{
	"id": "c72824b7-6e26-4055-a9d6-b7b2790077af",
	"created_at": "2026-04-06T00:20:11.561807Z",
	"updated_at": "2026-04-10T03:35:17.27998Z",
	"deleted_at": null,
	"sha1_hash": "6d2e144a6d54a9bc9a6d22a1a5df7266502489e9",
	"title": "LIMINAL PANDA: A Roaming Threat to Telecommunications Companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 111337,
	"plain_text": "LIMINAL PANDA: A Roaming Threat to Telecommunications\r\nCompanies\r\nBy Jamie Harries - Dan Mayer\r\nArchived: 2026-04-05 14:26:06 UTC\r\nLIMINAL PANDA has targeted telecommunications organizations in Africa and South Asia using a range of custom\r\ntools — including SIGTRANslator, CordScan and PingPong — while demonstrating in-depth understanding of\r\ntelecommunications network architectures to laterally propagate to important systems.\r\nThe adversary appears to have extensive knowledge of telecommunications protocols, including developing scanning\r\nand packet-capture tools to retrieve specific information (such as subscriber information and call metadata) from\r\nmobile communication infrastructure and using protocol emulators to enable command and control (C2) over\r\ninfrequently monitored channels.\r\nThe nature of the data targeted by the adversary aligns with information likely to be of significant interest to\r\nintelligence organizations and security services.\r\nCrowdStrike assesses LIMINAL PANDA is a targeted intrusion adversary that will likely continue targeting the\r\ntelecommunications sector. This assessment is made with moderate confidence based on the adversary’s\r\ndemonstrated tactics, techniques and procedures (TTPs), target scope and apparent collection objectives.\r\nThe original version of this blog post — published in October 2021 — documented targeted intrusion activity against\r\ntelecommunications organizations using a range of custom malware families, novel telecommunications protocol-specific\r\ncommand-and-control (C2) techniques, and publicly available proxy software. 
At the time, this activity was attributed to\r\nLightBasin, an activity cluster employing a range of custom tooling focused on targeting the telecommunications and\r\nfinancial sectors.\r\nFurther review of related intrusion activity determined that the operation detailed in this blog was attributed to LightBasin\r\nand is now associated with a likely China-nexus adversary dubbed LIMINAL PANDA. While this new assessment does not\r\nimpact the previous technical analysis of malware and TTPs described previously, this blog post has been updated to reflect\r\nthis new attribution, reflecting CrowdStrike’s commitment to continually re-evaluate evidence and provide accurate\r\nreporting on adversary groups.\r\nIn addition, a new blog provides deeper insights into LIMINAL PANDA’s operational profile and key TTPs, as well as\r\nguidance for organizations to defend against this sophisticated adversary.\r\nBackground\r\nCrowdStrike Services and CrowdStrike Intelligence investigated multiple intrusions conducted by an adversary now tracked\r\nas LIMINAL PANDA.\r\nLIMINAL PANDA primarily compromises Linux-based systems common in network environments supporting\r\ntelecommunications infrastructure and only interacts with Windows hosts as needed.1 The adversary takes advantage of\r\nserver configurations that enable interoperability between telecommunications networks by using previously established\r\naccess on remote providers to propagate to new target networks.\r\nThe adversary implements operations security (OPSEC) measures to hide these connections from investigators by tampering\r\nwith legitimate binaries on target systems. 
