{
	"id": "3928e16f-7469-4557-a3f9-6ff2a06a25fa",
	"created_at": "2026-04-06T00:10:43.994519Z",
	"updated_at": "2026-04-10T03:37:41.108807Z",
	"deleted_at": null,
	"sha1_hash": "526719169a69672c71da0921ce97a59e6bf31b49",
	"title": "CTO at NCSC Summary: week ending May 19th",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1035526,
	"plain_text": "CTO at NCSC Summary: week ending May 19th\r\nBy Ollie Whitehouse\r\nPublished: 2025-04-12 · Archived: 2026-04-05 17:29:34 UTC\r\nWelcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes\r\nit in, but the best bits do.\r\nOperationally this week nothing overly of note beyond the revelation that 400k Linux servers were compromised for\r\nfinancial gain!\r\nIn the high-level this week:\r\nCyberUK by the UK National Cyber Security Centre was this week in Birmingham, UK - from which there was:\r\nAnne Keast-Butler keynote speech - “Russia and Iran pose immediate threats, but China is the epoch-defining challenge.”\r\nFelicity Oswald keynote speech - “The NCSC, as the nation’s technical authority on cyber security, judges\r\nthat Russia, China, Iran and the DPRK continue to pose the greatest risk to the UK and our allies.”\r\nCyber insurance industry unites to bear down on ransom payments - “Three major UK insurance associations\r\nunite with GCHQ’s National Cyber Security Centre to help reduce ransom payments made by victims of cyber\r\ncrime”\r\nGuidance for organisations considering payment in ransomware incidents\r\nNCSC ramps up support for those at high risk of cyber attacks ahead of election - “NCSC service aims to help\r\nprevent political candidates and election officials from falling foul of spear-phishing, malware and other\r\nthreats during major election year”\r\nNational Cyber Security Centre CTO: The tech market isn't working - “Whitehouse is expected to say that\r\ntechnology is changing at a rapid pace, but that regulation and legislation are not keeping pace and likely\r\nnever will do. 
He will call for technology developers to be honest about the profound challenges they are\r\nfacing in order to develop products and services that are fit for purpose and for a resilient future.”\r\nIntroducing the NCSC's ‘Share and Defend’ capability - “‘Share and Defend’ is a new capability from the\r\nNCSC, designed to enable protection to the UK public and businesses from cyber attacks and cyber-enabled\r\nfraud.”\r\nStatement from HM Government on the adoption of UK Cyber Security Council standards - “Support cyber security\r\nspecialists at the National Cyber Security Centre (NCSC) to gain Council recognition and using the Council\r\nstandards to define the skills industry will need to deliver NCSC-recognised services.”\r\nCHERI adoption and diffusion research - UK Department for Science Innovation \u0026 Technology - “Research on\r\nthe market potential for CHERI technology; a semiconductor designed to improve cyber security.”\r\nLearning from the mistakes of others – A retrospective review - UK Information Commissioner's Office release -\r\n“We have summarised several case studies from our regulatory activities to illustrate some commonly encountered\r\nissues and highlight where lessons might be learnt. These are not a full representation of the case and we have linked\r\nto the relevant monetary penalty notice or reprimand for further information.”\r\nhttps://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-may-16b\r\nPage 1 of 17\r\nU.S. Department of the Treasury’s Federal Insurance Office Launches New Partnership with the National Science\r\nFoundation on Terrorism and Catastrophic Cyber Risks - US Department of the Treasury announces - “This new\r\nIUCRC will bring together the insurance sector, academic teams, the federal government, and other stakeholders to\r\nstrengthen the resilience of the U.S. 
financial system through efforts that: \r\n(1) help insurers to estimate risk with greater certainty, thereby improving insurance pricing, coverage, and\r\npolicyholder uptake; \r\n(2) contribute to the potential expansion of reinsurance and capital markets to help support these risks; and \r\n(3) inform the treatment of terrorism and catastrophic cyber risks in government programs.”\r\nCanada joins international security partners in release of advisory, guidance on growing cyber security threat to civil\r\nsociety - Canadian Centre for Cyber Security alerts - “In a new advisory co-authored by Canada, the United\r\nStates, Estonia, Japan, Finland and the United Kingdom, cyber security agencies share new details about the ways\r\nand means foreign threat actors use for cyber attacks on civil society targets. The high-risk community of civil society\r\norganizations and individuals is defined in the report as: nonprofit, advocacy, cultural, faith-based, academic, think\r\ntanks, journalist, dissident, and diaspora organizations, communities, and individuals involved in defending human\r\nrights and advancing democracy.”\r\nMitigating cyber threats with limited resources: Guidance for civil society - Canadian Centre for Cyber\r\nSecurity release\r\nAnalysing the Future of Cyber Conflicts Post Russia-Ukraine War - Predictive Defense analyses\r\nHow GPS warfare is playing havoc with civilian life - Financial Times reports - “Such is the fallout from a surge in\r\nthe manipulation of navigation signals — modern GPS warfare — that has played havoc with civilian smartphones,\r\nplanes and vessels on three continents.”\r\nRelated: Un-jammable quantum tech takes flight to boost UK’s resilience against hostile actors - UK\r\nDepartment for Science Innovation \u0026 Technology - “A first-of-its-kind achievement as quantum navigation\r\ntech developed in the UK has been successfully tested in flight.”\r\nNewspaper groups warn Apple over ad-blocking plans - Financial Times reports - “British newspaper groups have\r\nwarned Apple that any move to impose a so-called “web eraser” tool to block advertisements would put the financial\r\nsustainability of journalism at risk.”\r\nGlimpse of next-generation internet - Harvard reports - “The Harvard team established the practical makings of the\r\nfirst quantum internet by entangling two quantum memory nodes separated by optical fiber link deployed over a\r\nroughly 22-mile loop through Cambridge, Somerville, Watertown, and Boston. The two nodes were located a floor\r\napart in Harvard’s Laboratory for Integrated Science and Engineering.”\r\n[US] Treasury Department launches cybersecurity initiative for financial services - ABA Banking Journal reports -\r\n“The Treasury Department has launched a new public-private partnership to provide what it said is a more\r\ncomprehensive approach to defending the financial system from cyberattacks. 
The new initiative, called “Project\r\nFortress,” will involve information sharing and tools that financial institutions can use to scan for cyber\r\nvulnerabilities, according to the agency.”\r\nCommittee on Homeland Security calls on Microsoft president to testify about ‘cascade of security failures,\r\ncybersecurity shortfalls’ - Committee on Homeland Security asserts - “However, the CSRB report revealed that\r\nMicrosoft has repeatedly failed to prevent substantial cyber intrusions, causing grave implications for the security\r\nand integrity of U.S. government data, networks, and information, and putting Americans—including U.S.\r\ngovernment officials—at risk”\r\nDefending Democracy\r\nJustice Department vows crackdown on election-related threats - Politico reports - “Top Justice Department\r\nleaders promised Monday to respond swiftly to threats against officials overseeing this year’s elections and to\r\ncombat the increasing use of sophisticated technology to disguise the origins of any disruptions.”\r\nHacks and propaganda: Two brothers from Moldova bring Russia's digital war to Europe - Correctiv\r\ninvestigates - “Parallel to the war of aggression against Ukraine, Russia is stirring up sentiment in the West\r\nwith fake news and cyberattacks. Two brothers from the Republic of Moldova provide the necessary\r\ntechnology.”\r\nReporting on/from China\r\nNew Chinese Tianfu Cup / Pwn2Own style competition for vulnerability discovery - £2 million prize\r\npool - they also have an AI competition.\r\nBritain and US sound alarm over growing Chinese cyber threat - Reuters reports - “U.S. National Cyber\r\nDirector Harry Coker told the conference that Chinese military hackers were circumventing U.S. defences in\r\ncyberspace and targeting U.S. interests at an \"unprecedented scale\".”\r\nMore subsea cables bypass China as Sino-U.S. 
tensions grow - Nikkei Asia reports - “Once billed as a future\r\nhub for subsea networks that form vital arteries of international communication, China is expected to see only\r\nthree cables laid after this year -- fewer than half the number planned for Singapore. The lack of undersea\r\nprojects is also expected to weigh on the construction of data centers in the country.”\r\nTech war: US to dwarf China in advanced chip making capacity by 2032, report finds - South China\r\nMorning Post reports - “The US would grow its global share of advanced chips to 28 per cent by 2032, while\r\nmainland China is expected to account for just 2 per cent”\r\n‘Superior capabilities’: Chinese AI can make flooding forecast for every river on Earth - South China\r\nMorning Post reports - “In the paper, the researchers wrote: “Our proposed model achieved state-of-the-art\r\nperformance in cross-region streamflow forecasting tasks relative to other machine learning models and\r\nclassic hydrological models.” - imagine when applied to insurance; this is the edge.\r\nChina’s quantum tech ‘core strength’ targeted by latest US trade blacklist, Chinese physicists warn - South\r\nChina Morning Post reports - “Updated US ‘Entities List’ names 22 of China’s leading players in quantum\r\nresearch and industry among 37 of its firms and institutes targeted”\r\nChinese scientific espionage in Germany: what next? - Science|Business reports - “the Federal Public\r\nProsecutor's Office in Germany announced the arrest of three suspected science spies who are alleged to have\r\nprocured information on dual-use technologies for the Chinese secret service. 
They were in contact with\r\nseveral German universities and had signed a contract with one of them.”\r\nArtificial intelligence\r\nCyber Security of AI: call for views - UK Department for Science Innovation \u0026 Technology - “The\r\ngovernment is asking for views on a two-part intervention, including a voluntary Code of Practice on AI cyber\r\nsecurity which will form a new global standard.”\r\nU.S.-China talks on AI risks set to begin in Geneva - The Washington Post reports - “The talks Tuesday are\r\naimed at preventing disastrous accidents and unintended war amid an AI arms race.”\r\nThe Role of AI in Russia’s Confrontation with the West - CNAS opines - “According to public statements, the\r\nRussian government also places a significant emphasis on using AI in information and cyber operations”\r\nAI systems are getting better at tricking us - MIT Technology Review reports - jokes about hallucinations\r\nnotwithstanding - “Meta’s researchers said they’d trained Cicero on a “truthful” subset of its data set to be\r\nlargely honest and helpful, and that it would “never intentionally backstab” its allies in order to succeed. But\r\nthe new paper’s authors claim the opposite was true: Cicero broke its deals, told outright falsehoods, and\r\nengaged in premeditated deception. Although the company did try to train Cicero to behave honestly, its\r\nfailure to achieve that shows how AI systems can still unexpectedly learn to deceive, the authors say.”\r\nJapan to launch U.S.-inspired defense R\u0026D center with eye on AI - Nikkei Asia reports - “The center will\r\nalso research new, more sensitive methods to detect submarines from a distance using subatomic particles and\r\nelectromagnetic waves. 
Conventional sonar has become less effective following technological improvements\r\nthat have made subs quieter.”\r\nAdversary use of Artificial Intelligence and LLMs and Classification of TTPs - “an attempt to organize known\r\nuse of artificial intelligence by cyber threat actors and to map and track those techniques.”\r\nCyber proliferation\r\nEx-Variston zero-day experts regroup at Paradigm Shift - Intelligence Online reports - “The fallout of\r\nGoogle's accusations has left the Spanish cyber intelligence firm floundering and its zero-day vulnerability\r\nhunters leaving to new ventures.”\r\nBounty Hunting\r\nRewards for Justice – Reward Offer for Information on North Korean IT Workers - US Department of State\r\nSecurity expert detained in court for 'hacking 400,000 households' wall pads and distributing video' - Donga\r\nreports - “Court sentenced [him] to 4 years in prison\r\nfor attempting to sell private videos hacked into 638 apartment complexes across the country”\r\nDeveloper of Tornado Cash goes to jail for laundering billions of dollars in cryptocurrency - de Rechtspraak\r\nreports - “The East Brabant court has sentenced a 31-year-old Russian, living in Amstelveen, to a prison term\r\nof 5 years and 4 months. He developed and maintained the software tool Tornado Cash, which laundered a\r\ntotal of more than two billion US dollars.”\r\nTwo Brothers Arrested for Attacking Ethereum Blockchain and Stealing $25M in Cryptocurrency - US\r\nDepartment of Justice\r\nDemocratic People's Republic of Korea Leverages U.S.-Based Individuals to Defraud U.S. Businesses and\r\nGenerate Revenue - FBI\r\nReflections this week are around kind people. I had a number of you come up to me at CyberUK and thank me for\r\nproducing this each week. Nearly all of you wondered where I got the time, did I sleep, etc. 
I think I retorted to most of you I\r\nam sufficiently neurodiverse coupled with it being a labour of love. Anyway, very kind of all of you who did speak to me.\r\nMy keynote on market failures and incentives is also something I have trailed here in various guises. The video can be seen\r\nhere:\r\nAll attribution is by others and not the UK Government unless specifically stated as such; please see the legal text at\r\nthe end.\r\nHave a lovely Friday.\r\nOllie\r\nWho is doing what to whom and how allegedly.\r\nUkrainian Government alleges a concerted campaign which is noteworthy due to the leveraging of diversified\r\ncommunications channels for initial access as much as anything.\r\nuse of legitimate software for deception: hackers tried to disguise spyware as legitimate apps, such as the\r\nsituational awareness system “Kropyva”;\r\nspreading malware through popular messengers: hackers used popular messengers like Signal and\r\nTelegram, imitating cybersecurity guidelines issued by CERT-UA;\r\nquick reaction and adaptation: hackers quickly reacted to new defense measures and developed new attack\r\nvectors to bypass them;\r\ntargeted Windows software: most messenger-based attacks targeted Windows software, as many Ukrainian\r\nservicemen use PC versions of the messengers;\r\ndecoy files: hackers attempted to spread malware disguised as certificate updates to the “DELTA”\r\nsituational awareness complex, using Zip or Rar archives.\r\nhttps://cip.gov.ua/en/news/rosiiski-khakeri-aktivizuvali-ataki-na-mobilni-pristroyi-ukrayinskikh-viiskovikh-doslidzhennya-derzhspeczv-yazku\r\nFilip Jurčacko alleges that a Russian state-based actor has evolved their implants. 
Noteworthy due to the use of\r\nsteganography.\r\n[We] discovered two previously unknown backdoors – LunarWeb and LunarMail – used in the\r\ncompromise of a European MFA and its diplomatic missions.\r\nLunarWeb, deployed on servers, uses HTTP(S) for its C\u0026C communications and mimics legitimate\r\nrequests, while LunarMail, deployed on workstations, is persisted as an Outlook add-in and uses email\r\nmessages for its C\u0026C communications.\r\nBoth backdoors employ the technique of steganography, hiding commands in images to avoid detection.\r\nBoth backdoors utilize a loader that uses the DNS domain name for decryption of the payload, share\r\nportions of their codebases, and have the unusual capability of being able to execute Lua scripts.\r\nThe loader can have various forms, including trojanized open-source software, demonstrating the advanced\r\ntechniques used by the attackers.\r\nhttps://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/\r\nVolexity alleges that a China-based threat actor was behind (some of) the Palo Alto attacks.\r\nShortly after the advisory for CVE-2024-3400 was released, scanning and exploitation of the vulnerability\r\nimmediately increased. The uptick in exploitation appears to have been associated with UTA0218 or\r\nanother threat actor that had early access to the exploit prior to proof-of-concept code being made public.\r\nMultiple organizations were exploited in late March 2024 with simple commands designed to place zero-byte files on the systems in what appears to be an effort to validate vulnerable devices. Volexity did not\r\nobserve follow-on activity from threat actors in most of these cases.\r\nExfiltration of the firewall’s running configuration was the most commonly observed post-exploitation\r\nactivity across devices spanning numerous verticals and geographic regions. 
This was observed in the\r\nearliest exploitation by UTA0218, and by future unrelated threat actors after public proof-of-concept code\r\nwas made available.\r\n…\r\nVolexity assesses with moderate confidence that UTA0218 is a China-based threat actor based on the targeting\r\nand infrastructure used for this campaign.\r\nhttps://www.volexity.com/blog/2024/05/15/detecting-compromise-of-cve-2024-3400-on-palo-alto-networks-globalprotect-devices/\r\nPierre Lee and Cyris Tseng provide an update on the alleged Chinese Earth Hundun campaign and how it continues to evolve. It\r\nhighlights that threat actors are increasingly evolving tradecraft to evade detections. Note the anti-memory scanning\r\ntechniques!\r\nEarth Hundun is known for targeting the Asia-Pacific and now employs updated tactics for infection\r\nspread and communication.\r\nThis report details how Waterbear and Deuterbear operate, including the stages of infection, command and\r\ncontrol (C\u0026C) interaction, and malware component behavior.\r\nDeuterbear, while similar to Waterbear in many ways, shows advancements in capabilities such as\r\nincluding support for shellcode plugins, avoiding handshakes for RAT operation, and using HTTPS for\r\nC\u0026C communication.\r\nComparing the two malware variants, Deuterbear uses a shellcode format, possesses anti-memory\r\nscanning, and shares a traffic key with its downloader unlike Waterbear.\r\nThe evolution of Waterbear into Deuterbear indicates the development of tools for anti-analysis and\r\ndetection evasion in Earth Hundun's toolbox.\r\nhttps://www.trendmicro.com/en_us/research/24/e/earth-hundun-2.html\r\nGenians details an alleged North Korean campaign. 
The novelty here is the file format (MSC) used to achieve code execution,\r\nwhich may be a blind spot for some.\r\nDisguised as a public official in the North Korean human rights field and searched for attack targets\r\nthrough Facebook\r\nAfter a personal approach through Facebook Messenger, a brief greeting and conversation begin.\r\nShare malicious URL link address by pretending to be a specific document file\r\nObserve MSC-based threats through OneDrive cloud service\r\nIdentification of ReconShark-like malware from Kimsuky group\r\nhttps://www-genians-co-kr.translate.goog/blog/threat_intelligence/facebook?_x_tr_sl=auto\u0026_x_tr_tl=en\u0026_x_tr_hl=en-US\u0026_x_tr_pto=wapp\r\nSymantec alleges North Korea has expanded to include Linux as a target operating system in a related Kimsuky campaign.\r\n[We] uncovered a new Linux backdoor developed by the North Korean Springtail espionage group (aka Kimsuky)\r\nthat is linked to malware used in a recent campaign against organizations in South Korea.\r\nThe backdoor (Linux.Gomir) appears to be a Linux version of the GoBear backdoor, which was used in a recent\r\nSpringtail campaign that saw the attackers deliver malware via Trojanized software installation packages. Gomir\r\nis structurally almost identical to GoBear, with extensive sharing of code between malware variants.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage\r\nQiAnXin Threat Intelligence Center reports on an alleged North Korean supply-chain campaign to steal crypto assets. Note this\r\nappears to be a continuation of a DreamJob-esque campaign.\r\n[We] found that the attackers continued to carry out frequent attacks after being disclosed at the end of last year,\r\nand the victims were mainly developers in the blockchain industry. 
Attackers create false identities on work\r\nplatforms (such as LinkedIn, Upwork, Braintrust, etc.), pretend to be employers, independent developers, or\r\nstartup founders, and post job information with generous rewards or urgent tasks. The job content is usually\r\nsoftware development or problem fixing. This job information will attract developers who actively search for it,\r\nor it will be presented to the target group through the push mechanism of the platform. While discussing the job\r\ndescription, the attackers tried to convince the candidates to run the code they provided on their devices. Once the\r\napplicant runs the program without suspicion, the malicious JS code inserted will steal sensitive information\r\nrelated to virtual currency on the infected device and implant other malware.\r\nhttps://mp-weixin-qq-com.translate.goog/s/84lUaNSGo4lhQlpnCVUHfQ?_x_tr_sl=auto\u0026_x_tr_tl=en\u0026_x_tr_hl=en-US\u0026_x_tr_pto=wapp\r\nObsidian observes some strong TTPs in this alleged Iranian-aligned operation. These should provide some real detection\r\nopportunities.\r\n[We] observed a set of unique characteristics across several targeted attacks, distinguishing them from others of a\r\nsimilar kind.\r\nResidential Proxy Usage: Phishing kits and services are taking advantage of proxy networks that utilize a\r\nvariety of residential IPs. To evade detection and get past conditional access policies, attackers can appear\r\nin the same city as a victim while also coming from a residential ISP such as Comcast, Cox, T-Mobile,\r\nVerizon, etc. This gives attackers an advantage as opposed to coming from IP space associated with private\r\nVPNs or hosting infrastructure which is easier for defenders to identify. As you can imagine, this muddies\r\nthe waters when performing detection engineering, security operations, and incident response. 
“Zscaler Inc.” ISP Minted a Malicious Session. Residential proxy networks consist of willing and\r\nunwilling parties leasing their bandwidth and IP to other users. There are a variety of ways in which these\r\nnetworks are built, deployed, and used which was covered extensively in a blog post by Sekoia. The\r\nvictim organization was not a paying customer of Zscaler but we see this ISP appear in one of the\r\ncompromised login sequences that matched those of other true positives that all went through residential\r\nproxy IPs. To the best of our knowledge, Zscaler can be set up in a VPN mode via Zscaler Client\r\nConnector. This can technically route all traffic on a machine through Zscaler infrastructure, potentially\r\nincluding traffic from a residential proxy agent or traffic via a compromised host. The residential proxy\r\nagents we tested were able to distinguish residential IPs from infrastructure IPs and only route traffic via\r\nthe IPs they classified as residential. However, this was not an exhaustive test so we cannot completely\r\nrule out the possibility that the Zscaler IP came from a voluntary proxy agent. Regardless of it being a\r\nresidential proxy agent or a compromised host, residential IPs mixed with security gateway IPs, for\r\nobvious reasons, can complicate matters further…\r\nOutdated User Agent. In addition to the use of residential proxies, the attackers used an outdated Chrome\r\nuser agent released in 2019. While detecting phishing through residential proxies poses a challenge, this\r\nsimple IOC has a very high success rate in identifying these attacks.\r\nhttps://www.obsidiansecurity.com/blog/emerging-identity-threats-the-muddy-waters-of-residential-proxies/\r\nMarc-Etienne M.Léveillé details a decade-old criminal campaign (Ebury) which continues to thrive, I think it is fair to say. 
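Obsidian's two indicators above (a Chrome user agent several years out of date, and a residential or security-gateway ISP the user has never signed in from before, yet in a city they normally sign in from) translate directly into detection logic over sign-in telemetry. The script below is an added example written for this summary, not Obsidian's detection content or code. The record format and field names, the `min_chrome_major` threshold and the gateway-vendor list are assumptions, and the sign-in records are constructed.

```python
"""Flag sign-ins that match the residential-proxy plus outdated-browser pattern.

Added example; not Obsidian's code. Field names, the version threshold and
the gateway-vendor list are assumptions, and SAMPLE_LOG is constructed.
"""
import json
import re
from collections import defaultdict

# Constructed sign-in events in the shape of a generic IdP audit log
# (hypothetical field names; a real log would need mapping onto them).
SAMPLE_LOG = """\
{"ts": "2024-05-13T08:02:11Z", "user": "alice@example.test", "ip": "203.0.113.10", "isp": "Example Fiber", "city": "Seattle", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36", "result": "success"}
{"ts": "2024-05-13T17:40:09Z", "user": "alice@example.test", "ip": "203.0.113.10", "isp": "Example Fiber", "city": "Seattle", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36", "result": "success"}
{"ts": "2024-05-14T02:41:03Z", "user": "alice@example.test", "ip": "198.51.100.77", "isp": "Comcast Cable", "city": "Seattle", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36", "result": "success"}
{"ts": "2024-05-14T02:43:19Z", "user": "alice@example.test", "ip": "192.0.2.55", "isp": "Zscaler Inc.", "city": "Seattle", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36", "result": "success"}
{"ts": "2024-05-14T03:00:00Z", "user": "alice@example.test", "ip": "198.51.100.90", "isp": "Cox Communications", "city": "Seattle", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36", "result": "failure"}
{"ts": "2024-05-14T10:05:00Z", "user": "bob@example.test", "ip": "203.0.113.42", "isp": "Example Fiber", "city": "Austin", "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15", "result": "success"}
"""

# Chrome advertises "Chrome/<major>.<minor>..." in its UA string.
CHROME_RE = re.compile(r"\bChrome/(\d+)\.")

# Assumption: ISP names of security-gateway vendors whose egress should only
# appear in your sign-ins if your organisation actually uses that vendor.
GATEWAY_VENDORS = ("zscaler",)


def chrome_major(ua: str):
    """Major Chrome version from a user agent, or None for non-Chrome UAs."""
    m = CHROME_RE.search(ua)
    return int(m.group(1)) if m else None


def is_outdated_chrome(ua: str, min_major: int) -> bool:
    """True when the UA claims a Chrome build older than min_major."""
    major = chrome_major(ua)
    return major is not None and major < min_major


def analyse(log_text: str, min_chrome_major: int = 110, org_gateways=()):
    """Return one finding per successful sign-in that matches the pattern.

    The per-user baseline (ISPs and cities) is built only from earlier
    *clean* successes, so the attacker's first proxied login is judged
    against genuine history and a repeat does not quietly become normal.
    min_chrome_major is an assumed threshold: derive it from the current
    stable release so that only builds years behind trip the rule.
    """
    known_isps = defaultdict(set)
    known_cities = defaultdict(set)
    org_gateways = {g.lower() for g in org_gateways}
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["result"] != "success":
            continue  # failures feed other rules; only successes matter here
        user, isp, city = ev["user"], ev["isp"], ev["city"]
        reasons = []
        if is_outdated_chrome(ev["ua"], min_chrome_major):
            reasons.append(f"outdated_chrome_{chrome_major(ev['ua'])}")
        if known_isps[user] and isp not in known_isps[user]:
            # New carrier for this user. Same city as their history is the
            # residential-proxy signature: right place, wrong network.
            reasons.append("new_isp_same_city" if city in known_cities[user]
                           else "new_isp_new_city")
        gateway = next((v for v in GATEWAY_VENDORS if v in isp.lower()), None)
        if gateway and gateway not in org_gateways:
            reasons.append("unexpected_gateway_isp")
        if reasons:
            findings.append({"ts": ev["ts"], "user": user, "ip": ev["ip"],
                             "isp": isp, "reasons": reasons})
        else:
            known_isps[user].add(isp)
            known_cities[user].add(city)
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["ts"], f["user"], f["ip"], f["isp"], ", ".join(f["reasons"]))
```

Run as-is it reports the two Alice sign-ins that arrived through a carrier new to her, in her usual city, with a Chrome 79 user agent, the second of them via a Zscaler egress the organisation does not use (pass `org_gateways=("zscaler",)` if it does). Two design choices matter: a flagged success is never added to the baseline, so the attacker's second login is still compared against clean history; and the Chrome threshold is a parameter rather than a hard-coded year, because the right value is "well behind the current stable release" and moves every few weeks.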
Ebury's alleged compromise of kernel.org for three years (2009 to 2011, per the report) will be of concern.\r\nEbury actors have been pursuing monetization activities subsequent to our 2014 publication on Operation\r\nWindigo, including the spread of spam, web traffic redirections, and credential stealing.\r\nAdditionally, we have confirmed that operators are also involved in cryptocurrency heists by using AitM\r\nand credit card stealing via network traffic eavesdropping, commonly known as server-side web skimming.\r\nOver the years, Ebury has been deployed to backdoor almost 400,000 Linux, FreeBSD, and OpenBSD\r\nservers, and more than 100,000 were still compromised as of late 2023.\r\nWe uncovered new malware families authored and deployed by the gang for financial gain, including\r\nApache modules and a kernel module to perform web traffic redirection.\r\nIn many cases, Ebury operators were able to gain full access to large ISPs and well-known hosting\r\nproviders. 
They used that access to deploy Ebury on the partial or complete server infrastructure hosted by\r\nthat provider.\r\nEbury also compromised the infrastructure of other threat actors, including Vidar Stealer and many others,\r\nto steal data stolen by those other groups and copycat competing operations to blur attribution attempts.\r\nEbury operators also used zero-day vulnerabilities in administrator software to compromise servers in\r\nbulk.\r\nThe data we obtained confirmed a number of suspected victims, including the compromise of kernel.org\r\nfrom 2009 to 2011.\r\nWe provide a set of tools and indicators to help system administrators determine whether their systems are\r\ncompromised by Ebury.\r\nhttps://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain/\r\nInsikt Group have discovered what we shall call a scaled campaign.\r\nInsikt Group discovered an extensive and multi-faceted campaign, attributed to Russian-speaking threat actors\r\nlikely located in the Commonwealth of Independent States (CIS), abusing a legitimate GitHub profile to\r\nimpersonate legitimate software, such as 1Password, Bartender 5, and Pixelmator Pro, among others, and\r\ndistribute various malware families focused on stealing personal information from unsuspecting victims. Some\r\nmalware families observed in this campaign, like Atomic macOS Stealer (AMOS), Vidar, Lumma, and Octo, use\r\nshared command-and-control (C2) systems, showing a complex, coordinated cyberattack strategy. The presence\r\nof multiple malware variants suggests a broad cross-platform targeting strategy, while the overlapping C2\r\ninfrastructure points to a centralized command setup — possibly increasing the efficiency of the attacks. 
This\r\ndemonstrates a technique where attackers employ multiple variants in cross-platform attacks to boost their\r\ncampaigns' success rates.\r\nThe campaigns observed in this investigation demonstrate a strategic targeting approach across a spectrum\r\nof operating systems and computer architectures, reflecting the threat actors' broad goals and their\r\nadaptability to evolving technological landscapes.\r\nGitHub, a widely utilized platform for collaborative software development, has been utilized as a vector\r\nfor the propagation of the infostealer AMOS, among other infostealers, masquerading as legitimate\r\napplications. This campaign highlights the abuse of legitimate internet services (LIS), underscoring an\r\nintention to undermine organizations’ trust in such services.\r\nDespite having access to a wide range of premium cybercriminal tools and techniques, the threat actors\r\nidentified in this campaign use free and web-based infrastructure, like FileZilla servers, as a mechanism\r\nfor malware delivery, abusing these legitimate channels to disseminate various malicious payloads to\r\nvictims' devices. This tactic showcases a deliberate effort to obfuscate malicious activity within seemingly\r\nbenign infrastructure.\r\nThe presence of Russian-language artifacts within the analyzed HTML code suggests potential linguistic\r\nand geographical affiliations of threat actors associated with the development or deployment of the\r\nobserved malware.\r\nhttps://go.recordedfuture.com/hubfs/reports/cta-2024-0514.pdf\r\nWho had OCR in implants on their bingo card? Sanseo details an example where it is the case. So photos of your passwords\r\nare no mitigation against exfiltration.\r\nThe malware newly discovered this time utilizes the open-source OCR engine Tesseract. Tesseract extracts texts\r\nfrom images using deep learning techniques. 
The malware used in the attack reads images stored on the infected\r\nsystems and extracts strings using the Tesseract tool. If the extracted strings contain any phrases related to\r\npasswords or cryptocurrency wallet addresses, the malware exfiltrates those images.\r\nhttps://asec.ahnlab.com/en/65426/\r\nPhil Stokes released this earlier this month but I missed it. It is worth covering because of the pace of pivot by the threat\r\nactor. Where there is an incentive, threat actors will adapt - the 🐱 and 🐭 games begin!\r\nIt’s been little more than a week since Apple rolled out an unprecedented 74 new rules to its XProtect malware\r\nsignature list in version 2192. A further 10 rules were appended in version 2193 on April 30th. Cupertino’s\r\nsecurity team were clearly hoping that a concerted effort would serve to disrupt prolific adware distributor\r\nAdload’s assault on macOS devices. Those behind the adware, however, appear to have pivoted quickly as dozens\r\nof new Adload samples are already appearing that evade Apple’s new signatures.\r\nhttps://www.sentinelone.com/blog/macos-adload-prolific-adware-pivots-just-days-after-apples-xprotect-clampdown/\r\nHow we find and understand the latent compromises within our environments.\r\nAdan provides an open-source project which will provide value to those living in the AWS ecosystem by reducing some of\r\nthe overhead.\r\nI’ve developed another project, HoneyTrail, to support the deployment of deception solutions. Designed\r\nspecifically for AWS users, HoneyTrail adds a layer of deception without a complicated setup process. It’s a\r\nstraightforward Terraform that integrates honeypots directly within AWS, eliminating the need for additional\r\nsetups or dependencies. 
It offers functionality similar to what AWS presented here, but it utilizes Terraform and\r\ndoes not need Security Hub, which is an extra cost.\r\nhttps://medium.com/@adan.alvarez/deterring-attackers-with-honeytrail-deploying-deception-in-aws-6b5977afa784\r\nhttps://github.com/adanalvarez/HoneyTrail\r\nRad provides this, which, when combined with the right action, will provide a canary that fires.\r\ngist.github.com/radk2/45e729f5859d76197d8f7e6b53dd6d71\r\nStephan Berger shows that anti-forensics is really a thing for some threat actors.\r\nstumbled upon a ‘cleaner’ script, which we will examine in this short blog post.\r\n..\r\nLast, the script changes the name of the Splashtop firewall rule with the command Set-NetFirewallRule. The\r\ncomment inside the code reads, translated from Russian to English: Change the name and description of the rule\r\nto “Cast to Device streaming server (HTTP-Streaming-In):\r\nhttps://dfir.ch/posts/cleanup_script_rmm/\r\nInteresting forensics source for Windows environments which I suspect a lot don’t know about.\r\nUsed by Windows servers to aggregate client usage data by role and products on a server.\r\nUsed to assist Administrators in quantifying requests from client computers for roles and services, as described\r\nby Microsoft\r\nInstalled by default on\r\nWindows Server 2012, 2012 R2, 2016, 2019, 2022\r\nCollects data going back 3 years\r\nhttps://www.thedfirspot.com/post/sum-ual-investigating-server-access-with-user-access-logging\r\nSquiblydoo shows the scale of illicit certificate use by this threat actor. Hints we might need to improve the process.\r\nSince 2023, I have documented another 50 certificates leveraged by SolarMarker: bringing us to 100 certificates\r\nknown to be abused by the actor. 
The purpose of this blog-post is to continue to expand awareness of impostor\r\ncerts by reviewing the impostor certs used by SolarMarker as a case study.\r\nhttps://squiblydoo.blog/2024/05/13/impostor-certs/\r\nHow we proactively defend our environments.\r\nMatthias Frielingsdorf walks through end-to-end analysis of NSO iOS samples.\r\nhttps://i.blackhat.com/Asia-24/Asia-24-Frielingsdorf-YouShallNotPassAnalysing.pdf\r\nYakir Kadkoda and Assaf Morag show that if you are an APT and you look for it, you might find a way in sitting on the\r\nInternet for an initial foothold. Highlights the importance of tokens as a means of authentication.\r\nDuring our research, we found credentials within a git commit by a Microsoft employee, which granted us access\r\nto an internal Azure Container Registry used by Azure. This registry contains images critical to various Azure\r\nprojects, such as Azure IoT Edge, Akri, and Apollo. The exposed token provided privileged access, allowing us to\r\ndownload private images and upload/overwrite images.\r\n..\r\nDuring our investigation, we discovered several instances where Red Hat employees unintentionally exposed\r\ntokens for internal Red Hat container registries containing highly sensitive data linked to vital corporate functions.\r\nThese tokens grant both pull and push privileges, posing substantial risks to the company.\r\n..\r\nDuring our research, we discovered credentials for the internal container registry (quay.io/tigera) exposed in a Git\r\ncommit of another company. This registry contains images from various Tigera projects, such as Calico, and more.\r\nhttps://www.aquasec.com/blog/github-repos-expose-azure-and-red-hat-secrets/\r\nHow they got in and what they did.\r\nKey Tronic Corporation is a technology company whose core products initially included keyboards, mice and other input\r\ndevices. 
Sounds like ransomware, but given the types of devices, just imagine if it had been supply chain!\r\nOn May 6, 2024, Key Tronic Corporation (the “Company”) detected unauthorized third party access to portions of\r\nits information technology (“IT”) systems. Upon detection of this outside threat, the Company activated its cyber\r\nincident procedure to investigate, contain, and remediate the incident, including beginning an investigation with\r\nexternal cybersecurity experts and notifying law enforcement.\r\nhttps://www.board-cybersecurity.com/incidents/tracker/20240509-key-tronic-corp-cybersecurity-incident/\r\nOur attack surface.\r\nBit of an ‘if’, but widely used..\r\nIf pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is\r\nthe default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting\r\ndomain.\r\nhttps://github.com/advisories/GHSA-wgrm-67xf-hhpq\r\nAttack capability, techniques and trade-craft.\r\nInteresting write-up on the various technical implementation details.\r\nTechnique one: The IFUNC feature of GLIBC\r\nTechnique two: Concealing characters using Radix Tree\r\nTechnique three: Obtaining all dependency information\r\nTechnique Four: Hooking Functions from Other Dependency Libraries\r\nhttps://medium.com/@knownsec404team/techniques-learned-from-the-xz-backdoor-74b0a8d45c30\r\nExpect malicious use in 3..2..\r\nReverst is a (load-balanced) reverse-tunnel server and Go server-client library built on QUIC and HTTP/3.\r\nGo Powered: Written in Go using quic-go\r\nCompatible: The Go client package is built on net/http standard-library abstractions\r\nLoad-balanced: Run multiple instances of your services behind the same tunnel\r\nPerformant: Built on top of QUIC and HTTP/3\r\nhttps://github.com/flipt-io/reverst/\r\nFrom a Chinese researcher.\r\ndarkPulse is a 
shellcode Packer written in Go. It is used to generate various shellcode loaders. Currently, it is free\r\nof tinder, 360, and 360 core crystal.\r\nhttps://github.com/fdx-xdf/darkPulse\r\nLovely summary here.\r\nhttps://artemonsecurity.blogspot.com/\r\nWhat is being exploited.\r\nBoris Larin and Mert Degirmenci show that zero-days sometimes float around in semi-open source and that criminals do\r\nhave some sort of supply mechanism.\r\nIn early April 2024, we decided to take a closer look at the Windows DWM Core Library Elevation of Privilege\r\nVulnerability CVE-2023-36033, which was previously discovered as a zero-day exploited in the wild. While\r\nsearching for samples related to this exploit and attacks that used it, we found a curious document uploaded to\r\nVirusTotal on April 1, 2024.\r\nAfter sending our findings to Microsoft, we began to closely monitor our statistics in search of exploits and\r\nattacks that exploit this zero-day vulnerability, and in mid-April we discovered an exploit for this zero-day\r\nvulnerability. We have seen it used together with QakBot and other malware, and believe that multiple threat\r\nactors have access to it.\r\nhttps://securelist.com/cve-2024-30051/112618/\r\nAntonis Terefos gives a good example of poor socio-technical design and the security implications of it. Also of note is the\r\nwide use of this technique..\r\nCheck Point Research discovered that samples from EXPMON produced unusual behavior when executed with\r\nFoxit Reader compared to Adobe Reader. The exploitation of victims occurs through a flawed design in Foxit\r\nReader, which shows as a default option the “OK,” which could lead the majority of the targets to ignore those\r\nmessages and execute the malicious code. 
The malicious command is executed once the victim “Agrees” to the\r\ndefault options twice.\r\nOnce clicking “OK“, the target comes across a second pop-up. If there were any chance the targeted user would\r\nread the first message, the second would be “Agreed” without reading. This is the case that the Threat Actors are\r\ntaking advantage of this flawed logic and common human behavior, which provides as the default choice the most\r\n“harmful” one.\r\n[We] collected a plethora of malicious PDF files, taking advantage of the specific exploit targeting Foxit Reader\r\nusers. Despite the majority of sandboxes and VirusTotal failing to trigger the exploit, given Adobe’s prevalence as\r\nthe primary PDF Reader, numerous files from previous campaigns remained unretrieved.\r\nhttps://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/\r\nLow level tooling and techniques for attack and defence researchers…\r\nAir provides a useful work aid for those who haven’t moved to Ghidra.\r\nSourceSync is both a set of plugins for synchronisation between debugger and decompiler and a library for\r\ngenerating pdb from decompiler data. 
In the case of plugins, it establishes a connection between the debugger\r\n(Windbg, client) and the decompiler (Ida Pro, server) to dynamically generate pdb for functions in the current\r\nthread call stack that belong to the decompiled module.\r\nhttps://github.com/Air14/SourceSync\r\nSome other small (and not so small) bits and bobs which might be of interest.\r\nAggregate reporting\r\nESET APT Activity Report Q4 2023–Q1 2024\r\nThe 471 Cyber Threat Report 2024\r\nODNI Releases Intelligence Community Policy Framework for Commercially Available Information\r\nMoving beyond linearity in academic-policymaking impact claims of futures and foresight\r\nCovert Connections: The LinkedIn Recruitment Ruse Targeting Defense Insiders\r\nArtificial intelligence\r\nA framework for large language model evaluations created by the UK AI Safety Institute.\r\nOracle community knowledge base based on LLM\r\nSoK: Where to Fuzz? Assessing Target Selection Methods in Directed Fuzzing - “Our analysis provides new\r\ninsights for target selection in practice: First, we find that simple software metrics significantly outperform\r\nother methods, including common heuristics used in directed fuzzing, such as recently modified code or\r\nlocations with sanitizer instrumentation. Next to this, we identify language models as a promising choice for\r\ntarget selection”\r\nDoes Fine-Tuning LLMs on New Knowledge Encourage Hallucinations?\r\nBooks\r\nNothing this week\r\nEvents\r\nNothing this week\r\nUnless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to\r\nthird parties or content on their websites should not be taken as endorsement of any kind by the NCSC. 
The NCSC has no\r\ncontrol over the content of third party websites and consequently accepts no responsibility for your use of them.\r\nThis newsletter is subject to the NCSC website terms and conditions which can be found at\r\nhttps://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat\r\nyour personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.\r\nSource: https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-may-16b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-may-16b"
	],
	"report_names": [
		"cto-at-ncsc-summary-week-ending-may-16b"
	],
	"threat_actors": [
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "38cecfb3-e717-4b4a-9792-f95e4ba4521d",
			"created_at": "2024-04-23T02:00:04.248176Z",
			"updated_at": "2026-04-10T02:00:03.632032Z",
			"deleted_at": null,
			"main_name": "UTA0218",
			"aliases": [],
			"source_name": "MISPGALAXY:UTA0218",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1934b371-2525-4615-a90a-772182bc4184",
			"created_at": "2022-10-25T15:50:23.396576Z",
			"updated_at": "2026-04-10T02:00:05.341979Z",
			"deleted_at": null,
			"main_name": "Windigo",
			"aliases": [
				"Windigo"
			],
			"source_name": "MITRE:Windigo",
			"tools": [
				"Ebury"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3844202f-b24a-4e16-b7b9-dfe8c0a44d5d",
			"created_at": "2022-10-25T16:07:24.526179Z",
			"updated_at": "2026-04-10T02:00:05.023222Z",
			"deleted_at": null,
			"main_name": "Operation Windigo",
			"aliases": [
				"G0124"
			],
			"source_name": "ETDA:Operation Windigo",
			"tools": [
				"CDorked",
				"CDorked.A",
				"Calfbot",
				"Ebury"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434243,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/526719169a69672c71da0921ce97a59e6bf31b49.pdf",
		"text": "https://archive.orkl.eu/526719169a69672c71da0921ce97a59e6bf31b49.txt",
		"img": "https://archive.orkl.eu/526719169a69672c71da0921ce97a59e6bf31b49.jpg"
	}
}