known as ransomware affiliates) are invited to perform ransomware attacks using the Qilin RaaS platform. The Qilin RaaS will handle payload generation, the publication of stolen data, and ransom negotiations.\r\nAdversary\r\nThe Qilin RaaS operators are also tracked as Water Galura (Trend Micro) and GOLD FEATHER (Secureworks). Qilin is advertised on the exclusive Russian-speaking forum RAMP (short for Ransom Anon Market Place [sic]), where acquiring an account can cost up to $500 in BTC. The forum profile “Haise” joined RAMP on 29 May 2022 and advertised Qilin on 13 February 2023 (see Figure 1).\r\nFigure 1: Qilin RaaS operator Haise advert on RAMP. (Source: Group-IB)\r\nFurther, according to Group-IB, Qilin affiliates that use the RaaS can receive up to 80% of the ransom if it is paid by the victim (if the ransom paid is 3 million USD or less). For ransoms over 3 million USD, an affiliate's cut can rise to 85%.\r\nIn July 2023, KELA spotted that Qilin had announced significant changes to their affiliate payment system. The Qilin RaaS operator Haise stated on RAMP that ransom payments are paid to their affiliates’ wallets first, and only then is a share of the profits transferred to the Qilin RaaS owners.\r\nVictims\r\nIn October 2022, the first victim of Qilin was posted to their Tor data leak site. However, there are reports of Qilin (formerly known as Agenda) being deployed as early as June 2022. From Q2 2023, Qilin victims began to be listed steadily at a rate of around five per month. Since the start of 2024, the number of Qilin victims has noticeably increased (see Figure 2). Do note, however, that these are only the Qilin victims that did not pay the ransom and were therefore leaked. Researching the true number of ransomware attacks is a difficult challenge.\r\nFigure 2: Frequency of Qilin victim posts. (Source: Ransomware.live)\r\nVictims of Qilin have been globally dispersed. The affiliates of Qilin appear to indiscriminately target large companies from around the world, including organisations from Argentina, Australia, Brazil, Canada, Colombia, France, Germany, Japan, New Zealand, Serbia, Thailand, the Netherlands, the UAE, the UK and the US. Some of Qilin’s most notable victims include the automotive giant Yanfeng, UK newspaper The Big Issue, and most importantly Synnovis, a healthcare provider for multiple hospitals in London and a major part of the UK National Health Service (NHS).\r\nFurther, as is typical of the Russian-speaking cybercriminal underground, the operators of Qilin stated “We do not work in the CIS countries” in their RAMP forum post. This means they do not allow their affiliates to deploy Qilin ransomware or extort victims in the Commonwealth of Independent States (CIS), which are all the countries that used to make up the Soviet Union (USSR).\r\nIn mid-2023, KELA observed Qilin affiliates demanding ransoms in the range of 25,000 to 600,000 USD and identified a real estate development company in Thailand paying 600,000 USD after 20 days of negotiations.\r\nCapabilities\r\nAt the time of writing, only a handful of public resources are available on the tactics, techniques, and procedures (TTPs) of Qilin affiliates, with Trend Micro being the primary contributor (big thanks to them for sharing with the community).\r\nNot too much has been shared publicly about the initial access methods leveraged by Qilin affiliates. Trend Micro, however, has reportedly observed one Qilin affiliate use stolen credentials to access a public-facing Citrix server as the point of entry, but how the credentials were stolen in the first place is unknown – potentially via an earlier intrusion by an initial access broker (IAB) or from infostealer malware logs. KELA also tweeted that they saw a Qilin affiliate claiming they gained access via a phishing email during a ransom negotiation with a victim.\r\nQilin affiliate post-compromise TTPs also appear to vary somewhat, and only limited information is available in open sources. Trend Micro observed one affiliate using Nmap and Nping for internal enumeration and RDP with valid credentials for lateral movement. Another affiliate was found to be using a combination of Cobalt Strike and remote monitoring and management (RMM) tools, though Trend Micro did not say which one(s). To disable endpoint detection and response (EDR) systems, Qilin affiliates are known to use the bring-your-own-vulnerable-driver (BYOVD) trick using Terminator.exe by SpyBoy or the publicly available rootkit tool called YDArk. Secureworks stated they saw a Qilin affiliate using PCHunter and PowerTool. Data exfiltration TTPs of Qilin affiliates have not been shared publicly either.