Once LIMINAL PANDA gains access to a network, they establish multiple\r\nredundant remote access mechanisms using a combination of custom backdoors and publicly available proxy tools\r\nconfigured to relay traffic to adversary-controlled remote infrastructure.\r\nGPRS eDNS Servers\r\nLIMINAL PANDA compromised several telecommunications companies via their external DNS (eDNS) servers, which are\r\npart of the General Packet Radio Service (GPRS) network and play a role in roaming between different mobile operators.\r\nhttps://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/\r\nPage 1 of 8\n\nThis enabled the adversary to connect directly from other compromised telecommunication companies’ GPRS networks.\r\nCrowdStrike determined LIMINAL PANDA has likely compromised at least 13 telecommunication companies across the\r\nworld since at least 2019.\r\nDuring the investigation, CrowdStrike uncovered evidence showing LIMINAL PANDA initially accessed the first eDNS\r\nserver via SSH from another compromised telecommunications company by password spraying extremely weak and third-party-focused passwords (e.g., huawei ).\r\nLater, LIMINAL PANDA returned to access several eDNS servers from one of the compromised telecom entities while\r\ndeploying a backdoor dubbed PingPong using the filename /usr/bin/pingg , and established persistence by modifying the\r\nSysVinit script /etc/rc.d/init.d/sshd to include the following line:\r\ncd /usr/bin \u0026\u0026 nohup ./pingg \u003e/dev/null 2\u003e\u00261 \u0026\r\nPingPong listens for inbound magic ICMP echo requests and establishes a TCP reverse shell connection to an IP address\r\nand port specified at certain offsets within the packet. 
The /bin/bash process PingPong spawns masquerades under the\r\nprocess name httpd .\r\nFirewalls usually protect eDNS servers from unauthorized external internet access; the magic packet that PingPong expects\r\nwould most likely have to be sent from other compromised GPRS network infrastructure. CrowdStrike Services observed\r\nreverse shells that had been spawned from this implant that communicated with a server owned by a different compromised\r\ntelecom entity in another part of the world. These connections typically communicated with the remote system on TCP port\r\n53 — the port primarily used for DNS — further indicating the adversary’s attempts to disguise their activity as legitimate\r\ntraffic.\r\nIn addition to deploying the PingPong backdoor, LIMINAL PANDA added iptables rules to the eDNS server, ensuring\r\ncontinued SSH access to the server from five other compromised telecom entities. The adversary also replaced the legitimate\r\niptables binary with a wrapper binary (SHA256 hash:\r\n97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb ) that filters output from iptables queries,\r\nincluding the first two octets of remote IP addresses belonging to the compromised telecommunications companies. These\r\nactions make it more difficult for administrators and analysts to identify the firewall rules by reviewing iptables output\r\nalone. Indicators relating to this utility are highlighted in Table 1.\r\nTable 1. 
Wrapper binaries and legitimate iptables file details\r\nFile Path Description\r\n/usr/local/sbin/iptables\r\niptables wrapper binary that replaced legitimate version (SHA256 hash:\r\n97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb )\r\n/usr/sbin/iptablesDir/iptables\r\n/usr/sbin/iptablesDir/iptables-apply\r\n/usr/sbin/iptablesDir/iptables-batch\r\n/usr/sbin/iptablesDir/iptables-multi\r\n/usr/sbin/iptablesDir/iptables-restore\r\n/usr/sbin/iptablesDir/iptables-save\r\nLegitimate iptables binaries in a non-standard directory that are invoked by\r\nthe trojanized version\r\nServing GPRS Support Node (SGSN) Emulation\r\nLIMINAL PANDA uses a novel technique to support C2 communication, leveraging SGSN emulation software in concert\r\nwith TinyShell. SGSNs are essentially GPRS network access points, and the emulation software allows the adversary to\r\ntunnel traffic via this telecommunications network.\r\nTinyShell is an open-source Unix backdoor used by multiple adversaries; however, LIMINAL PANDA uniquely combined\r\nthis malware with the publicly available SGSN emulator sgsnemu [2] via a bash script. This script constantly runs on\r\ncompromised systems but only executes certain steps between 2:15 and 2:45 UTC each day, a time window specified via\r\ncommand-line arguments. During the defined period, the script performs the following steps in a loop:\r\n1. Execute TinyShell configured to communicate with an adversary-controlled C2 IP address hosted by the virtual\r\nprivate server (VPS) provider Vultr\r\n2. Add a route to the TinyShell C2 on the interface tun0\r\n3. Check TinyShell C2 connectivity via ping\r\n4. 
