{
	"id": "240d7941-2656-41a6-9042-b86a8faae634",
	"created_at": "2026-04-06T00:07:36.028921Z",
	"updated_at": "2026-04-10T13:11:25.974989Z",
	"deleted_at": null,
	"sha1_hash": "556d5e692dcc26947f4fbeed44cb02f657d13679",
	"title": "BlueNoroff APT group targets macOS with ‘RustBucket’ Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66234,
	"plain_text": "BlueNoroff APT group targets macOS with ‘RustBucket’ Malware\r\nBy Jamf Threat Labs\r\nArchived: 2026-04-02 12:25:12 UTC\r\nBy Ferdous Saljooki and Jaron Bradley\r\nJamf Threat Labs has discovered a macOS malware family that communicates with command and control (C2)\r\nservers to download and execute various payloads. We track and protect against this malware family under the\r\nname ‘RustBucket’ and suspect it to be attributed to a North Korean, state-sponsored threat actor. The APT group\r\ncalled BlueNoroff is thought to act as a sub-group to the well-known Lazarus Group and is believed to be behind\r\nthis attack. This attribution is due to the similarities noted in a Kaspersky blog entry documenting an attack on the\r\nWindows side. These similarities include malicious tooling on macOS that closely aligns with the workflow and\r\nsocial engineering patterns of those employed in the campaign.\r\nStage-One\r\nThe stage-one malware (0be69bb9836b2a266bfd9a8b93bb412b6e4ce1be) was discovered while performing\r\nnormal hunting routines for compiled AppleScript applications that contained various suspicious commands.\r\nAmong our results, we identified a suspicious AppleScript file titled main.scpt contained within an unsigned\r\napplication named Internal PDF Viewer.app. It should be noted that we have no reason to believe this application\r\nis allowed to execute without the user manually overriding Gatekeeper.\r\nThe directory structure for the stage-one dropper is shown below. As with all compiled AppleScript applications,\r\nthe primary app code is within the main.scpt file, located within the /Contents/Resources/Scripts/\r\ndirectory.\r\nAlthough the AppleScript was compiled, we were able to extract its contents by loading it into the macOS Script\r\nEditor application. When launched, the dropper executes the code seen below:\r\nThe stage-one simply executes various do shell script commands to download the stage-two from the C2\r\nusing curl. 
The malware writes and extracts the contents of the zip file to the /Users/Shared/ directory and\r\nexecutes the stage-two application also named Internal PDF Viewer.app. By breaking up the malware into\r\nseveral components or stages, the malware author makes analysis more difficult, especially if the C2 goes offline.\r\nThis is a clever but common technique used by malware authors to thwart analysis.\r\nAt the time of our analysis, both the stage-one and stage-two components of this malware were undetected on\r\nVirusTotal.\r\nStage-Two\r\nAlthough the stage-two (ca59874172660e6180af2815c3a42c85169aa0b2) application name and icons look very\r\nsimilar to stage-one, the directory structures are different and there is no use of AppleScript in the latter. The\r\nhttps://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/\r\nPage 1 of 5\n\napplication version, size and bundle identifier — com.apple.pdfViewer — are also notably different,\r\nmasquerading as a legitimate Apple bundle identifier. This application is signed with an ad-hoc signature as well.\r\nThe application layout is that of a much more traditional app and is written in Objective-C.\r\nWhen the Internal PDF Viewer application is launched, the user is presented with a PDF viewing application\r\nwhere they can select and open PDF documents. The application, although basic, does actually operate as a\r\nfunctional PDF viewer, a task that isn’t overly difficult using Apple’s well-built PDFKit Framework.\r\nUpon execution, the application does not perform any malicious actions yet. In order for the malware to take the\r\nnext step and communicate with the attacker, the correct PDF must be loaded. 