\r\nFor ransomware distribution, the final stage of the intrusion, Qilin operators have reportedly used an Active Directory Group Policy Object (GPO) to create a scheduled task called enc64.exe. The first version of Qilin (formerly called Agenda) would also change the default user’s password and enable automatic login with the new credentials. It would then reboot the victim’s machine into safe mode and proceed with the encryption routine upon reboot to bypass protection systems. The Rust version of Qilin ransomware has also been deployed using a custom PowerShell script embedded in the binary to propagate across VMware vCenter and ESXi servers, as well as via PsExec, the Windows Sysinternals tool. Another notable TTP of Qilin ransomware that SentinelOne highlighted is that it uses intermittent encryption, reportedly to bypass protections.\r\nAs for the ransom notes, in August 2022, Trend Micro uncovered the first version of the ransomware, which was called Agenda and was later renamed to Qilin (see Figures 3 and 4).\r\nFigure 3: Agenda ransom note example. (Source: Trend Micro)\r\nFigure 4: Qilin ransom note example. (Source: Trend Micro)\r\nThere are multiple versions of Qilin ransomware. These include a Golang variant and a Rust variant to target Windows, plus, since December 2023, a custom-coded version of Qilin to target Linux virtual machines on VMware ESXi hypervisors. This is notable as many other ransomware gangs that target ESXi often just use the leaked Babuk source code.\r\nInfrastructure\r\nThe Qilin ransom notes shown above are dropped on the encrypted devices at victim organisations. If a victim follows the instructions in the ransom notes, they are greeted with a “recovery portal” hosted on Tor as part of the Qilin RaaS for ransom negotiations and decryption (see Figure 5).\r\nFigure 5: Qilin victim recovery portal. (Source: BleepingComputer Forums)\r\nIf a victim does not pay the ransom to Qilin, then their data is posted to the Qilin Tor data leak site, which has also gone through an upgrade; the operators have since added some more Qilin branding graphics (see Figure 6).\r\nFigure 6: Qilin data leak site.\r\nIn May 2023, Group-IB disclosed that they had managed to infiltrate the Qilin group in March 2023 and gain visibility into the Qilin RaaS (see Figures 7, 8, and 9), highlighting the power of human intelligence (HUMINT) and undercover operations. The RaaS platform operates similarly to others we have seen in the past. Affiliates get access to a panel to build customisable payloads for Windows and ESXi, publish stolen victim files to the data leak site, negotiate with victims for the ransom payments, and read some guidance shared by the RaaS operators on how to use Qilin ransomware.\r\nFigure 7: Qilin RaaS dashboard. (Source: Group-IB)\r\nFigure 8: Qilin RaaS customisable options. (Source: Group-IB)\r\nFigure 9: Qilin ransomware usage guide. (Source: Group-IB)\r\nAlongside their Tor data leak site, Qilin also runs a Telegram news channel to make announcements (see Figure 10).\r\nFigure 10: Telegram channel of Qilin ransomware.\r\nOn 1 May 2024, Qilin pulled an unusual move and added a new QR code to its Tor data leak site, which pointed to a site called WikiLeaksV2, hosted on the clearnet (see on URLscan here), where they listed a selection of their victims in addition to soliciting cryptocurrency donations (see Figure 11).\r\nFigure 11: WikiLeaksV2 created by Qilin. (Source: @BrettCallow)\r\nOverlaps between Qilin and other ransomware groups\r\nAt the time of writing, Qilin has listed over 100 organisations as victims on their Tor data leak site. Among those victims, there have been overlaps with other ransomware ‘name-and-shame’ sites. On 30 April 2023, Qilin published the Siix Corporation to its Tor data leak site. On 17 October 2023, ALPHV/BlackCat also published Siix Corporation to its Tor data leak site. On 26 October 2023, SG World appeared on the Qilin Tor data leak site. It was previously listed on the Conti Tor data leak site on 17 April 2021.\r\nInterestingly, following the overlaps in victims between Qilin, ALPHV/BlackCat, and Conti, Microsoft shared that Pistachio Tempest (formerly DEV-0237 and also known as FIN12) was experimenting with Qilin ransomware back in June 2022, when it was still called Agenda ransomware (see Figure 12). Pistachio Tempest is known for deploying Ryuk, Conti, and Hive, and became a prolific ALPHV/BlackCat affiliate. The link to FIN12 also closely aligns with the usage of Qilin against healthcare targets (particularly the UK NHS), which is a well-documented TTP of the group.