If TinyShell fails to connect to the C2, the script executes the SGSN emulator in a loop, attempting to connect to nine\r\npairs of International Mobile Subscriber Identity (IMSI) and Mobile Subscriber Integrated Services Digital Network\r\n(MSISDN) numbers passed as arguments to the emulator. These numbers identify specific mobile devices, or mobile\r\nstations, for the SGSN emulator to create tunnels to. This process generates Packet Data Protocol (PDP) context\r\nrequests for mobile stations with the IMSI/MSISDN number pairs until a connection is established. If a connection is\r\nestablished, the SGSN emulator connects to the device via the GPRS Tunnelling Protocol (GTP) and uses the tun0\r\ninterface for the connection. The TinyShell implant then uses tun0 , as described previously.\r\n5. If no connection has been made by the end of the 30-minute window, the script kills both the SGSN emulator and the\r\nTinyShell instance.\r\nIn summary, the SGSN emulator is used to tunnel TinyShell C2 traffic between the infected host and remote C2 server via\r\nGTP through specific mobile stations. The script is used as a persistence mechanism; it runs continually but attempts to\r\nestablish a tunnel to each of the specified mobile stations, which act as tunnels to the TinyShell C2 server. The script runs for\r\nonly 30 minutes each day, culminating in a similar effect to a scheduled job.\r\nCrowdStrike Intelligence assesses that this sophisticated form of C2 is likely an OPSEC measure. This assessment is made\r\nwith moderate confidence, as GTP-encapsulated TinyShell C2 traffic is less likely to be considered anomalous within mobile\r\ncommunications networks. 
Additionally, network security solutions are less likely to inspect and restrict GTP-encapsulated\r\ntraffic.\r\nAdditional Malware and Utilities\r\nLIMINAL PANDA has also deployed numerous custom and publicly available tools to support ongoing intrusion operations\r\nand enable reconnaissance and data collection.\r\nCordScan\r\nCordScan is a network-scanning and packet-capture utility containing built-in logic to fingerprint and retrieve data relating\r\nto common telecommunication protocols from infrastructure such as SGSNs. LIMINAL PANDA may target SGSNs for\r\nfurther collection, as this infrastructure is responsible for packet-data delivery to and from mobile stations, and also contains\r\nlocation information for registered GPRS users. CrowdStrike identified multiple versions of this utility, including a cross-compiled version for systems running on ARM architecture, such as Huawei’s commercial CentOS-based operating system\r\nEulerOS.\r\nLIMINAL PANDA’s ability to fingerprint various brands of networking hardware and compile tools for appropriate\r\nprocessor architectures likely indicates the adversary’s robust research and development capabilities to target vendor-specific infrastructure commonly seen in telecommunications environments. This access development effort may indicate an\r\nintelligence organization or security service collection requirements against a diverse set of target environments.\r\nSIGTRANslator\r\nSIGTRANslator is a Linux ELF binary capable of sending and receiving data via various SIGTRAN protocols that carry\r\npublic switched telephone network (PSTN) signaling over IP networks. This signaling data includes valuable metadata such\r\nas telephone numbers called by a specific mobile station. Data collected and relayed by SIGTRANslator is also sent to a\r\nremote C2 host that connects to a port opened by the binary. 
This allows the remote C2 server to collect data proxied by\r\nSIGTRANslator as well as send data to the tool to be retransmitted via a SIGTRAN protocol.\r\nSIGTRANslator traffic sent to and from the remote C2 is encrypted with the hardcoded XOR key wuxianpinggu507 . This\r\nPinyin text translates to \"wireless evaluation 507\" or \"unlimited evaluation 507.\" \"Wireless evaluation\" is likely the correct\r\ntranslation, given that the malware is used to target telecommunications systems. The Pinyin artifact indicates\r\nSIGTRANslator’s developer has some knowledge of the Chinese language.\r\nFast Reverse Proxy\r\nLIMINAL PANDA uses this open-source reverse proxy to provide general access to the eDNS server via an adversary-controlled C2 IP address hosted by the VPS provider Vultr.\r\nMicrosocks Proxy\r\nLIMINAL PANDA typically uses this open-source SOCKS5 proxy server to pivot to systems internally.\r\nProxyChains\r\nThis open-source utility can transmit network traffic through a chain of proxy servers, even if the program generating the\r\ntraffic does not have proxy support. It uses a configuration file specifying proxy IP addresses and associated credentials to\r\nuse. A recovered LIMINAL PANDA-associated ProxyChains configuration file contained a mixture of local IP addresses, IP\r\naddresses assigned to Vultr, and IP addresses belonging to eight different telecommunication organizations across the globe.\r\nRecommendations\r\nTelecommunications servers must communicate with one another as part of cellular roaming agreements between providers;\r\nhowever, LIMINAL PANDA’s ability to pivot between multiple networks is enabled by overly permissive access policies\r\nthat are not restricted to required services and protocols. 
