{
	"id": "00064796-2e07-4de5-a61f-f5f6e4f8789d",
	"created_at": "2026-04-06T00:14:22.603732Z",
	"updated_at": "2026-04-10T13:11:18.942765Z",
	"deleted_at": null,
	"sha1_hash": "5b4b5c1a287061d4f811c12fa91e34b0cd1009b5",
	"title": "SHADOW-VOID-042 Targets Multiple Industries with Void Rabisu-like Tactics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2548819,
	"plain_text": "SHADOW-VOID-042 Targets Multiple Industries with Void Rabisu-like Tactics\r\nPublished: 2025-12-11 · Archived: 2026-04-02 11:32:33 UTC\r\nPhishing\r\nIn November, a targeted spear-phishing campaign was observed using Trend Micro-themed lures against various industries, but this was quickly detected and thwarted by the Trend Vision One™ platform.\r\nBy: Daniel Lunghi, Ian Kenefick, Feike Hacquebord Dec 11, 2025 Read time: 9 min (2360 words)\r\nSpecial thanks to Stephen Hilt.\r\nKey takeaways\r\nIn November 2025, spear-phishing emails featuring a Trend Micro-themed social engineering lure were sent to various industry verticals – including defense, energy, chemical, cybersecurity (including Trend and a subsidiary), and ICT companies – where a decoy website mimicked Trend’s corporate style.\r\nThe campaign utilized a multi-stage approach, tailoring every stage to the specific target machine and delivering intermediate payloads to a select number of targets.\r\nWe can relate the November 2025 campaign with high confidence to another campaign in October 2025, which used HR complaints and research participation as a social engineering lure.\r\nSeveral elements of the campaign align with the intrusion set known as Void Rabisu, associated with a hybrid-motivation actor group aligned with Russian interests. However, until a more definitive link to Void Rabisu is established, the two campaigns will be tracked separately under the temporary intrusion set SHADOW-VOID-042.\r\nTrend Vision One™ detects and blocks the IoCs discussed in this blog. Trend customers can also access tailored hunting queries, threat insights, and intelligence reports to better understand and proactively defend against this campaign. Trend Vision One stopped the campaign early in the kill chain, minimizing the potential damage. 
No final payload was observed in Trend’s telemetry.\r\nNovember 2025 Trend Micro-themed campaign\r\nIn October and November 2025, campaigns targeting sectors such as energy, defence, pharmaceuticals, and cybersecurity shared characteristics with older campaigns attributed to Void Rabisu (also known as ROMCOM, Tropical Scorpius, Storm-0978). Void Rabisu is known to be associated with an actor group that has both financial and espionage motivations that are aligned with Russian interests. We are tracking these campaigns under a separate, temporary intrusion set, SHADOW-VOID-042, pending further data to support high-confidence attribution.\r\nhttps://www.trendmicro.com/en_us/research/25/l/SHADOW-VOID-042.html\r\nPage 1 of 12\r\nIn the November 2025 campaign, Trend Micro itself, a subsidiary, a partner, and other industries were targeted with a Trend-themed social engineering lure. This lure urged users to install a fake update for alleged security issues in Trend Micro Apex One™ (Figure 1). However, the campaign was thwarted early by Trend Vision One™. During lab testing, an old 2018 Chrome exploit was detected, but more recent exploits were likely used during the actual campaign, though they did not appear in Trend’s telemetry due to the early interception by Trend Vision One.\r\nFigure 1. Example of a spear phishing e-mail with Trend Micro Apex One™ lure\r\nThe subjects of the e-mails in the November 2025 campaign included:\r\nEnsure Browser Security: Address Critical Vulnerabilities\r\nImportant: Protect Your Browser Against Recent Zero-Day Vulnerabilities\r\nImportant: TM security advisory and steps to protect your system\r\nImportant: Trend Micro security advisory and steps to protect your system\r\nSecurity Advisory — Zero-Day Vulnerabilities Affecting Major Web Browsers\r\nSecurity notice — please check TM on your device\r\nSecurity notice — please check Trend Micro on your device\r\nSecurity notice: Action recommended for Trend Micro users\r\nSecurity notice: Action recommended for TM users\r\nTM – security update and remediation steps\r\nTrend Micro – security update and remediation steps\r\nVulnerability advisory for Trend Micro — guidance for affected users\r\nVulnerability advisory for TM — guidance for affected users\r\nVulnerability Disclosure: Browser Zero-Days Impacting Multiple Platforms\r\nZero-Day Vulnerabilities Detected in Major Browsers\r\nTargets included executives and upper management in sectors like cybersecurity, energy, IT, and logistics. The targeting was carefully done by the actor, but the campaign was halted early in the infection chain: Trend Vision One detected and quarantined most spear phishing emails and blocked landing pages, preventing exposure to exploits and malware further down the kill chain.\r\nOctober 2025 campaign\r\nA campaign in October 2025 involving the SHADOW-VOID-042 intrusion set targeted several executives and key human resources (HR) employees belonging to various industries with alleged harassment complaints as a social engineering lure. 
