{
	"id": "99f99f07-73a0-4f2d-96b9-da2eaa0a4cff",
	"created_at": "2026-04-06T00:14:03.505046Z",
	"updated_at": "2026-04-10T03:35:14.243023Z",
	"deleted_at": null,
	"sha1_hash": "6f171518918ce3ae69ada331224c5c8f020b93ef",
	"title": "Contagious Interview: Malware delivered through fake developer job interviews",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2389096,
	"plain_text": "Contagious Interview: Malware delivered through fake developer job interviews\r\nBy Microsoft Defender Experts, Microsoft Defender Security Research Team\r\nPublished: 2026-03-11 · Archived: 2026-04-05 21:54:38 UTC\r\nMicrosoft Defender Experts has observed the Contagious Interview campaign, a sophisticated social engineering operation active since at least December 2022. Microsoft continues to detect activity associated with this campaign in recent customer environments, targeting software developers at enterprise solution providers and media and communications firms by abusing the trust inherent in modern recruitment workflows.\r\nThreat actors repeatedly achieve initial access through convincingly staged recruitment processes that mirror legitimate technical interviews. These engagements often include recruiter outreach, technical discussions, assignments, and follow-ups, ultimately persuading victims to execute malicious packages or commands under the guise of routine evaluation tasks.\r\nThis campaign represents a shift in initial access tradecraft. By embedding targeted malware delivery directly into interview tools, coding exercises, and assessment workflows that developers inherently trust, threat actors exploit the trust job seekers place in the hiring process during periods of high motivation and time pressure, lowering suspicion and resistance.\r\nAttack chain overview\r\nInitial access\r\nAs part of a fake job interview process, attackers pose as recruiters from cryptocurrency trading firms or AI-based solution providers. Victims who fall for the lure are instructed to clone and execute an NPM package hosted on popular code hosting platforms such as GitHub, GitLab, or Bitbucket.
In this scenario, the executed NPM package directly loads a follow-on payload.\r\nhttps://www.microsoft.com/en-us/security/blog/2026/03/11/contagious-interview-malware-delivered-through-fake-developer-job-interviews/\r\nPage 1 of 15\n\nExecution of the malicious package triggers additional scripts that ultimately deploy the backdoor in the background. In recent intrusions, attackers have adapted their technique to leverage Visual Studio Code workflows: when victims open the downloaded package in Visual Studio Code, they are prompted to trust the repository author. If trust is granted, Visual Studio Code automatically executes the repository’s task configuration file, which then fetches and loads the backdoor.\r\nA typical repository hosted on Bitbucket, posing as a blockchain-powered game.\r\nSample task found in the repository (bottom: URL shortener redirecting to vercel.app).\r\nOnce the victim executes the task or the package is successfully executed, a backdoor is launched. Over time, the attackers have deployed various cross-platform backdoor families to establish an initial foothold on the impacted devices and then pivot into more traditional intrusion operations.\r\nOtterCookie\r\nOtterCookie is the most widely observed backdoor variant in this campaign.
First observed in September 2024, this JavaScript-based backdoor has been in active development. Over time it evolved from a basic tool for executing remote commands and searching for crypto keys into a modular program capable of broader data theft: it checks for VM environments, installs communication clients such as socket.io for C2, exfiltrates information, executes arbitrary shell commands, loads additional modules to collect specific targeted data, and reports the results.\r\nMicrosoft Defender Experts continue to observe two active OtterCookie variants. The latest, tracked since October 2025, retains the same core functionality but introduces significantly heavier obfuscation that hides strings, URLs, and logic through encoded index lookups and shuffled arrays. This reduces runtime artifacts and visibility while making static analysis and signature-based detection substantially harder through deliberate stealth and intent masking.\r\nOtterCookie variant comparison: direct strings and API calls (top) versus an obfuscated string pool with index-based lookups masking indicators and logic (bottom).\r\nBeaconing agent\r\nMicrosoft Defender Experts has observed this JavaScript backdoor variant (shown below) in active use since at least October 2025. The malware operates as a lightweight command-and-control beacon capable of collecting host fingerprints, including hostname, network identifiers, operating system details, and public IP address.