As such, telecom entities should ensure that firewalls protecting\r\nGPRS network borders restrict network traffic to necessary protocols such as DNS or GTP.\r\nAs LIMINAL PANDA can conduct C2 over common telecommunications protocols, organizations compromised by the\r\nadversary are likely unable to remediate intrusions by solely restricting network traffic. In this event, CrowdStrike\r\nrecommends conducting an incident response investigation that reviews all partner systems alongside all systems managed\r\nby the organization itself. This recommendation also applies to any organization seeking to determine whether LIMINAL\r\nPANDA has compromised their system.\r\nIf any aspects of a telecom entity’s network are managed by a third-party managed service provider (MSP), organizations\r\nshould evaluate the partner’s security controls to ensure systems are sufficiently protected. CrowdStrike Services\r\ninvestigations commonly reveal a lack of any monitoring or security tooling on core telecommunication network systems.\r\nWhile the security tooling is infrequently applied to real-time operating systems, LIMINAL PANDA typically targets other\r\nUnix-based operating systems that support core telecommunications network services and should have basic security\r\ncontrols and logging in place such as:\r\nSSH logging forwarded to a SIEM\r\nEndpoint detection and response (EDR) for process execution\r\nFile integrity monitoring (FIM) for recording file changes of key configuration files\r\nAdditionally, organizations should implement appropriate incident response plans that account for partner-managed systems\r\nwithin the network. 
This incident response plan enumerates the roles and responsibilities of third-party MSPs to ensure\r\nforensic artifacts can be acquired from third-party equipment not managed by the telecom.\r\nFinally, given that highly advanced state-sponsored adversaries consistently target telecoms, these organizations must have\r\naccess to up-to-date and comprehensive threat intelligence resources to understand the threats facing the industry. This\r\nintelligence should also provide insights into the TTPs of adversaries that typically target telecoms — both corporate\r\nnetworks and critical telecommunications infrastructure — and allow telecoms to further augment detection mechanisms\r\nand evaluate existing security controls.\r\nConclusion\r\nBecause telecommunications entities possess information with significant intelligence value, CrowdStrike assesses that\r\nsophisticated adversaries will continue to target telecoms and their constituent infrastructure. While the partner-heavy nature\r\nand high-availability systems associated with these networks make implementing robust cybersecurity a complex task,\r\nsecuring all aspects of telecommunications infrastructure — not only the corporate network — is crucial.\r\nIndicators of Compromise\r\nTable 2. 