Other social engineering lures included a request to join academic research or to fill in a questionnaire on a work-related topic.\r\nHR complaints are hard for targets to ignore, as legitimate complaints might be sent by whistleblowers who prefer to stay anonymous. That is why HR-related lures and job applications are popular social engineering tools for malicious actors.\r\nSome of the subject lines are listed below:\r\nAnonymous Concern About Workplace Environment\r\nAssistance Needed: Sensitive Workplace Issue – Confidential\r\nConfidential Concern: Workplace Misconduct and Lack of Resolution\r\nConfidential Inquiry: Guidance on Reporting Misconduct Safely\r\nConfidential Report: Ongoing Harassment and Inaction by HR\r\nConfidential: Escalation of Unresolved Sexual Harassment Complaint\r\nConfidential: Report of Misconduct and Request for Immediate HR Support\r\nFollow-Up on Unresolved Harassment Complaint\r\nFollow-up on Research Survey\r\nFollow-up on Research Survey – Innovation in Heavy Equipment Design\r\nFollow-up: CBS Research on Retail Communication and Brand Engagement\r\nFollow-up: UTN Research on Real-Time Monitoring in Financial Operations\r\nFormal Complaint: Unresolved Sexual Harassment by Manager\r\nHarassment Issue\r\nInvitation Reminder: Seaco’s Input on Container Design and Interoperability Study\r\nInvitation to Participate – Fintech Monitoring Study\r\nInvitation to participate in research for a master's thesis\r\nJoin a Short Academic Survey on Workplace Digital Change\r\nReport of Inappropriate Behavior by Manager\r\nRequest for Your Input in Academic Research on Digital Transformation\r\nResearch Invitation – Hotel Design in High-Density Cities\r\nSeeking Employee Perspectives for a Master's Thesis Study\r\nSerious Misconduct\r\nSurvey Participation Request\r\nUnresolved Sexual Harassment by Manager\r\nUrgent: Request for Intervention Regarding Workplace Harassment\r\nThis campaign used tailored decoy documents or 
Google forms, such as a questionnaire or a specification document of a product for the energy sector. Some of the decoy documents meant only for specific targeted companies are shown below in Figure 2.\r\nFigure 2. Targeted decoy forms meant for different verticals: IT companies, food industry, and two energy sector suppliers, respectively\r\nIndustry vertical | October 2025 | November 2025\r\nDefense | - | Yes\r\nEnergy | - | Yes\r\nChemical | - | Yes\r\nLogistics | Yes | -\r\nCyber Security | - | Yes\r\nFinance | Yes | -\r\nManufacturing | Yes | Yes\r\nFood | Yes | Yes\r\nRetail | Yes | Yes\r\nICT | Yes | Yes\r\nISP | Yes | Yes\r\nTable 1. Industry verticals targeted (Source: Trend Micro telemetry)\r\nWe found that the October 2025 and November 2025 campaigns have a significant overlap in terms of the attackers’ infrastructure, as well as the tactics, techniques, and procedures (TTPs) that were used.\r\nInfection chain stopped early in the November campaign\r\nAfter clicking on the link, the target gets redirected multiple times and ends on an HTML page impersonating CloudFlare (Figure 3).\r\nFigure 3. Landing page after clicking on the malicious link\r\nIn the background, three different JavaScript files get loaded (Figure 4).\r\nFigure 4. Loaded JavaScript files exploiting vulnerabilities\r\nWe could only retrieve one of those JavaScript files. It contains code exploiting Chrome vulnerability CVE-2018-6065 (Figure 5). The vulnerability has been patched in Chrome version 65.0.3325.146, issued in March 2018.\r\nFigure 5. JavaScript code exploiting CVE-2018-6065\r\nWe could not retrieve the two other JavaScript files. It is likely that they include code for exploiting more recent vulnerabilities. 