It periodically contacts a remote controller to exchange status information and retrieve tasking, and it can execute arbitrary attacker-supplied code by spawning a local runtime and piping the payload directly through standard input.\r\nThe backdoor launches detached background child processes, tracks their process identifiers for lifecycle management, supports remote configuration updates and shutdown commands, and reports execution errors back to the controller. These capabilities enable stealthy execution, resilient remote code execution, system reconnaissance, and ongoing remote process control.\r\nJavaScript backdoor variant.\r\nData collection\r\nOnce a foothold is established via backdoors, attackers move on to collecting sensitive information from compromised devices. Although the objective remains consistent, the methods vary depending on the underlying platform and the specific capabilities of each backdoor.\r\nEnumerating sensitive data\r\nOn Windows systems, the beaconing agent launches a script to enumerate credential and keystore material (as shown in the image below). This includes environment configuration files, wallet mnemonic phrases, password stores such as KeePass databases, 1Password artifacts, notes, and cryptographic keys. Collected data is packaged and exfiltrated to attacker-controlled infrastructure via HTTP POST requests.\r\nOn macOS, attackers using the same beaconing agent adapt their behavior by issuing system commands to search the entire filesystem for files matching credential- and secret-related patterns (as shown in the image below).
To improve efficiency and reduce noise, the search logic deliberately excludes common system, vendor, and developer directories before exfiltrating the results to remote servers.\r\nIn contrast, intrusions leveraging the OtterCookie backdoor employ a modular Node.js-based approach. The malicious module performs broad file-harvesting operations across local drives, excluding large system and development cache directories. The backdoor targets high-value assets such as cryptographic keys, environment files, documents, images, source code, and package artifacts. Files matching predefined patterns are exfiltrated to attacker-controlled endpoints using axios-based form-data uploads, allowing the activity to blend into legitimate web traffic.\r\n[Normalized view] Obfuscated OtterCookie variant defining file-extension include and exclude lists.\r\nSpying and clipboard data read\r\nThrough the backdoor, the attacker installs benign npm packages such as node-global-key-listener and screenshot-desktop for keylogging and desktop screenshot capture.
The backdoor also loads a Node.js module that orchestrates staged payload execution via PowerShell and CMD, ultimately collecting active window metadata and clipboard contents through repeated, hidden PowerShell commands.\r\nObserved events in an intrusion involving screenshot capture via the screenshot-desktop NPM package (screenCapture_1.3.2).\r\nProcess tree (condensed for clarity) highlighting covert PowerShell-based surveillance activity.\r\nWhile the above is implemented through a separate module, OtterCookie also embeds a clipboard watcher function that captures clipboard content and exfiltrates it to attacker-controlled infrastructure.\r\nSnippet illustrating how two different OtterCookie variants implement this clipboard monitoring functionality.\r\nFollow-up payloads: Invisible Ferret\r\nIn the early stages of this campaign, Invisible Ferret was primarily delivered via BeaverTail, an information stealer that also functioned as a loader. In more recent intrusions, however, Invisible Ferret is predominantly deployed as a follow-on payload, introduced after initial access has been established through the beaconing agent or OtterCookie.\r\nInvisible Ferret is a Python-based backdoor used in later stages of the attack chain, enabling remote command execution, extended system reconnaissance, and persistent control after initial access has been secured by the primary backdoor.\r\nProcess tree snippet from an incident where the beaconing agent deploys Invisible Ferret.\r\nOther campaigns\r\nAnother notable backdoor observed in this campaign is FlexibleFerret, a modular backdoor implemented in both Go and Python variants.
It leverages encrypted HTTP(S) and TCP command-and-control channels to dynamically load plugins, execute remote commands, and support file upload and download operations with full data exfiltration. FlexibleFerret establishes persistence through Run registry key modifications and includes built-in reconnaissance and lateral movement capabilities. Its plugin-based architecture, layered obfuscation, and configurable beaconing behavior contribute to its stealth and make analysis more challenging.\r\nWhile Microsoft Defender Experts have observed FlexibleFerret less frequently than the backdoors discussed in earlier sections, it remains active in the wild. Campaigns deploying this backdoor rely on similar social engineering techniques, where victims are directed to a fraudulent interview or screening website impersonating a legitimate platform. During the process, users encounter a fabricated technical error and are instructed to copy and paste a command to resolve the issue. This command retrieves additional payloads, ultimately leading to the execution of the FlexibleFerret backdoor.\r\nCode quality observations\r\nRecent samples exhibit characteristics that differ from traditionally engineered malware. The beaconing agent script contains inconsistent error handling, empty catch blocks, and redundant reporting logic that appear minimally refined. Similarly, the FlexibleFerret Python variant combines tutorial-style comments, emoji-based logging, and placeholder secret key markers alongside functional malware logic.\r\nThese patterns, including instructional narrative structure and rapid iteration cycles, suggest development workflows that prioritize speed and functional output over refined engineering.