LIMINAL PANDA indicators of compromise\r\nIndicator SHA256 Hashes Descrip\r\n/usr/bin/pingg\r\ne9c0f00c34dcd28fc3cc53c9496bff863b81b06723145e106ab7016c66581f72\r\n4668561d60daeb7a4a50a9c3e210a4343f92cadbf2d52caab5684440da6bf562\r\nPingPon\r\nbackdoo\r\n/usr/lib/om_proc\r\n3a259ad7e5c19a782f7736b5ac50aac4ba4d03b921ffc6a3ff6a48d720f02012\r\n65143ccb5a955a22d6004033d073ecb49eba9227237a46929495246e36eff8e1\r\nMicroso\r\nProxy (p\r\ntool)\r\n/usr/lib/frpc\r\n05537c1c4e29db76a24320fb7cb80b189860389cdb16a9dbeb0c8d30d9b37006\r\n16294086be1cc853f75e864a405f31e2da621cb9d6a59f2a71a2fca4e268b6c2\r\nFast Re\r\nProxy (p\r\ntool)\r\n/usr/lib/frpc.ini N/A\r\nFast Re\r\nProxy\r\nconfigur\r\nfile nam\r\n/usr/lib/cord.lib\r\n/usr/lib/libcord.so\r\n/usr/bin/libcord.so\r\n6d3759b3621f3e4791ebcd28e6ea60ce7e64468df24cf6fddf8efb544ab5aec0\r\nc5ddd616e127df91418aeaa595ac7cd266ffc99b2683332e0f112043796ede1d\r\n9973edfef797db84cd17300b53a7a35d1207d166af9752b3f35c72b4df9a98bc\r\n4480b58979cc913c27673b2f681335deb1627e9ba95073a941f4cd6d6bcd6181\r\nad9fef1b86b57a504cfa1cfbda2e2ac509750035bff54e1ca06f7ff311d94689\r\nCordSca\r\n/home/REDACTED/cordscan_raw_arm cdf230a7e05c725a98ce95ad8f3e2155082d5a6b1e839c2b2653c3754f06c2e7\r\nCordSca\r\n(ARM\r\narchitec\r\n/usr/lib/javacee 917495c2fd919d4d4baa2f8a3791bcfd58d605ee457a81feb52bc65eb706fd62 SIGTRA\r\n/usr/lib/sgsnemu\r\n/usr/bin/sgsnemu\r\nbf5806cebc5d1a042f87abadf686fb623613ed33591df1a944b5e7879fb189c8\r\n78c579319734a81c0e6d08f1b9ac59366229f1256a0b0d5661763f6931c3b63c\r\nSGSN\r\nemulato\r\n(public\r\n/usr/lib/sgsnemu_bak b06f52e2179ec9334f8a3fe915d263180e538f7a2a5cb6ad8d60f045789123b6\r\n/usr/lib/tshd a388e2ac588be6ab73d7e7bbb61d83a5e3a1f80bf6a326f42b6b5095a2f35df3\r\nTinyShe\r\n(public\r\n/home/REDACTED/win7_exp/proxychains.conf\r\n/usr/lib/win7_exp/proxychains.conf\r\nN/A\r\nProxyCh\r\nconfigur\r\nfile nam\r\n/usr/local/sbin/iptables 
97d4c9b5750d614face73d11ba8532e53594332af53f4c07c1543195225b76eb\r\niptabl\r\nwrapper\r\n/usr/sbin/iptablesDir/\r\n/sbin/iptablesDir/\r\nN/A\r\nAdversa\r\ncreated\r\ndirector\r\ncontaini\r\nlegitima\r\ncopies o\r\niptables\r\nbinaries\r\nby the\r\niptabl\r\nwrapper\r\n45.76.215[.]0/24 N/A\r\nVultr IP\r\naddress\r\nused by\r\nLIMINA\r\nPANDA\r\n167.179.91[.]0/24 N/A\r\nVultr IP\r\naddress\r\nused by\r\nLIMINA\r\nPANDA\r\n45.32.116[.]0/24 N/A\r\nVultr IP\r\naddress\r\nused by\r\nLIMINA\r\nPANDA\r\n207.148.24[.]0/24 N/A\r\nVultr IP\r\naddress\r\nused by\r\nLIMINA\r\nPANDA\r\n172.104.79[.]0/24 N/A\r\nLinode\r\naddress\r\nused by\r\nLIMINA\r\nPANDA\r\n45.33.77[.]0/24 N/A\r\nLinode\r\naddress\r\nused by\r\nLIMINA\r\nPANDA\r\n139.162.156[.]0/24 N/A\r\nLinode\r\naddress\r\nused by\r\nLIMINA\r\nPANDA\r\n172.104.236[.]0/24 N/A\r\nLinode\r\naddress\r\nused by\r\nLIMINA\r\nPANDA\r\n172.104.129[.]0/24 N/A\r\nLinode\r\naddress\r\nused by\r\nLIMINA\r\nPANDA\r\nEndnotes\r\n1. Key examples of telecommunications-specific systems targeted include systems involved in the GPRS network such\r\nas external DNS (eDNS) servers, Service Delivery Platform (SDP) systems, and SIM/IMEI provisioning, as well as\r\nOperations Support Systems (OSS) and Operation and Maintenance Units (OMU).\r\n2. https[:]//osmocom[.]org/projects/openggsn/wiki/Sgsnemu\r\nCrowdStrike Intelligence Confidence\r\nHigh Confidence: Judgments are based on high-quality information from multiple sources. High confidence in the quality\r\nand quantity of source information supporting a judgment does not imply that that assessment is an absolute certainty or\r\nfact. 