It is possible that these more recent exploits were used against selected targets only. Another possibility is that the campaign targeted a specific application that is built on top of an old version of Chromium. However, this is not consistent with the targeting that was observed in Trend’s telemetry. Still, the exploit contained snippets from an old exploit that was used to target WeChat, which has a component derived from Chromium. We don’t know if this was intended to mislead researchers, or the result of the attacker copying and pasting from public sources.\r\nIn case the vulnerability exploitation fails, the target is redirected to a decoy website of a company called TDMSEC, as shown in Figure 6. The look and feel of this website mimics the corporate style of Trend’s website to a certain extent, and this is likely intentional.\r\nFigure 6. Decoy website of “TDMSec” company. The naming of the website somewhat resembles Trend’s brand name. The corporate brand colouring also mimics Trend’s website.\r\nShellcode analysis\r\nThe JavaScript file contained a hardcoded 64-bit shellcode (Figure 7). It calls some Windows APIs using a custom API hashing algorithm, with the value 0x5010101010101203 as a seed.\r\nIt generates a custom ID based on the following information:\r\nHostname\r\nNumber of processors\r\nProcessor type\r\nProcessor level (as returned by the GetSystemInfo WinAPI)\r\nVolume serial number\r\nThis unique ID is encrypted with a randomly generated 8-byte AES CBC encryption key. The result is sent to a first C\u0026C server through an HTTPS request starting with “get_module_hello”.\r\nThe C\u0026C server answers with an encrypted binary that is decrypted and written to the hardcoded file path C:\\ProgramData\\Microsoft\\Windows\\SystemProcessHost.exe, which we will call Stage 2. 
A scheduled task is then created to launch this process with four arguments at every boot with SYSTEM privileges.\r\nFigure 7. Execution flow of shellcode\r\nStage 2 analysis\r\nThis file is a simple loader for code embedded inside it, which is encrypted with the SHA512 of the unique ID generated by the shellcode. This means that the file returned by the C\u0026C in the previous stage is already customized to the targeted machine. Without the information used to generate the custom ID, it is not possible to decrypt the embedded code.\r\nThe file also uses a modified version of the custom API hashing algorithm seen in the shellcode analysed in the previous section. In this case it uses the four arguments passed to the executable at run time to do the calculation. This means that those arguments are necessary to analyse the file, preventing anyone without that context from analysing the file properly. The calculated hashes are the same as in the shellcode.\r\nOnce loaded in memory and decrypted, the embedded code, which we will call Stage 2, is loaded and run.\r\nStage 3 analysis\r\nThe code resolves some Windows APIs using the same API hashing algorithm used in the shellcode (Figure 8). It tries 20 times to retrieve the next stage by connecting to a hardcoded C\u0026C. If it fails, it tries again 20 times to connect to another C\u0026C. If successful, this stage searches for “MZ” and “PE” headers in the retrieved file, loads it in memory, and jumps to its entry point.\r\nFigure 8. Execution flow of shellcode\r\nUnfortunately, we did not manage to retrieve the next stage, as the C\u0026C returned HTTP code 404.\r\nAttribution and outlook\r\nFor the October and November 2025 campaigns described above we could not determine the final payload in the infection chain, because Trend Vision One stopped the infection chain at an early stage. 