While these characteristics may indicate the use of development acceleration tools, they primarily reflect evolving threat actor development practices and rapid tooling adaptation that enable quick iteration on malicious code.\r\nSnippets from the Python variant of FlexibleFerret highlighting tutorial-style comments and AI-assisted code with icon-based logging.\r\nSecurity implications\r\nThis campaign weaponizes hiring processes into a persistent attack channel. Threat actors exploit technical interviews and coding assessments to execute malware through dependency installations and repository tasks, targeting developer endpoints that provide access to source code, CI/CD pipelines, and production infrastructure.\r\nThreat actors harvest API tokens, cloud credentials, signing keys, cryptocurrency wallets, and password manager artifacts. Modular backdoors enable infrastructure rotation while maintaining access and complicating detection.\r\nOrganizations should treat recruitment workflows as attack surfaces by deploying isolated interview environments, monitoring developer endpoints and build tools, and hunting for suspicious repository activity and dependency execution patterns.\r\nMitigation and protection guidance\r\nHarden developer and interview workflows\r\nUse a dedicated, isolated environment for coding tests and take-home assignments (for example, a non-persistent virtual machine).
Do not use a primary corporate workstation that has access to production credentials, internal repositories, or privileged cloud sessions.\r\nEstablish a policy that requires review of any recruiter-provided repository before running scripts, installing dependencies, or executing tasks. Treat “paste-and-run” commands and “quick fix” instructions as high-risk.\r\nProvide guidance to developers on common red flags: short links redirecting to file hosts, newly created repositories or accounts, unusually complex “assessment” setup steps, and instructions that request disabling security controls or trusting unknown repository authors.\r\nReduce attack surface from tools commonly abused in this campaign\r\nEnsure tamper protection and real-time antivirus protection are enabled, and that endpoints receive security updates. These campaigns often rely on script execution and commodity tooling rather than exploiting a single vulnerability, so layered endpoint protection remains effective.\r\nRestrict scripting and developer runtimes where possible (Node.js, Python, PowerShell). In high-risk groups, consider application control policies that limit which binaries can execute and where they can be launched from (for example, preventing developer tool execution from Downloads and temporary folders).\r\nMonitor for and consider blocking common “download-and-execute” patterns used as stagers, such as curl/wget piping to shells, and outbound requests to low-reputation hosts used to serve payloads (including short-link redirection services).\r\nProtect secrets and limit downstream impact\r\nReduce the exposure of secrets on developer endpoints.
Use just-in-time and short-lived credentials, store secrets in vaults, and avoid long-lived tokens in environment files or local configuration.\r\nEnforce multifactor authentication and conditional access for source control, CI/CD, cloud consoles, and identity providers to mitigate credential theft from compromised endpoints.\r\nReview and restrict access to password manager vaults and developer signing keys. This campaign explicitly targets artifacts such as wallet material, password databases, private keys, and other high-value developer-held secrets.\r\nDetect, investigate, and respond\r\nHunt for execution chains that start from a code editor or developer tool and quickly transition into shell or scripting execution (for example, Visual Studio Code/Cursor App → cmd/PowerShell/bash → curl/wget → script execution). Review repository task configurations and build scripts when such chains are observed.\r\nMonitor Node.js and Python processes for behaviors consistent with this campaign, including broad filesystem enumeration for credential and key material, clipboard monitoring, screenshot capture, and HTTP POST uploads of collected data.\r\nIf compromise is suspected, isolate the device, rotate credentials and tokens that may have been exposed, review recent access to code repositories and CI/CD systems, and assess for follow-on payloads and persistence.\r\nMicrosoft Defender XDR detections\r\nMicrosoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