\r\nFigure 12: DEV-0237 usage of Qilin. (Source: Microsoft)\r\nAdditional similarities between Qilin and other well-known ransomware families include the user verification system on the Qilin victim recovery portal, which is very similar to that of BlackMatter (the predecessor of ALPHV/BlackCat). Other features of the Golang variant of Qilin, such as changing system passwords and rebooting into safe mode, are reminiscent of REvil and BlackBasta. REvil has several ties to ALPHV/BlackCat, and BlackBasta is a known descendant of the Conti gang.\r\nFurther, the Rust variant of Qilin prompts the user for a password to be passed as an argument, which is a feature reminiscent of ALPHV/BlackCat, which was also written in Rust. Another finding was that SCATTERED SPIDER, an affiliate of the ALPHV/BlackCat RaaS, is also regularly known to use the BYOVD technique to bypass EDR systems. Plus, Terminator.exe has also been deployed during ALPHV/BlackCat ransomware attacks in June 2023, as well as leveraged by Akira ransomware affiliates, who also have ties to Conti.\r\nConclusion\r\nSo far, Qilin appears to be nothing special, but it is evidently attracting the affiliates left over from the Conti shutdown and the ALPHV/BlackCat exit scam, and is likely to also be a beneficiary of the LockBit takedown. The numerous overlaps between affiliates, victims, features and design choices indicate just how closely interconnected the ransomware ecosystem is. Because Qilin is relatively new but virtually mirrors the functionality of ALPHV/BlackCat, it is highly likely that some of the same Russian-speaking cybercriminals associated with ALPHV/BlackCat are associated with Qilin.\r\nTherefore, it seems Qilin may be the next big RaaS to fill the vacuum left by the other big RaaS operations shutting down or getting taken down. However, there is a big question mark around whether they can withstand the pressure from international law enforcement joint operations. Qilin shall almost certainly be receiving a lot of extra attention since the UK National Health Service was attacked. Therefore, it is likely safe to assume that the operators behind Operation Cronos at the UK National Crime Agency (NCA) shall be looking closely into Qilin.\r\nAdditional Resources\r\nhttps://id-ransomware.blogspot.com/2022/06/agenda-ransomware.html\r\nhttps://github.com/rivitna/Malware/blob/main/Qilin/Qilin_samples.txt\r\nQilin Data Leak Site: ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd[.]onion\r\nQilin Victim Portal: kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad[.]onion\r\nQilin Clearnet Site: wikileaksv2[.]com (31.41.244[.]100)\r\nSource: https://blog.bushidotoken.net/2024/06/tracking-adversaries-qilin-raas.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.bushidotoken.net/2024/06/tracking-adversaries-qilin-raas.html"
	],
	"report_names": [
		"tracking-adversaries-qilin-raas.html"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "466e2ca5-1e92-49a6-8b6e-4a0ef8ede5de",
			"created_at": "2025-10-29T02:00:52.027586Z",
			"updated_at": "2026-04-10T02:00:05.403724Z",
			"deleted_at": null,
			"main_name": "Water Galura",
			"aliases": [
				"Water Galura",
				"GOLD FEATHER"
			],
			"source_name": "MITRE:Water Galura",
			"tools": [
				"Qilin"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2d3f35f-3b29-4509-bff5-af2638140d39",
			"created_at": "2022-10-25T16:07:23.633982Z",
			"updated_at": "2026-04-10T02:00:04.695802Z",
			"deleted_at": null,
			"main_name": "FIN12",
			"aliases": [],
			"source_name": "ETDA:FIN12",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "016f38de-9fb8-4e7a-9422-bee62c008839",
			"created_at": "2024-06-19T02:03:08.04408Z",
			"updated_at": "2026-04-10T02:00:03.84457Z",
			"deleted_at": null,
			"main_name": "GOLD FEATHER",
			"aliases": [
				"Water Galura "
			],
			"source_name": "Secureworks:GOLD FEATHER",
			"tools": [
				"Qilin"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434678,
	"ts_updated_at": 1775792151,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c8f97fc9d25791ae96a8c718d6648d4672609ee.pdf",
		"text": "https://archive.orkl.eu/4c8f97fc9d25791ae96a8c718d6648d4672609ee.txt",
		"img": "https://archive.orkl.eu/4c8f97fc9d25791ae96a8c718d6648d4672609ee.jpg"
	}
}