We were able to track down a\r\nmalicious PDF (7e69cb4f9c37fad13de85e91b5a05a816d14f490) we believe to be tied to this campaign, as it\r\nmeets all the criteria in order to trigger malicious behaviors.\r\nFor example, when the malicious PDF is double-clicked from within Finder the user will see the following:\r\nThis minimal message informs the user that they must open the PDF using the necessary application in order to\r\nsee the full details.\r\nWhen opened within the malicious PDF viewer, the user will see a document (9 pages in total) that shows a\r\nventure capital firm that is interested in investing in different tech startups. From what we can tell, the PDF was\r\ncreated by taking the website of a small but legitimate venture capital firm and putting it into PDF format.\r\nIt should be noted here that earlier, the stage-one dropper reached out to cloud[.]dnx[.]capital, thus keeping on\r\ntheme with the disguise of a venture capital firm.\r\nThis PDF viewer technique used by the attacker is a clever one. At this point, in order to perform analysis, not\r\nonly do we need the stage-two malware but we also require the correct PDF file that operates as a key in order to\r\nexecute the malicious code within the application.\r\nSo, how is the malware displaying a different PDF than the one loaded by the\r\nuser?\r\nTo answer this, we take a closer look into some of the functions within the app. Most notably, we see one titled\r\nviewPDF as part of the PEPWindow class. This function seeks to a specific offset within the loaded PDF to check\r\nfor a specific blob of data. If the expected data is present, a function called _encrypt_data is invoked, which,\r\nironically runs code to decrypt the blob and produce a new PDF. 
It does this using a hardcoded 100-byte XOR key\r\nwhich can be found in the __CONST data of the executable.\r\nThis newly decrypted PDF is then displayed to the user in the application, providing the illusion that this app was\r\ntruly necessary in order to view the full details of the PDF.\r\nSince the embedded PDF file is loaded directly into the viewer, it is never written to the disk. Using a\r\ndisassembler — such as Hopper — we can extract it by placing a breakpoint on the return in the encrypt_data\r\nfunction.\r\nIf analyzing the ARM executable (as opposed to the Intel executable), we can print the $x0 register which gives\r\nus all the bytes of the decrypted blob. Saving these bytes into a file will also reveal the inner PDF file.\r\nStage-Two Communication\r\nSo far we’ve decoded the PDF file that is embedded within the original PDF file, but as we stated earlier, this is\r\nthe point where the malware will also phone home to the attacker. Much like the inner PDF document, the\r\nattacker’s C2 is also XOR encoded within the original PDF. This is why we see the encrypt_data function run a\r\nsecond time. 
The following bytes are passed to it which can be found towards the bottom of the original PDF\r\ndocument.\r\nThis time when the encrypt_data function runs using the same hardcoded XOR key as before, it returns the\r\nfollowing:\r\nAfter the embedded PDF has been displayed to the user and the URL has been de-obfuscated, the malware then\r\ncalls a function titled _downAndExecute and makes a POST request to a C2 server to presumably retrieve and\r\nexecute a stage-three payload.\r\nIn the _downAndExecute function shown below, we can see the various parameters being set in order to initiate an\r\nHTTP request.\r\nThe malware also creates a new thread and sleeps before making the POST request again in a loop until an HTTP\r\n200 response is returned.\r\nUnfortunately, at the time of our analysis, the server was not responding with the necessary message.\r\nWe have however managed to discover a new URL on the same domain that is hosting a Mach-O executable that\r\nwe believe to be the new location of the final payload.\r\nIf the stage-two dropper succeeds in downloading the stage-three payload, we can view the next actions within the\r\ndownAndExecute_block_invoke.\r\nThe aforementioned image shows the following steps taking place if the C2 responds:\r\n1. The malware creates a temporary directory and writes the received file to that temporary directory. The\r\nname of that malicious file will be the current mach timestamp (the number of seconds since midnight\r\nJanuary 1st, 2001). An example file path would look like this:\r\n/var/folders/g6/w3s4hg8n57sgfjl4xgrhjs_w0000gn/T/703517604263\r\n2. Executable permissions are assigned to the new file.\r\n3. The program arguments are set and the file is executed. The set argument is that of the attacker C2 decoded\r\nfrom this stage-two payload. 
