{
	"id": "24a77136-63d2-4d71-8d32-79e237652486",
	"created_at": "2026-04-06T00:07:12.85689Z",
	"updated_at": "2026-04-10T13:12:04.063384Z",
	"deleted_at": null,
	"sha1_hash": "6b9e9e5cbf87d4f5295786dd2cb3113c3edcbb8f",
	"title": "Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 83998,
	"plain_text": "Bluebottle: Campaign Hits Banks in French-speaking Countries in\r\nAfrica\r\nBy About the Author\r\nArchived: 2026-04-02 10:34:39 UTC\r\nBluebottle, a cyber-crime group that specializes in targeted attacks against the financial sector, is continuing to\r\nmount attacks on banks in Francophone countries. The group makes extensive use of living off the land, dual-use\r\ntools, and commodity malware, with no custom malware deployed in this campaign.\r\nThe activity observed by Symantec, a division of Broadcom Software, appears to be a continuation of activity\r\ndocumented in a Group-IB report from November 2022. The activity documented by Group-IB spanned from\r\nmid-2019 to 2021, and it said that during that period this group, which it called OPERA1ER, stole at least $11\r\nmillion in the course of 30 targeted attacks.\r\nSimilarities in the tactics, techniques, and procedures (TTPs) between the activity documented by Group-IB and\r\nthe activity seen by Symantec include:\r\nSame domain seen in both sets of activity: personnel[.]bdm-sa[.]fr\r\nSome of the same tools used: Ngrok; PsExec; RDPWrap; Revealer Keylogger; Cobalt Strike Beacon\r\nNo custom malware found in either set of activity\r\nThe crossover in targeting of French-speaking nations in Africa\r\nBoth sets of activity also feature the use of industry-specific, and region-specific, domain names\r\nWhile this does appear to be a continuation of the activity documented by Group-IB, the activity seen by\r\nSymantec is more recent, running from at least July 2022 to September 2022, though some of the activity may\r\nhave begun as far back as May 2022. 
Some new TTPs have also been employed in recent attacks, including:\r\nSome indications the attackers may have used ISO files as an initial infection vector\r\nThe use of the commodity malware GuLoader in the initial stages of the attack\r\nIndications the attackers have adopted the technique of abusing kernel drivers to disable defenses\r\nAttack chain\r\nThe initial infection vector is unknown, but the earliest malicious files found on victim networks had French-language, job-themed file names. These likely acted as lures. In some cases, the malware was named to trick the\r\nuser into thinking it was a PDF file, e.g.:\r\nfiche de poste.exe (\"job description\")\r\nfiche de candidature.exe (\"application form\")\r\nfiche de candidature.pdf.exe (\"application form\")\r\nhttp://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa\r\nPage 1 of 7\n\nIt’s most likely these files were delivered to victims via a spear-phishing email, which would align with the initial\r\ninfection vector documented by Group-IB for the OPERA1ER activity.\r\nAlthough the majority of the activity observed by Symantec researchers began in July 2022, at least one victim\r\nwas found to have an infostealer with a similar naming theme on its network as early as mid-May 2022. In that\r\ncase, the malware arrived in the form of a ZIP file containing an executable SCR file.\r\nfiche de candidature(1).zip (ZIP file)\r\nfiche de candidature.scr  (executable SCR file)\r\nThe file is an older, likely commodity, malware. It's difficult to determine when it was used to target the\r\norganization. It is, however, consistent with infection vectors reported as used by OPERA1ER in 2021.\r\nHowever, the job-themed malware in July was observed in paths suggesting it had been mounted as CD-ROMs.\r\nThis could indicate a genuine disc was inserted, but it could also be that a malicious ISO file was delivered to\r\nvictims and mounted. 
An ISO file is an archive file that contains an identical copy or image of the data that would\r\nbe found on an optical disc. Malicious ISO files have been used as an initial infection vector in other campaigns in\r\n2022, including being used alongside the Bumblebee loader in a campaign where delivering ransomware was the\r\nultimate goal. If the Bluebottle and OPERA1ER actors are indeed one and the same, this would mean that they\r\nswapped out their infection techniques between May and July 2022. ISO files were not seen in the activity\r\ndocumented by Group-IB.\r\nIn many cases, the job-themed malware delivered to victims was the commodity loader called GuLoader.\r\nGuLoader is a shellcode-based downloader with anti-analysis features. In addition to malicious files, the loader\r\ndeploys some legitimate binaries as a decoy for its malicious activity. GuLoader was distributed to victims in a\r\nself-extracting NSIS executable. This NSIS script decrypts and injects obfuscated shellcode into another process.\r\nThe process most often observed in the July activity was ieinstal.exe, the Internet Explorer Add-on Installer, but\r\nalso included aspnet_regbrowsers.exe, the ASP.NET Browser Registration tool.\r\nThe process for the Internet Explorer Add-on Installer was likely used to download a malicious .NET downloader\r\nfrom URLs such as hxxp://178.73.192[.]15/ca1.exe. Multiple .NET downloaders were found that abused the file\r\ntransfer service transfer[.]sh to download a file named with an RTF extension. This payload is unknown, but the\r\ndownloaders are designed to load it as a .NET DLL.\r\nAfter GuLoader and the .NET loaders were deployed, various other post-compromise tools were seen on victim\r\nnetworks. These include the publicly available Netwire remote access Trojan (RAT) and the open-source Quasar\r\nRAT. The attackers also used the commercial post-compromise tool Cobalt Strike Beacon. 
The Cobalt Strike\r\nBeacon variant used by Bluebottle employed an API hammering technique in order to hamper analysis. \r\nUse of a signed driver to kill processes\r\nA set of malware was also deployed by the attackers that had the likely goal of disabling the security products on\r\nvictim networks. The malware consisted of two components, a controlling DLL that reads a list of processes from\r\na third file, and a signed 'helper' driver controlled by that DLL and used to terminate the processes in the list.\r\nAttackers used Windows Service Control (sc.exe) to load the driver:\r\nsc create fgt binPath= %TEMP%\\fgt.sys type= kernel\r\nsc start fgt\r\nIn August 2022, Symantec observed the same driver being used in suspected pre-ransomware attack activity\r\nagainst a non-profit in Canada. Another tool found on the victim network was Infostealer.Eamfo, a hacktool that\r\nhas been associated with Cuba, Noberus, and Lockbit ransomware attacks.\r\nThe same driver also appears to have been used by multiple groups for similar purposes. Mandiant documented a\r\nfinancially motivated threat group it calls UNC3944 using this same driver to disable defenses. It referred to this\r\ndriver as POORTRY and the malware that uses it as STONESTOP. However, Mandiant did note at the time that\r\n“POORTRY appears across different threat groups and is consistent with malware available for purchase or shared\r\nfreely between different groups.”\r\nSophos also documented an instance where Cuba ransomware operators used a loader called BURNTCIGAR to\r\nload signed drivers to kill defenses. 
The loader operates similarly to the malicious DLL seen in this activity.\r\nThese drivers were reported to Microsoft by other vendors, and the company suspended the developer accounts\r\nand added defenses to address them.\r\nThe short-term goal of Bluebottle in this recent activity appears in part to be persistence and credential theft. The\r\nactors used credential theft techniques and tools, such as modifying the WDigest setting and deploying Mimikatz,\r\nas well as an open-source fake login screen keylogger.\r\nFor lateral movement, the attackers deployed the penetration testing tool SharpHound for domain trust\r\nenumeration and executed additional files across the victim organizations using PsExec.\r\nFor persistence, evidence suggests the attackers added additional accounts using the 'net localgroup /add'\r\ncommand. They also deployed an open-source RDPWrap script to enable multiple concurrent RDP sessions on\r\nvictim systems. This script also modifies the registry and opens port 3389 on the firewall to allow RDP traffic\r\nthrough.\r\nIndications are that this activity was likely “hands-on-keyboard” activity rather than automated. While we do not\r\nsee what further activity is carried out by the attackers, the victims and the crossover with the activity documented\r\nby Group-IB all indicate that this activity is likely financially motivated.\r\nVictims\r\nThree different financial institutions in three African nations were compromised in the activity seen by Symantec,\r\nwith multiple machines infected in all three organizations.\r\nThe activity on one of the infected institution’s networks ran as follows:\r\nThe first activity was seen in mid-July 2022, when job-themed malware was spotted on the infected system. 
A\r\ndownloader was then deployed, before the Sharphound hacktool was detected and a tool called fakelogonscreen\r\nwas also deployed.\r\nAbout three weeks after the initial compromise of the network, the attackers were seen using a command prompt\r\nand PsExec for lateral movement. It appears the attackers were “hands on keyboard” at this point of the attack.\r\nThe attackers used various dual-use and living-off-the-land tools for numerous purposes, including:\r\nQuser for user discovery\r\nPing for checking internet connectivity\r\nNgrok for network tunneling\r\nNet localgroup /add for adding users\r\nFortinet VPN client - likely for a secondary access channel\r\nXcopy to copy RDP wrapper files\r\nNetsh to open port 3389 in the firewall\r\nThe Autoupdatebat 'Automatic RDP Wrapper installer and updater' tool to enable multiple concurrent RDP\r\nsessions on a system\r\nSC privs to modify SSH agent permissions - this could have been tampering for key theft or installation of\r\nanother channel\r\nMalicious tools used included:\r\nGuLoader\r\nMimikatz\r\nRevealer Keylogger\r\nBackdoor.Cobalt\r\nNetwire RAT\r\nThe malicious DLL and driver for killing processes\r\nMultiple other unknown files were also deployed on this network. The last activity seen on this network was in\r\nSeptember 2022, but the Ngrok tunneling tool remained on the network until November 2022.\r\nSome of the same tools were also deployed on the other victims, with GuLoader seen in all three victims. 
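The dual-use commands in the list above, together with the sc.exe lines earlier in this report that register a kernel-mode service whose image lives under %TEMP%, are what a detection engineer would hunt for in process-creation telemetry (Sysmon Event ID 1 or Security event 4688). The Python below is an added example written for this corpus copy and is not code from Symantec or from the report. The sample events, the host names, the benign vendor.sys driver install and every regular expression are constructed assumptions for illustration; a production rule would be tuned against the organisation's own baseline of legitimate driver installs and administrative scripts.

```python
import re

# Constructed sample process-creation events (not from any real victim). The fields mirror
# a Sysmon Event ID 1 / Security 4688 export as (host, parent_image, image, command_line).
# The FIN-WS02 driver line is an assumed benign vendor install, included to show why the
# binPath location matters and not just the service type.
SAMPLE_EVENTS = [
    ('FIN-WS01', 'cmd.exe', 'sc.exe', 'sc create fgt binPath= %TEMP%\\fgt.sys type= kernel'),
    ('FIN-WS01', 'cmd.exe', 'sc.exe', 'sc start fgt'),
    ('FIN-WS01', 'cmd.exe', 'net.exe', 'net localgroup administrators svc_backup /add'),
    ('FIN-WS01', 'cmd.exe', 'netsh.exe',
     'netsh advfirewall firewall add rule name=rdp dir=in protocol=tcp localport=3389 action=allow'),
    ('FIN-WS01', 'cmd.exe', 'reg.exe',
     'reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest'
     ' /v UseLogonCredential /t REG_DWORD /d 1 /f'),
    ('FIN-WS01', 'cmd.exe', 'xcopy.exe',
     'xcopy C:\\Users\\Public\\rdpwrap\\*.* C:\\Program Files\\RDP Wrapper\\ /y'),
    ('FIN-WS02', 'msiexec.exe', 'sc.exe',
     'sc create VendorDrv binPath= C:\\Windows\\System32\\drivers\\vendor.sys type= kernel'),
    ('FIN-WS02', 'explorer.exe', 'ping.exe', 'ping 8.8.8.8'),
]

# Assumed list of user-writable locations a kernel driver should never be loaded from.
USER_WRITABLE_BINPATH = re.compile(
    r'binpath=[ ]*(?:%temp%|[a-z]:\\users\\|[a-z]:\\programdata\\|\\temp\\)', re.I)

# Each rule is (name, primary pattern, optional secondary pattern); both must match.
# The patterns are assumptions written for this example, not Symantec detection content.
RULES = [
    # sc.exe registering a kernel-mode service from a user-writable path: the fgt.sys load.
    ('kernel-driver-from-user-path',
     re.compile(r'sc(?:[.]exe)?[ ]+create[ ].*type=[ ]*kernel', re.I), USER_WRITABLE_BINPATH),
    # net localgroup ... /add: account-based persistence.
    ('net-localgroup-add', re.compile(r'net1?(?:[.]exe)?[ ]+localgroup[ ].*[ ]/add', re.I), None),
    # netsh allowing inbound 3389 ahead of RDP Wrapper use.
    ('netsh-open-3389',
     re.compile(r'netsh(?:[.]exe)?[ ]+advfirewall[ ].*localport=3389.*action=allow', re.I), None),
    # WDigest UseLogonCredential=1 so LSASS keeps plaintext credentials for Mimikatz.
    ('wdigest-enable',
     re.compile(r'reg(?:[.]exe)?[ ]+add[ ].*wdigest.*uselogoncredential.*/d[ ]+1', re.I), None),
    # RDP Wrapper files being copied into place.
    ('rdpwrap-staging', re.compile(r'(?:xcopy|copy|robocopy).*rdpwrap', re.I), None),
]


def match_rules(command_line):
    '''Names of every rule that fires on a single command line, in RULES order.'''
    hits = []
    for name, primary, secondary in RULES:
        if primary.search(command_line) and (secondary is None or secondary.search(command_line)):
            hits.append(name)
    return hits


def hunt(events):
    '''Map host -> ordered list of (image, rule) hits; hosts with no hits are absent.'''
    findings = {}
    for host, _parent, image, command_line in events:
        for rule in match_rules(command_line):
            findings.setdefault(host, []).append((image, rule))
    return findings


def hosts_with_driver_and_persistence(findings):
    '''Hosts where the user-path kernel driver load coincides with another flagged step.'''
    flagged = []
    for host, hits in findings.items():
        rules = {rule for _image, rule in hits}
        if 'kernel-driver-from-user-path' in rules and len(rules) > 1:
            flagged.append(host)
    return sorted(flagged)


if __name__ == '__main__':
    findings = hunt(SAMPLE_EVENTS)
    for host, hits in findings.items():
        for image, rule in hits:
            print(host, image, rule)
    print('escalate:', hosts_with_driver_and_persistence(findings))
```

Running the file prints one line per hit and then the hosts to escalate. The benign driver install on FIN-WS02 is deliberately not flagged because its image path is not user-writable, which is the check that separates the fgt.sys load from routine vendor drivers; sc start on its own is too generic to alert on and is left to correlation with the create event that precedes it.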
Other\r\noverlaps linking the activity in all three victims include:\r\nSame .NET downloader\r\nMalicious driver used\r\nAt least one overlapping transfer[.]sh URL\r\nConclusion\r\nWhile Symantec cannot confirm whether or not Bluebottle successfully monetized the campaigns we saw it\r\ncarrying out, the group’s success at monetizing its activity between 2019 and 2021, as documented by Group-IB,\r\nindicates that this group has had a significant amount of success in the past.\r\nThe effectiveness of its campaigns means that Bluebottle is unlikely to stop this activity. It appears to be very\r\nfocused on Francophone countries in Africa, so financial institutions in these countries should remain on high alert\r\nfor the activity documented in this blog. The attackers appear to be French-speaking, so the possibility of them\r\nexpanding this activity to French-speaking nations in other regions also cannot be ruled out.\r\nGlossary of tools mentioned\r\nCobalt Strike: An off-the-shelf tool that can be used to execute commands, inject other processes, elevate\r\ncurrent processes, or impersonate other processes, and upload and download files. It ostensibly has\r\nlegitimate uses as a penetration testing tool but is widely abused by malicious actors.\r\nGuLoader: A shellcode-based downloader with anti-analysis features. 
In addition to malicious files, the\r\nloader deploys some legitimate binaries as a decoy for its malicious activity.\r\nMimikatz: Freely available tool capable of changing privileges, exporting security certificates, and\r\nrecovering Windows passwords in plaintext depending on the configuration.\r\nNetsh: Windows command-line utility that allows a user to configure and display the status of various\r\nnetwork communications server roles and components.\r\nNetwire RAT: A remote access Trojan capable of stealing passwords and keylogging, with remote control\r\ncapabilities.\r\nNgrok: A tunneling tool that exposes a local service through an outbound connection to the ngrok service,\r\ngiving remote access to a system without changing network settings or opening inbound ports on a router.\r\nPing: A standard network utility, shipped with every major operating system, that determines whether a\r\nhost on a network is responding.\r\nPsExec: Microsoft Sysinternals tool for executing processes on other systems. The tool is frequently abused\r\nby attackers to move laterally on victim networks.\r\nQuasar RAT: A remote access Trojan that primarily targets Windows systems and which allows users to\r\nremotely control other computers over a network.\r\nQuser: Displays information about user sessions on a Remote Desktop Session Host server. You can use\r\nthis command to find out if a specific user is logged on to a specific Remote Desktop Session Host server. 
\r\nRDPWrap: An open-source tool that enables Remote Desktop Host support and concurrent RDP sessions.\r\nRevealer Keylogger: A free tool that records everything typed into a computer.\r\nSharpHound: Can collect data from domain controllers and domain-joined Windows systems.\r\nProtection\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nFile hashes (SHA256)\r\n117c66c0aa3f7a5208b3872806d481fd8d682950573c2a7acaf7c7c7945fe10d — ZIP file\r\nc56c915cd0bc528bdb21d6037917d2e4cde18b2ef27a4b74a0420a5f205869e6 — Infostealer\r\n91b3546dde60776ae3ed84fdf4f6b5fba7d39620f0a6307280265cde3a33206b — .NET downloader\r\n9c4c9fa4d8935df811cae0ce067de54ffdb5cfb4f99b4bc36c5aa2a1ac6f9c8f — .NET downloader\r\n1f6be4c29dfb50f924377444e5ca579d3020985a357533fc052226f0091febf6 — .NET downloader\r\nd5b8009dcb50aac8a889e24f038a52fe09721d142a3f1eaa74ac37fff45e9ba2 — .NET downloader\r\nae4ff662c959cf24df621a2c0b934ed1fa1c26a270a180f695cd5295579afbbd — .NET downloader\r\n0612ef9d2239edeab05f421e3188e2cfcadacbaeafbc9b8e35e778f7234aaa3b — .NET downloader\r\n4acd4335ca43783ff52c0ccbb7e757ea14fb261c33d08268e85ed0ac34e0abec — .NET downloader\r\n47718762dc043f84fb641b1e0a8c65401160cc2e558fd38c14d5d35a114b93cb — .NET downloader\r\na539961f80feb689546a2e334b03aed81252a04fae032e2d28ed9a7000b3afff — .NET downloader\r\n07ca6122fde46d48f71bcde356d5eeb89040e4a6e83441968a9dade98dc36fe5 — .NET loader\r\n938f50cb2e2d670497209e8cef5bf1042f752b6bf76d1547d68040b5a27f618b — .NET loader\r\na257eeebba15afecf76b89a379e066e5ed79a2bb9da349c1fdb5a24316abc753 — GuLoader\r\nf276c6a25d6b865c6202978f1d409e8b74e063263eab517f249cf6d3ad3fae4a — GuLoader\r\n3d0fd0444a9e295135ecfdc8c87ddc6dcdff63969c745e0218469332aef18dfe — GuLoader\r\nac98e6bf6d16904355b1c706bc2b79761a8b09044da40f2c8bce35142ef8bcc8 — 
GuLoader\r\nca75b0864d8308efe94eb0822de55eb7f5cfd482d2190100dfd00d433ee790a0 — GuLoader\r\n088110b0ee3588a4822049cf60fff31c67323a9b5993eae3104cc9737a47ce0c — GuLoader\r\nb4adbb5d017d6452c2e1700584261cd3170ee5a14ac658424945f15177494ba1 — GuLoader\r\n818284e7ea0a4bd64ba0eda664f51877ed8c6d35bf052898559dbf4ad8030968 — GuLoader\r\nfa6ca0a168f3400a00dc43f1be07296f4111d7ad9b275809217a9269dd613ae8 — GuLoader\r\nd5b3b1304739986298ba9b7c3ff8b40b3740233d6bb02437ce61a20ee87468bc — GuLoader\r\n8495a328fdd4afd33c3336e964802018d44c1dda15b804560743d6276e926218 — GuLoader\r\nce2ea1807d984e1392599d05f7ab742bae4f20f8ef80c5a514fbdeede2ff7e55 — Quasar RAT\r\ne933ec0f52cbc60b92134d48b08661b1af25c7d93ff5041fc704559b45bd85b8 — Netwire RAT\r\n6db5e2bb146b11182f29d03b036af4e195044f0ef7a8f7c4429f5d4201756b8f — Cobalt Strike\r\nf4fba2181668f766fdfbd1362420a53ac0b987f999c95baf5dbe235fd3bad4b8 — Cobalt Strike\r\nec2146655e2c04bf87b8db754dd2e92b8c48c4df47b64a9adc1252efd8618e62 — Fakelogonscreen\r\ne5633d656dea530a62f5ad2792f253e74453712be34d2eadfb49190f7a9ee10b — Malicious DLL used to register\r\nHelper Driver\r\n0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc — Signed Helper driver\r\n5090f311b37309767fb41fa9839d2770ab382326f38bab8c976b83ec727e6796 — Sharphound\r\n5e245281f4924c139dd90c581fc79105ea19980baa68eeccf5bf36ae613399b9 — PsExec\r\n31eb1de7e840a342fd468e558e5ab627bcb4c542a8fe01aec4d5ba01d539a0fc — Mimikatz\r\nNetwork 
Indicators\r\nhxxp://files[.]ddrive[.]online:444/load\r\nhxxp://85.239.34[.]152/download/XWO_UnBkJ213.bin\r\nhxxps://transmissive-basin[.]000webhostapp[.]com\r\nhxxps://udapte[.]adesy[.]in\r\nbanqueislamik[.]ddrive[.]online\r\nhxxps://transfer[.]sh/get/mKwvWI/NHmZJu.rtf\r\nhxxps://transfer[.]sh/get/RTPlqa/oISxUP.rtf\r\nhxxp://files[.]ddrive[.]online:4448/a\r\nhxxp://banqueislamik[.]ddrive[.]online:4448/ZPjH\r\nhxxp://46.246.86[.]12/ca3.exe\r\nhxxp://178.73.192[.]15/ca1.exe\r\npersonnel[.]bdm-sa[.]fr\r\n185.225.73[.]165\r\nSource: http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa"
	],
	"report_names": [
		"bluebottle-banks-targeted-africa"
	],
	"threat_actors": [
		{
			"id": "11c69e3d-a740-4a70-abd3-158ac0375452",
			"created_at": "2023-01-06T13:46:39.29608Z",
			"updated_at": "2026-04-10T02:00:03.27813Z",
			"deleted_at": null,
			"main_name": "Common Raven",
			"aliases": [
				"NXSMS",
				"DESKTOP-GROUP",
				"OPERA1ER"
			],
			"source_name": "MISPGALAXY:Common Raven",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "59a48c28-d918-419f-b8b8-44be0c9741c8",
			"created_at": "2023-11-08T02:00:07.172993Z",
			"updated_at": "2026-04-10T02:00:03.434175Z",
			"deleted_at": null,
			"main_name": "BlueBottle",
			"aliases": [],
			"source_name": "MISPGALAXY:BlueBottle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a1071a25-d7c1-41be-a97f-2ec1b167ceb0",
			"created_at": "2023-02-18T02:04:24.365926Z",
			"updated_at": "2026-04-10T02:00:04.792271Z",
			"deleted_at": null,
			"main_name": "OPERA1ER",
			"aliases": [
				"Common Raven",
				"DESKTOP-GROUP",
				"NXSMS",
				"Operation Nervone"
			],
			"source_name": "ETDA:OPERA1ER",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Agentemis",
				"BitRAT",
				"BlackNET RAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Kasidet",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"Ngrok",
				"Origin Logger",
				"PsExec",
				"RDPWrap",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revealer Keylogger",
				"Socmer",
				"VenomRAT",
				"ZPAQ",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434032,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6b9e9e5cbf87d4f5295786dd2cb3113c3edcbb8f.pdf",
		"text": "https://archive.orkl.eu/6b9e9e5cbf87d4f5295786dd2cb3113c3edcbb8f.txt",
		"img": "https://archive.orkl.eu/6b9e9e5cbf87d4f5295786dd2cb3113c3edcbb8f.jpg"
	}
}