\r\nCustomers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.\r\nTactic | Observed activity | Microsoft Defender coverage\r\nExecution | curl or wget command launched from NPM package to fetch script from vercel.app or URL shortener | Microsoft Defender for Endpoint: Suspicious process execution\r\nExecution | Backdoor (Beaconing agent, OtterCookie, InvisibleFerret, FlexibleFerret) execution | Microsoft Defender for Endpoint: Suspicious Node.js process behavior; Possible OtterCookie malware activity; Suspicious Python library load; Suspicious connection to remote service. Microsoft Defender Antivirus: Suspicious ‘BeaverTail’ behavior was blocked\r\nCredential Access | Enumerating sensitive data | Microsoft Defender for Endpoint: Enumeration of files with sensitive data\r\nDiscovery | Gathering basic system information and enumerating sensitive data | Microsoft Defender for Endpoint: System information discovery; Suspicious System Hardware Discovery; Suspicious Process Discovery\r\nCollection | Clipboard data read by Node.js script | Microsoft Defender for Endpoint: Suspicious clipboard access\r\nHunting queries\r\nMicrosoft Defender XDR\r\nMicrosoft Defender XDR customers can run the following queries to find related activity in their networks.\r\nRun the query below to identify suspicious script executions where curl or wget is used to fetch remote content.\r\nDeviceProcessEvents\r\n| where ProcessCommandLine has_any (\"curl\", \"wget\")\r\n| where ProcessCommandLine has_any (\"vercel.app\", \"short.gy\") and ProcessCommandLine 
has_any (\" | cmd\", \" | sh\")\r\nRun the query below to identify OtterCookie-related Node.js activity by correlating clipboard monitoring, recursive file scanning, curl-based exfiltration, and VM-awareness patterns.\r\nDeviceProcessEvents\r\n| where\r\n(\r\n(InitiatingProcessCommandLine has_all (\"axios\", \"const uid\", \"socket.io\") and InitiatingProcessCommandLine contains \"clipboard\") or // Clipboard watcher + socket/C2 style bootstrap\r\n(InitiatingProcessCommandLine has_all (\"excludeFolders\", \"scanDir\", \"curl \", \"POST\")) or // Recursive file scan + curl POST exfil\r\n(ProcessCommandLine has_all (\"*bitcoin*\", \"credential\", \"*recovery*\", \"curl \")) or // Credential/crypto keyword harvesting + curl usage\r\n(ProcessCommandLine has_all (\"node\", \"qemu\", \"virtual\", \"parallels\", \"virtualbox\", \"vmware\", \"makelog\")) or // VM / sandbox awareness + logging\r\n(ProcessCommandLine has_all (\"http\", \"execSync\", \"userInfo\", \"windowsHide\") and ProcessCommandLine has_any (\"socket\", \"platform\", \"release\", \"hostname\", \"scanDir\", \"upload\")) // Generic OtterCookie-ish execution + environment collection + upload hints\r\n)\r\nRun the query below to detect possible Node.js beaconing agent activity.\r\nDeviceProcessEvents\r\n| where ProcessCommandLine has_all (\"handleCode\", \"AgentId\", \"SERVER_IP\")\r\nRun the query below to detect possible BeaverTail and InvisibleFerret activity.\r\nDeviceProcessEvents\r\n| where FileName has \"python\" or ProcessVersionInfoOriginalFileName has \"python\"\r\n| where ProcessCommandLine has_any (@'/.n2/pay', @'\\.n2/pay', @'\\.npl', '/.npl', @'/.n2/bow', @'\\.n2/bow', '/pdown', '/.sysinfo', @'\\.n2/mlip', @'/.n2/mlip')\r\nRun the 
query to detect credential enumeration activity.\r\nDeviceProcessEvents\r\n| where InitiatingProcessParentFileName has \"node\"\r\n| where (InitiatingProcessCommandLine has_all (\"cmd.exe /d /s /c\", \" findstr /v\", '\\\"dir') and ProcessCommandLine has_any (\"account\", \"wallet\", \"keys\", \"password\", \"seed\", \"1pass\", \"mnemonic\", \"private\"))\r\nor ProcessCommandLine has_all (\"-path\", \"node_modules\", \"-prune -o -path\", \"vendor\", \"Downloads\", \".env\")\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.\r\nThis research is provided by Microsoft Defender Security Research with contributions from Balaji Venkatesh S.\r\nLearn more\r\nReview our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.
\r\nSource: https://www.microsoft.com/en-us/security/blog/2026/03/11/contagious-interview-malware-delivered-through-fake-developer-job-interviews/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2026/03/11/contagious-interview-malware-delivered-through-fake-developer-job-interviews/"
	],
	"report_names": [
		"contagious-interview-malware-delivered-through-fake-developer-job-interviews"
	],
	"threat_actors": [
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434443,
	"ts_updated_at": 1775792114,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f171518918ce3ae69ada331224c5c8f020b93ef.pdf",
		"text": "https://archive.orkl.eu/6f171518918ce3ae69ada331224c5c8f020b93ef.txt",
		"img": "https://archive.orkl.eu/6f171518918ce3ae69ada331224c5c8f020b93ef.jpg"
	}
}