The stage-three will go on to use this value.\r\nStage-Three\r\nThe stage-three payload (182760cbe11fa0316abfb8b7b00b63f83159f5aa) is an ad-hoc signed trojan written in\r\nRust and weighing in at a sizable 11.2MB. It’s a universal binary that holds both ARM and x86 architectures.\r\nUpon initial execution, it performs a handful of system recon commands.\r\nOne of the earliest used modules is titled webT::getinfo. Within this module is the ability to look at the basic\r\ninfo about the system, process listing, current time and whether or not it’s running within a VM. The functions are\r\nnamed accordingly.\r\nRunning this malware results in communication to the URL provided as the first argument passed at execution\r\ntime. The WebT::send_request function is responsible for sending the initial message to the C2 server. When\r\nplacing a breakpoint on it, we can step over it resulting in a call to the server.\r\nThis payload allows the attacker to carry out further objectives on the system, but perhaps a deep dive on stage-three is best saved for another blog post.\r\nAt a High Level\r\nWe dove fairly deeply into some of the different actions of this malware. At a higher level, the workflow looks\r\nlike the following:\r\nConnections to BlueNoroff\r\nThere are a few signs that this malware is tied to BlueNoroff. First and foremost is the domain used in the stage-one dropper: cloud[.]dnx[.]capital. This domain was reported as being used by the attackers in a writeup done by\r\nProofpoint. In the previously mentioned Kaspersky blog, it was reported that the attackers had created numerous\r\nfake domains impersonating venture capital firms and banks in a campaign Kaspersky titled ‘SnatchCrypto’. This\r\naligns with the social engineering schemes discovered in the PDF document. 
The Windows malware also used the\r\n“decoy document” approach which clearly worked well for the attacker. The earliest submission of the “Internal\r\nPDF Viewer” we could find on VirusTotal was uploaded in January 2023 and we’ve observed the attackers\r\ncontinuing to host it.\r\nWhile many different PDF payloads exist that work on Windows, so far only one PDF has been discovered that\r\nwill result in a call to the attacker on macOS. We do suspect more than just this one PDF exists. It’s worth noting\r\nthat the XOR key found within the malware can also be found within a variety of malicious PDF files. However,\r\nwhen loaded into the Viewer application, these files do not result in a properly decoded URL. We suspect a\r\ndifferent variant of the malicious viewer (or perhaps a different platform) is capable of loading the XOR key from\r\nwithin the PDF instead of the attackers hardcoding it in the malicious app.\r\nConclusion\r\nThe malware used here shows that as macOS grows in market share, attackers realize that a number of victims\r\nwill be immune if their tooling is not updated to include the Apple ecosystem. Lazarus group, which has strong\r\nties to BlueNoroff, has a long history of attacking macOS and it’s likely we’ll see more APT groups start doing the\r\nsame.\r\nJamf Protect defends against the malicious components of this malware and blocks the malicious domains. Jamf\r\nThreat Labs will continue to monitor BlueNoroff’s activity on this campaign.\r\nA shout out to Patrick Wardle for his collaboration on some of the analysis here. 
If you’re looking to learn more\r\nabout the analysis of macOS malware, check out the free online book: The Art of Mac Malware.\r\nIndicators of Compromise\r\nReferences:\r\nSource: https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/"
	],
	"report_names": [
		"bluenoroff-apt-targets-macos-rustbucket-malware"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434056,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/556d5e692dcc26947f4fbeed44cb02f657d13679.pdf",
		"text": "https://archive.orkl.eu/556d5e692dcc26947f4fbeed44cb02f657d13679.txt",
		"img": "https://archive.orkl.eu/556d5e692dcc26947f4fbeed44cb02f657d13679.jpg"
	}
}