The judgment still has a marginal probability of being inaccurate.\r\nModerate Confidence: Judgments are based on information that is credibly sourced and plausible, but not of sufficient\r\nquantity or corroborated sufficiently to warrant a higher level of confidence. This level of confidence is used to express that\r\njudgments carry an increased probability of being incorrect until more information is available or corroborated.\r\nLow Confidence: Judgments are made where the credibility of the source is uncertain, the information is too fragmented or\r\npoorly corroborated enough to make solid analytic inferences, or the reliability of the source is untested. Further information\r\nis needed for corroboration of the information or to fill known intelligence gaps.\r\nAdditional Resources\r\nRead about the adversaries tracked by CrowdStrike Counter Adversary Operations in the CrowdStrike 2024 Threat\r\nHunting Report.\r\nTune into the Adversary Universe podcast, where CrowdStrike experts discuss today's threat actors — who they are,\r\nwhat they’re after and how you can defend against them.\r\nKnow the adversaries that may be targeting your region or business sector — explore the CrowdStrike Adversary\r\nUniverse.\r\nLearn how CrowdStrike's threat intelligence and threat hunting solutions are transforming security operations to\r\nbetter protect your business.\r\nSource: https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/"
	],
	"report_names": [
		"an-analysis-of-lightbasin-telecommunications-attacks"
	],
	"threat_actors": [
		{
			"id": "ece64b74-f887-4d58-9004-2d1406d37337",
			"created_at": "2022-10-25T16:07:23.794442Z",
			"updated_at": "2026-04-10T02:00:04.751764Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"DecisiveArchitect",
				"Luminal Panda",
				"TH-239",
				"UNC1945"
			],
			"source_name": "ETDA:LightBasin",
			"tools": [
				"CordScan",
				"EVILSUN",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LEMONSTICK",
				"LOGBLEACH",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"OKSOLO",
				"OPENSHACKLE",
				"ProxyChains",
				"Pupy",
				"PupyRAT",
				"SIGTRANslator",
				"SLAPSTICK",
				"SMBExec",
				"STEELCORGI",
				"Tiny SHell",
				"pupy",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c0b06c51-f463-47dc-9b15-1ffa317dbf2c",
			"created_at": "2025-03-04T02:00:02.983311Z",
			"updated_at": "2026-04-10T02:00:03.793603Z",
			"deleted_at": null,
			"main_name": "LIMINAL PANDA",
			"aliases": [],
			"source_name": "MISPGALAXY:LIMINAL PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "31c0d0e1-f793-4374-90aa-138ea1daea50",
			"created_at": "2023-11-30T02:00:07.29462Z",
			"updated_at": "2026-04-10T02:00:03.482987Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"UNC1945",
				"CL-CRI-0025"
			],
			"source_name": "MISPGALAXY:LightBasin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434811,
	"ts_updated_at": 1775792117,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d2e144a6d54a9bc9a6d22a1a5df7266502489e9.pdf",
		"text": "https://archive.orkl.eu/6d2e144a6d54a9bc9a6d22a1a5df7266502489e9.txt",
		"img": "https://archive.orkl.eu/6d2e144a6d54a9bc9a6d22a1a5df7266502489e9.jpg"
	}
}