Consequently, it remains unclear whether the actors intended to deploy the ROMCOM backdoor or any related malware associated with Void Rabisu.\r\nThis is one of the reasons why these campaigns are categorized under a separate temporary intrusion set, SHADOW-VOID-042. Earlier this year, Proofpoint reported about campaigns in 2025 that look like Void Rabisu at first sight, but that are tracked under a different intrusion set for now.\r\nCharacteristic | Void Rabisu | SHADOW-VOID-042\r\nCommon lure themes | HR harassment complaints, job applications, side effects of medication | HR harassment complaints, job applications\r\nROMCOM backdoor usage | Yes | Not observed\r\nTargeting Ukraine | Yes | Not observed\r\nSEO/Advertising tactics | Yes | Not observed\r\nUsage of zero-days | Yes | Indirect evidence\r\nRedirection through URL shorteners | Yes | Yes\r\nFree webmail senders | Yes | Yes\r\nResidential proxies used to send spam | Yes | Yes\r\nNordVPN usage | Yes | Yes\r\nTOR usage | Unknown | Yes\r\nTargets in critical sectors | Yes | Yes\r\nUse of temp.sh file sharing | Yes | Yes\r\nRussian language artefacts | Yes | Yes\r\nTable 2. Comparing Void Rabisu intrusion set and temporary intrusion set SHADOW-VOID-042\r\nIn Table 2 above, we compare the Void Rabisu intrusion set with the SHADOW-VOID-042 intrusion set. While there are similarities, this comparison does not lead us to a moderate or high confidence level that would justify merging the SHADOW-VOID-042 intrusion set into Void Rabisu. However, this may change as more data is collected and additional campaigns are observed.\r\nThe actor group associated with the Void Rabisu intrusion set is one of the best-documented cases where a cybercrime group has shifted to more targeted attacks typically associated with advanced persistent threat (APT) groups. 
Originally, Void Rabisu was linked to Cuba ransomware and appeared to be financially motivated. However, since the onset of the Russian war against Ukraine in 2022, Void Rabisu has moved away from primarily deploying ransomware (Figure 9). Instead, it has begun targeting Ukraine and its allies for espionage. In addition, Void Rabisu has strategically targeted politicians, participants of security conferences, pharmaceutical companies, and the energy sector.\r\nVoid Rabisu is associated with a particular backdoor called ROMCOM. This backdoor has gone through multiple enhancements, making it an advanced piece of malware. In July 2025, the Void Rabisu actor group used a zero-day in WinRAR. Earlier, in 2024, Void Rabisu was reported to use zero-days in the Mozilla browser and Microsoft Windows. In 2023, the actor group was reported to have used a zero-day in Microsoft Word against governments in Europe and North America.\r\nFigure 9. Related campaigns\r\nThis shows that Void Rabisu is an evolving intrusion set that has undergone several changes. It remains to be seen whether we can merge the recent campaigns associated with SHADOW-VOID-042 into the Void Rabisu intrusion set.\r\nThe October and November 2025 campaigns of SHADOW-VOID-042 were ineffective for customers using Trend Vision One. In the next section, we include hunting rules that users of the Trend Vision One platform can use to double-check whether their organizations were targeted. 
\r\nProactive security with Trend Vision One™\r\nTrend Vision One is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management and security operations, delivering robust layered protection across on-premises, hybrid, and multi-cloud environments.\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.\r\nSHADOW-VOID-042 Creation of Encrypted Binary\r\neventSubId: (101 OR 109) AND objectFilePath: *\\\\ProgramData\\\\Microsoft\\\\Windows\\\\SystemProcessHost.exe*\r\nIndicators of compromise (IOCs)\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/25/l/SHADOW-VOID-042.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/l/SHADOW-VOID-042.html"
	],
	"report_names": [
		"SHADOW-VOID-042.html"
	],
	"threat_actors": [
		{
			"id": "fecc0d5a-3654-425d-9290-b6d0b4105463",
			"created_at": "2023-10-17T02:00:08.330061Z",
			"updated_at": "2026-04-10T02:00:03.37711Z",
			"deleted_at": null,
			"main_name": "Void Rabisu",
			"aliases": [
				"Tropical Scorpius"
			],
			"source_name": "MISPGALAXY:Void Rabisu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019 ",
				"Tropical Scorpius ",
				"UAC-0132 ",
				"UAC0132 ",
				"UNC2596 ",
				"Void Rabisu "
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "214ce7dd-0690-44dd-b9a9-054f67e6f71d",
			"created_at": "2026-02-07T02:00:03.671331Z",
			"updated_at": "2026-04-10T02:00:03.965185Z",
			"deleted_at": null,
			"main_name": "SHADOW-VOID-042",
			"aliases": [],
			"source_name": "MISPGALAXY:SHADOW-VOID-042",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434462,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b4b5c1a287061d4f811c12fa91e34b0cd1009b5.pdf",
		"text": "https://archive.orkl.eu/5b4b5c1a287061d4f811c12fa91e34b0cd1009b5.txt",
		"img": "https://archive.orkl.eu/5b4b5c1a287061d4f811c12fa91e34b0cd1009b5.jpg"
	}
}